How Nativo is Planning for GDPR


Major regulatory changes are in store for companies that collect consumer data and use it to deliver data-targeted advertising to European Union consumers. The General Data Protection Regulation (GDPR) will soon impact publishers and any digital advertising companies operating in Europe. GDPR is broad in scope, and compliance will vary from company to company.

The GDPR applies to persons established in an EU state, and any organization doing business with them – even if that organization is outside of the EU. If you are a publisher or advertiser with EU audiences that you target, engage, or otherwise track, this legislation likely impacts you. This post outlines how Nativo plans to manage the new landscape, but it is recommended that all customers and partners consult their own legal team.

What is GDPR

As we laid out in our GDPR primer, the GDPR is the new legal framework for consumer data protection in the EU. It repeals the 1995 Data Protection Directive upon which European law is currently based. The new regulation was adopted in 2016 and will be enforceable as of May 25, 2018. According to the GDPR website, the legislation is designed to “harmonize data privacy laws” across the EU and give greater protection and rights to consumers. And since a consumer’s decisions about their personal data may change over time, the GDPR requires organizations to make it easy for individuals to update their preferences, withdraw consent, or be removed from a marketing database entirely.

The GDPR provides these increased protections and control by mandating a 1:1 direct relationship between certain data controllers (generally understood as the first-party data collectors) and consumers. Data controllers need to obtain explicit consent from consumers—in a way that leaves no room for misinterpretation—in order to use consumers’ data for the purposes of online ad targeting, unless there is another legal basis for the collection.

Under the new rules, data controllers are accountable not only for the data they collect and hold within their own platforms, but for data they share with partners for processing on their behalf. Data controllers that share EU users’ personal information with another company (even to store it) must do so via a formal contract that specifically defines how the data can be used by a designated data processor.

Nativo Compliance

It’s important to understand that the GDPR does not take effect until May 25, and the Information Commissioner’s Office (ICO) is still providing guidance on how organizations achieve and maintain compliance across each of the 28 EU states. Nativo is actively reviewing our policies and procedures, updating our contracts, training relevant staff, and documenting our compliance.

Currently, Nativo’s compliance strategy includes the following measures:

  • Nativo will enter into Data Processing Addendums, where required, with applicable processors and controllers of Personal Data governed by GDPR to ensure that consent, transparency, and data transfer requirements are met.

  • Nativo provides its own opt-out tool for users, and links to third-party tools that offer additional choices, including NAI’s opt-out tools. We will also update our tools for EU users to enable explicit opt-in, where required. Further information is available at this link.

  • Nativo is in the process of reviewing and updating internal information security measures, data protection contracts with vendors, breach notification policies and procedures, cross-border data transfer solutions and record retention and deletion policies and schedules to ensure compliance with the GDPR.

  • Publishers with EU users will be required to sign a Data Processing Addendum detailing each party’s roles and responsibilities with respect to the collection and use of Personal Data from EU residents.

  • When processing data, Nativo is required to implement appropriate technical and organizational measures to ensure a level of security appropriate to the risk. To this end, Nativo stores all data on AWS secure servers, limits access to authorized employees, and employs data encryption when transferring to authorized third parties for audit purposes.

Follow Up

Details around the GDPR are still being formulated. Nativo will provide regular updates of our compliance procedures as the ICO issues more comprehensive guidance. Below is a list of resources to help better understand the regulations and plan your compliance strategy: