Everything you need to know about GDPR and its impact on digital advertising

May 21, 2018 at 2:11 pm

The countdown has officially started: GDPR will come into force in less than four days. On May 25th, 2018, all the countries of the European Union will have to comply with the General Data Protection Regulation when dealing with sensitive data. GDPR is one of the hottest topics within the digital industry right now and, as expected, there are many questions: “What does GDPR mean?”, “How will it affect the industry?”, “What are the leading actors of the regulation?” and so on. No panic; surprisingly, the matter is easier than it sounds. Let’s move one step at a time to learn everything you need to know about GDPR.

What is GDPR?

The General Data Protection Regulation, also known as GDPR, is a new EU regulation that will replace the 1995 European DPD (Data Protection Directive): the goal is to enhance the level of protection of the personal data of all the EU citizens and to increase the obligations of all the organizations that collect and process these data. At the same time the regulations aim at trying to harmonize data privacy and protection laws across all the European Union: it amplifies the requirements by which consumers consent to and allow companies to collect, store and use their personal data for direct marketing. Consent will have to be explicitly given rather than assumed (this leaves no room for ambiguity), it has to be proven and the consumer can withdraw consent at their discretion.

The European Parliament approved the GDPR on April 14th, 2016 and it will come into force from the end of May onward.

“This Regulation lays down rules relating to the protection of natural persons with regard to the processing of personal data and rules relating to the free movement of personal data. This Regulation protects fundamental rights and freedoms of natural persons and in particular their right to the protection of personal data.”


Three main stakeholders can be identified in the GDPR text: data subjects, data controllers and data processors.

Data subject is defined as any person living in a country of the European Union. A controller is any company or organization that collects people’s personal data and determines how to process these data, while a processor is any company or organization that processes the data on the behalf of the controller but does not decide what to do with the handled data.

Let’s make it simpler.

Data subject → user of an app

Data controller → an app or website collecting data about users for specific purposes

Data processor → a company which will process the above-mentioned data  

GDPR applies to personal data and sensitive personal data. Personal data refers to any piece of information through which a person can be, directly or indirectly, identified such as name, identification number, location data. Sensitive personal data includes special categories of personal data as those relating to race, politics, religion, genetics, biometrics or sexual orientation.

Obligations for controllers and processors

The General Data Protection Regulation establishes a legal obligation for both the controller and the processor. In particular, after taking into account the nature, scope, context and purposes of processing, “the controller shall implement appropriate technical and organisational measures to ensure and to be able to demonstrate that processing is performed in accordance with the regulation” (GDPR – Art. 24). Art. 28 of the GPRD states that “ where processing is to be carried out on behalf of a controller, The processor shall not engage another processor without prior specific or general written authorisation of the controller. In the case of general written authorisation, the processor shall inform the controller of any intended changes concerning the addition or replacement of other processors, thereby giving the controller the opportunity to object to such changes.” Processors are required to maintain records of all the processed personal data and of all the processing activities.

The GDPR is applicable to all the companies operating within the EU borders as well as for those, operating outside, the EU that offer services to individuals located in one of the EU member countries (ART. 3 – territorial scope).

The most important obligation is set by the ART. 33 of the regulation, “Notification of a personal data breach to the supervisory authority”. According to the article, data controllers must comply with breach notification windows. The controller shall notify the breach to the supervisory authority without unjustified delay and, if feasible, not later than 72 hours after having become aware of it. If that timeframe is extended, valid reasons must be provided. The processor shall also notify the controller as soon as he becomes aware of a personal data violation.

Individual rights

The Regulation sets up 7 fundamental rights for individuals living within the EU borders:

  • Right to be informed (ART 13 and 14): individuals have the right to be informed by the controllers about the collection and use of their personal data. Controllers have to provide users with privacy information, meaning why they’re collecting data, how they’re going to use these data, for how long they will retain data. This information has to be accessible and easy to read and understand.
  • Right of access (ART 15): individuals have the right to get access to their personal and sensitive personal data as well as the confirmation that their data have been processed. The right allows them to verify the legality of the processing.
  • Right to rectification (ART 16): individuals have the right to make a request, verbally or in writing, in order to obtain the rectification or completion of inaccurate or incomplete data. Controllers/processors have one calendar month to reply and they can even refuse the request.
  • Right to erasure or to be forgotten (ART 17): individuals have the right to ask for their data to be erased by making a formal request, either verbally or in writing. Controllers/processors have one calendar month to reply.
  • Right to restrict processing (ART 18): individuals have the right to make a request, verbally or in writing, to obtain the restriction or suppression of their data. Controllers/processors have one calendar month to reply. If the request is accepted, data can be collected but can’t be processed. This right is closely related to the right to rectification and the right to object.
  • Right to data portability (ART 20): individuals have the right to export and use their data for their own purposes. They can copy, transfer and store data in a secure way, taking advantage of their own data and understanding their spending habits.
  • Right to object (ART 21): individuals have the right to object to direct marketing, to processing based on legitimate interests, and to processing for purposes of historical or scientific research.

How the GDPR impacts on digital advertising

GDPR is going to have a significant impact on the digital advertising industry. The Regulation will primarily affect programmatic advertising that relies on free flows of data. Many companies buy and sell data, that allows advertisers to run high-targeted campaigns and deliver relevant ads. GDPR will be monitoring most of the data relating to the programmatic sector: this could determine a slowdown in the ability to deliver significant messages. DSPs might have to figure out how to target users without relying on their personal data, while DMPs will face more legal obligations under the GDPR. The new Regulation will make it harder for companies to obtain third-party data, which means DMPs may have to rely more on first-party and second-party data, which is more costly and not always easy to obtain. Hence, programmatic advertisers need to find a way to get users’ consent to the processing of their personal data in order to comply with the new regulation.  

Nevertheless, GDPR will be a benefit to the industry, especially in terms of quality. For too long, digital advertising landscape has been peppered by irrelevant and poor quality ads which negatively impacted on user’s experience and satisfaction, as well as on their perception of advertising. The Regulation will give marketers the opportunity to reset their strategy by being more creative about how they interact with consumers, which will lead to higher hit rates and improved responses due to the increased level of personalisation without intruding on customers’ privacy.

Instal’s compliance with the regulation

Acting both as controller and processor, we take our responsibility towards our customers and their personal data very seriously. That’s why we are working to be meet the Regulation requirements and to be fully compliant once it goes into effect on May 25th, 2018.