A Publisher’s Guide to GDPR Compliance



In case you have been on a round trip to Mars lately, the General Data Protection Regulation (GDPR) takes effect on May 25th. The online publishing sector, amongst others, is bracing itself for these significant regulatory changes.

A quick Google search for GDPR yields thousands of results. However, understanding how these rules apply to your business can be quite challenging. Our new ebook, “A Publisher’s Guide to GDPR Compliance”, will help online publishers understand the actions they need to take to comply with the GDPR.

This eBook will educate you about the various aspects of GDPR, with added emphasis on the hidden aspects specifically affecting online publishing operations, especially the topic of third party services and their impact on GDPR.

The GDPR is gaining momentum due to the magnitude of its impact and the legal implications it carries, which is putting enormous pressure on decision makers in the online publishing and digital advertising industry.

Simply put, the legal consequences of violating the GDPR have to be taken seriously. Organizations that fail to comply with the GDPR may be fined between 2%-4% of their annual global turnover or up to €20 million, whichever is higher. Repeated violations can raise the level of legal penalties to the €40 million range.

In a nutshell, the GDPR requires online publishers, eCommerce websites and all entities with a web presence to perform the following actions while interacting with EU citizens based in Europe:

  1. Collect and process personal data as defined in the GDPR
  2. Prove clear and affirmative consent to process PII data
  3. Appoint a Data Protection Officer (DPO) to monitor activities
  4. Give the client/user an option to be “forgotten” if they choose to

As per the GDPR, online publishers will also be required to perform mandatory Privacy Impact Assessments (PIAs), also known as Data Protection Impact Assessments (DPIAs). This process has been created for publishers to assess privacy risks created by the collection and processing of sensitive PII data.

The new EU data protection framework has three more legal elements that online publishers (i.e., data controllers) need to take into consideration.

The ePrivacy Directive
The old “Cookie Law” has evolved. While consumers were required to accept the use of cookies every time they visited a website, they rarely had any real control over what PII data was being collected via their browser and what was stored, or in some cases even sold to third parties.

As per the new ePrivacy Directive, browser settings will allow website visitors to accept or refuse cookies, as well as other ‘identifiers’. Only “non-privacy intrusive cookies”, used to enhance performance and improve user experience, can be implemented without user consent.

IAB Europe’s Guidelines
The Interactive Advertising Bureau (IAB) Europe has also released a new framework aimed at standardizing the process of obtaining user consent.

Online publishers (data controllers) will get to select which Ad Tech vendors (data processors) they wish to continue collaborating with from a centralized list of authorized global vendors. These third-party vendors will need to submit an application to appear on this list and pay a predefined admission fee.

Full compliance can’t be achieved just by working with IAB Europe compliant vendors. Online publishers also carry the responsibility of obtaining documented consent from the consumer (data subject) on all vendors’ behalf, not to mention the real-time management of these permissions.

Consent Management Platforms (CMPs)
CMPs enable online publishers to micromanage user consent. More and more businesses are adopting CMPs to manage the consent aspect of getting PII data from their clients. Besides setting and monitoring the statuses of user consent, they allow the management of preferred vendor lists.

Despite not being a mandatory tool for GDPR, CMPs are being adopted by data controllers on a massive scale to optimize user consent management.

Third-party vendors are becoming increasingly necessary for modern online publishers to remain profitable. These services are essentially autonomous components that run independently of the publisher's own code, which makes them hard to monitor and further complicates GDPR compliance.

Your PII data can also potentially reach new data processors in the form of fourth- and fifth-party services. Hence, a proper GDPR audit should go beyond first-party software on the website and include the third-party services in Ad Tech and MarTech stacks for a thorough inspection.

Although there are several ways to determine which services are running on your site, not all of them will highlight the fourth and fifth party dependencies.
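One way to surface those deeper dependencies is to attribute every request in a page load to the script that initiated it and count how many hands the data passes through. The following is an added example, not from the guide or any CMP product; it works on a constructed, simplified HAR-style capture where each request carries a single initiator URL (real Chrome HAR exports record a richer `_initiator` structure), and it approximates the registrable domain by the last two host labels.

```python
from urllib.parse import urlparse

# Constructed sample in simplified HAR form (assumption: one initiator
# URL per request).  The page loads an ad tag, which loads a measurement
# vendor, which loads yet another host.
SITE = "https://www.example-news.test/article"
SAMPLE = [
    (SITE, None),
    ("https://cdn.example-news.test/app.js", SITE),
    ("https://tags.adnet.test/tag.js", SITE),
    ("https://sync.adnet.test/px.gif", "https://tags.adnet.test/tag.js"),
    ("https://measure.vendor-a.test/m.js", "https://tags.adnet.test/tag.js"),
    ("https://beacon.vendor-b.test/b.js", "https://measure.vendor-a.test/m.js"),
]

def host(url):
    return urlparse(url).hostname

def site(url):
    """Registrable domain approximated by the last two labels (assumption;
    a real audit should use the public suffix list)."""
    return ".".join(host(url).split(".")[-2:])

def party_depths(entries, first_party_url):
    """Map each host to (depth, chain of hosts that led to it).
    1 = first party, 3 = third party loaded by the site itself,
    4+ = loaded by another third party (fourth, fifth party, ...)."""
    own = site(first_party_url)
    initiator = dict(entries)          # request URL -> initiating URL
    memo = {}

    def depth(url):
        if url not in memo:
            parent = initiator.get(url)
            if site(url) == own:
                memo[url] = (1, [])
            elif parent is None or site(parent) == own:
                memo[url] = (3, [host(parent)] if parent else [])
            elif site(parent) == site(url):      # same vendor, same depth
                memo[url] = depth(parent)
            else:                                # the vendor's own vendor
                d, chain = depth(parent)
                memo[url] = (d + 1, chain + [host(parent)])
        return memo[url]

    report = {}
    for url, _ in entries:
        d, chain = depth(url)
        if d > report.get(host(url), (0, []))[0]:
            report[host(url)] = (d, chain)
    return report

def beyond_third_party(entries, first_party_url):
    """Hosts a plain third-party scan would miss: depth 4 and deeper."""
    return {h: v for h, v in party_depths(entries, first_party_url).items() if v[0] > 3}
```

Hosts reported at depth 4 or more are the ones that never appear in the publisher's own vendor list, so they are the first candidates to add to the audit and to the consent records.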

