In this webinar, see the specific impacts of GDPR on B2B companies as they plan, budget, launch and measure success from ABM advertising programs that reach and engage the 500 Million+ citizens of EU countries and the UK. Our panel of experts will cover the IT, Legal, Marketing, Data and Technology Provider side of GDPR compliance. All of these dimensions need to be addressed as you plan for the world of GDPR.
2. Speaker Introduction: Mani Iyer
Mani Iyer
• CEO, Kwanzoo Inc - Leader in ABM Advertising for B2B Enterprises
• Serial Entrepreneur, Startup Advisor
• Founded/sold e-learning platform business to Oracle
• Senior Tech/Marketing Executive at Oracle, CA/Ingres, Microsoft
• MS CS, University of Wisconsin
• BS EE, Indian Institute of Technology
3. Speaker Introduction: Sid Yenamandra
Sid Yenamandra
• CEO & Co-founder, Entreda – Cybersecurity Risk Mitigation Software
• Serial Innovator, Advisor and Technology Entrepreneur
• VP of Product at Plato Networks (acq. by Netlogic/Broadcom)
• Head of NSA-funded crypto acceleration program
• BS EE & CS, UC Berkeley
4. Introduction: Francoise Gilbert
Francoise Gilbert
• Shareholder/Partner, Greenberg Traurig LLP, Silicon Valley, California (USA)
• Practice focused on Information Privacy & Security, Data Science, and Emerging Technologies
• Author & Editor, Global Privacy & Security Law (two volumes, 3,800 pages, 68 countries; Aspen/Wolters Kluwer Law & Business)
• Founding Member & Lead Counsel, Cloud Security Alliance
• CIPP/US, CIPP/Europe, and CIPM certifications from the International Association of Privacy Professionals (IAPP)
• Admitted to practice law in California, Illinois and France
5. What is GDPR - Overview
• EU General Data Protection Regulation EU 2016/679 (GDPR)
- Signed: April 27, 2016;
- Enforced as of: May 25, 2018
• GDPR expands scope and jurisdiction of prior data protection laws
• Replaces the EU 1995 Data Protection Directive, and supersedes
all national laws that implemented the 1995 Directive in the EU
and EEA Member States
- EEA = EU + Norway + Iceland + Liechtenstein
• “Regulation” means one single law throughout the EU/EEA territory.
- Not really. GDPR allows member states to add or supplement provisions
6. Why is the GDPR relevant outside the EU/EEA?
• GDPR will apply to numerous non-EU/EEA entities
• Two ways to assert jurisdiction:
- Entity is established within the EU/EEA
  - Processing of personal data by any controller or processor established in the EU/EEA
- Entity is not established in the EU/EEA, but
  - Is a data controller (determines the purpose and means of the processing) or a data processor (processes data on behalf of a controller)
  - Is processing personal data of data subjects who are in the EU/EEA
  - And the processing activities are related to:
    - The offering of goods or services to individuals within the EU/EEA, even if no payment is required; or
    - The monitoring of data subjects’ behavior in the EU/EEA
7. GDPR Data Processing Principles
Lawfulness, fairness, and transparency
• Processed lawfully, fairly and in a transparent manner
Purpose limitation
• Collected for specified, explicit and legitimate purposes and not further
processed in a manner that is incompatible with those purposes
Data minimization
• Adequate, relevant and limited to what is necessary in relation to the
purposes for which the data are processed
Accuracy
• Accurate, and where necessary kept up-to-date; ensure that inaccurate data
are erased or rectified without delay
8. GDPR Data Processing Principles
Data retention or storage limitation
• Personal data must be kept in a form that permits identification of data
subjects for no longer than necessary for the purposes for which the personal
data are processed;
• Exception for archiving for public interest, scientific or historical research
purposes, or statistical purposes
Security, integrity, and confidentiality
• Personal data must be processed in a manner that ensures the security of the
personal data, including protection against unauthorized or unlawful
processing, and against accidental loss, destruction or damage, using
appropriate technical or organizational measures.
9. Data Processing Principles; Fines
Accountability
• The data controller is responsible for, and must be able to demonstrate, compliance with the Principles (in the prior slides)
Inability to demonstrate compliance (through written policies, record-keeping, etc.) may expose the entity to a fine of the higher of:
• Up to EUR 20,000,000 or up to 4% of the entity’s total annual global gross revenue, in the most serious cases
10. Lawfulness of the processing
Processing (collection, use, sharing, …) is illegal unless one of the following
occurs:
• Data subject has given consent to the processing of his/her personal data for one or
more specific purposes
• Processing is necessary for the performance of a contract to which the data subject is
party, or in order to take steps at the request of the data subject before entering into a
contract
• Processing is necessary for compliance with a legal obligation to which the controller is
subject
• Processing is necessary in order to protect the vital interests of the data subject or of
another natural person
• Processing is necessary for the performance of a task carried out in the public
• Processing is necessary for the purposes of the legitimate interests of the controller or
a third party, unless such interests are overridden by the interests or fundamental
rights and freedoms of the data subject that require protection of personal data.
11. Responsibilities of Data Controller
Controllers Must:
• Keep written records of their processing activities (except if fewer than 250 employees)
• Be able to demonstrate that the processing is performed in accordance with the GDPR
• Implement appropriate technical, physical & administrative security measures
• Promptly disclose breaches of security
• Conduct appropriate due diligence when selecting processors, sub-processors
• Enter into written contracts with processors regarding scope of data uses, and protection
of personal data with specific provisions
12. Responsibilities Data Processors
A data controller that engages a data processor must:
• Use only processors that are able to guarantee that the processing will meet the
requirements of the GDPR and ensure the protection of the rights of the data subjects
• Enter into a written contract that meets specified requirements
• Provide written instructions to the processor regarding the permitted activities
• Processor may not engage another processor (“subprocessor”) without prior authorization
of the data controller
• If processor engages third parties, processor must have written contracts with each sub-processor incorporating restrictions similar to those in the controller-to-processor contracts
13. Cross Border Data Transfers
Transfers of data outside the EU/EEA are prohibited unless an exception
applies
Measures that can be used to legitimize transfers:
• Binding corporate rules
• Standard contractual clauses or other contractual clauses approved by a data
protection authority
• Privacy Shield
• Approved code of conduct or certification mechanism
Several derogations, e.g.:
• Individual gave explicit consent
• If transfer is occasional and is necessary to comply with contractual obligations
14. Rights of the Data Subjects
▪ Right of access
▪ Right of rectification
▪ Right of erasure (“right to be forgotten”)
▪ Right to data portability
▪ Right to restrict the processing of their personal data
▪ Right to object to the processing of their personal data
15. Rights of the Data Subjects
▪ Right to object to the processing of their personal data for direct
marketing purposes
▪ Right to not be subject to a decision based solely on automated
processing, including profiling
▪ Right to lodge a complaint with a supervisory authority
▪ Right to an effective judicial remedy where data subjects’ rights have
been infringed as a result of data processing in non-compliance with
GDPR
▪ Right to mandate a non-profit organization whose statutory objectives
are in the public interest and that is active in the field of data protection,
to initiate a complaint on behalf of the individual
17. GDPR constituents and data workflows
• Data Processor: Company delivers tools used to collect web analytics data
• Data Collector: Beneficiary of data for web analytics. Responsible for collecting, aggregating, comparing web analytics data
• Data Subject: Every person is considered a data subject. Entitled to access, correct or disallow data collection
Sample Workflow (diagram across Data Processor, Data Collector and Data Subject), with these steps shown:
• Generates consent request
• Consent received
• Consent provided
• Consent saved
• Data use report saved
• Consent + Guidelines passed to processor
• Data Processor uses data as instructed
18. User consent is a big deal …
• Consent is the biggest item that all marketers are grappling with
• Communication needs to be transparent, easily identifiable as
marketing material and who it is from, and include clearly marked
opt-out functionality
• Opt-out functionality is super important
• B2B organizations already have cookie policies in place. All users
must be presented with simple opt-in/opt-out cookie consent
choices
• List purchase is still viable under new regulations as long as the
list owner has the permission to use the data for that specific
person
19. So, how do we get GDPR compliant?
• Nominate a data protection officer
• Document all aspects of your company’s interaction
with data
• Pay close attention to data subject rights … data
portability, right to be forgotten, erasure etc.
21. ABM Job Title Targeting Process Flow
[Diagram: process flow. Labels shown:]
• North America & UK Target Accounts
• ABM Ads Served
• Customer
• Ad Creation, Program Setup, and Media Execution
• Programmatic Ad Buying
• ABM Engagement Reports
• DSP
• ABM Cookie Database
• Accounts, Job Titles, Functions, and Level Filters
• Data Management Platform
• 1 Billion+ B2B Cookies
• Website Tracking Tags on Customer’s Website + Microsites
• Email Delivery + Platform Dashboards + CRM Screens + Data APIs
• Engagement Data Collected
22. Kwanzoo Account Coverage Today (Before GDPR)
Reachable Contacts (Based on Cookie Data & Device IDs)
• Kwanzoo (Integrated with ODC|BlueKai): 1 Billion+
• Most Other Vendors: 200M
Reachable Regions with IP Database [map comparison]
• Kwanzoo (multiple 3rd party IP providers)
• Most Other Vendors
Access 5x more contact data with Kwanzoo
23. The ABM Advertising Ecosystem: Roles Under GDPR
Ecosystem Participant: GDPR Role
• Advertiser or Agency (Representing Advertiser): Controller
• Publisher: Controller
• ABM Display Platform: Processor
• Publishers or Platforms capturing 2nd Party EU User Data for Advertisers (or their Agencies): Joint Controller
• Data Marketplace Hosting 3rd Party Data Providers: Processor
• 3rd Party Data Providers feeding EU User Data into Data Marketplaces: Controller
• Data Management Platform (DMP) Hosting 1st Party and 3rd Party Data: Processor
• Demand Side Platform (DSP): Processor
24. ABM Ad Targeting Options Before and After GDPR
Before
ABM Job Title Targeting:
• US
• UK
ABM IP Targeting:
• EU
• All Other Geos
After
ABM Job Title Targeting:
• US ONLY
ABM IP Targeting:
• EU
• UK
• All Other Geos
25. ABM Reporting Before and After GDPR
Before
EU:
• Account Engagement Insights from IP targeted ads
UK:
• Account Engagement Insights from IP and cookie-targeted ads
• Aggregate Buyer Insights from cookie-targeted ads
After
EU:
• Account Engagement Insights from IP targeted ads
UK:
• Account Engagement Insights from IP targeted ads only
40. But I am not selling to EU citizens directly. Do I still care about GDPR? [APPENDIX]
41. How does GDPR affect site Cookie Policies? What about IP addresses? [APPENDIX]
42. What’s the difference between Directives (issued earlier) and Regulations (coming into effect) in terms of how they are administered or applied? [APPENDIX]
43. What are data privacy rules in use today in the UK and EU? How are they changing under GDPR? [APPENDIX]