As GDPR Goes into Effect, MGID Goes into Action

On May 25, 2018 new General Data Protection Regulation (GDPR) will take effect, intending to strengthen and unify data protection for all individuals in the European Union (EU). It will definitely affect the way organizations around the world approach data safety. MGID is proactively working to ensure GDPR-readiness by the effective date.

What is GDPR?

It is the EU new data protection law which replaces the 1995 Data Protection Directive. The GDPR is a crucial overhaul of the current regulations, since the existing rules and laws had been adopted long before the Internet as we know it was “invented”.

The GDPR applies to collection, use and disclosure of “personal data” of individuals working, visiting or residing in the EU. As defined in the GDPR, personal data includes:

  • All data relating to an identified or identifiable individual, which includes personally identifiable information like names, phone numbers, etc. Ad networks do not normally process this kind of data.
  • Device-related identifiers like unique device IDs and IP addresses (which the GDPR describes as “pseudonymous” forms of personal data). MGID does collect this data from end users who interact with publisher websites and other digital media properties that use MGID’s technology.

Data Controllers vs Data Processors

A Data Controller is a person (or business) who determines the purposes for and the manner in which personal data is processed or is to be processed. For example, advertisers who collect information about their clients.

By contrast, a Data Processor is anyone who processes personal data on behalf of the Data Controller. For instance, email service providers or advertising networks.

A Data Controller’s obligations:

  • comply with the the GDPR;
  • implement the right technology and organizational measures and demonstrate that the processing is performed in compliance with the GDPR;
  • keep records of processing activities.

A Data Processor’s obligations:

  • anonymize data by encrypting or removing personally identifiable information from data sets;
  • ensure that all vendor contracts comply with the same requirements as the Data Processor.

By contrast to Data Controllers, Data Processors are not obligated to demonstrate compliance to any supervisory or regulatory authority and are not required to retain records of activities undertaken as Data Controller.

Our commitment to GDPR

We share principles of the GDPR, since data protection has always been a cornerstone of our business. More importantly, we have already taken measures to ensure our compliance with the GDPR.

What is MGID doing to comply with the GDPR?

In preparation for the new regulations, MGID:

  • has created teams of associates from cross functional business lines to manage our GDPR preparation;
  • has appointed Data Protection Officer to advise and review our data processing;
  • has been implementing new tools and processes that meet  the GDPR’s data protection requirements.

Data protection by design

MGID is taking the following steps to demonstrate its consistent position in this regard:

  • The use of pseudonymisation (replacing personally identifiable material with artificial identifiers) and encryption (encoding messages so only those authorised can read them).
  • Data minimization: building mechanisms to collect only the data we need and seudonymising such data wherever possible.
  • Data retention: implementing a schedule across all our systems ensuring deletion or anonymisation of the data we no longer need.
  • Security: ensuring the use of adequate security measures to safeguard any data we collect or process.

What does it mean for Internet users?

MGID has always been aiming to balance relevant advertising experiences with privacy expectations while empowering consumers to control what ads they see online. We will keep implementing best practices in online advertising and follow the same principles after GDPR goes into effect.

What does it mean for our clients and partners?

GDPR compliance is a shared responsibility between MGID (data processor) and our clients (data controllers). Clients dictate what data they collect and what MGID does with it.

When getting ready for GDPR compliance, data controllers should consider the following:

  • Identify the data they collect, as well as the data MGID processes and stores on their behalf.
  • Ensure transparency by reviewing their current privacy policies, notices, or other information they provide to end users; obtain consents (if needed). Users should understand how their personal information is collected and processed.
  • Be ready to respond to users who ask what data is being stored about them or decide they want to terminate the relationship.

Further Steps

We at MGID consider the GDPR to be a positive development that will provide an environment of transparency, control and certainty for businesses and consumers. Since compliance is a collective responsibility, we encourage our clients and partners to review and acknowledge their obligations under GDPR. We are prepared to support our clients and partners through their GDPR compliance journey.

In case you have any questions or feedback, please contact us through your account representative.