GDPR and the Advertising Ecosystem

I.    Overview

In May 2018 the European Union’s General Data Protection Regulation (GDPR) will go into force, after discussion in every industry forum that does business in the European Economic Area (EEA). As the date rapidly approaches, the concepts of integrity, transparency, and responsibility for data must characterise the way the digital advertising ecosystem operates in this new age of regulatory oversight.
This is not without challenges. The GDPR and associated regulations give clear direction not only about what is considered Personal Data, but also about what roles and responsibilities the companies that collect data have, in what situations they can transfer it, and how they preserve the rights of data subjects. In the dynamic functions of the Programmatic Advertising ecosystem, the roles and responsibilities of the participating companies must be clearly defined, and a thorough investigation into all aspects of the collection and processing of Personal Data must be carried out.
Mobsta has made the commitment to not only protect Personal Data and the rights of subjects, but to create ongoing processes by which all data is accounted for, users have transparency as to how their data is handled, and contractual commitments to managing data securely and responsibly are followed by us and all our contracting partners. As we partner with processors of large volumes of Personal Data, Mobsta recognises the responsibility to respect privacy rights and to put in place appropriate standards of data protection.
This document provides a look “under the hood” at our types of data, compliance program, privacy safeguards, and data practices as we approach the May 2018 deadline of the GDPR. It describes the tools and artifacts utilised to ensure that all location data, subscriber attributes, segments, and browsing history are collected, stored, transferred and deleted in accordance with the will of the subject and the regulations of the region. This type of organisational effort allows Mobsta to be a trusted partner in delivering compliant targeted advertising.

II.    How Data is Used

Mobsta collects data to deliver advertising campaigns from three types of sources:
1) Mobile Network Operators (MNO)
2) SDK and industry sources
3) RTB Bid Stream

Each of the three types of data has a different purpose within Mobsta’s offers. Despite those differences, all the contractual relationships have, at their core, data privacy and protection principles in the way we collect, store, and manage those data sources. At the core of all our data processing is the concept of a foundational reference “truth set” from Mobile Network Operators that enables Mobsta to offer data that is both highly accurate and privacy compliant.
Mobsta processes anonymous subscriber data from Mobile Network Operators (MNO). We collect and utilise this operator data in a privacy compliant way. We do not use operator data to target users directly, but rather as a “truth set” to validate data from multiple other sources. This “truth set” enables us to offer accurate, high quality data without ever disclosing the MNO-sourced user information into the Advertising Ecosystem. All MNO data stays within our secure environment, so concerns about inappropriate third-party transfers of data are mitigated. This allows Mobsta to offer data that is increasingly transparent, accurate, and validated in the ecosystem of GDPR regulations.

III. Types of Data

Mobsta also offers the processing of many types of data to deliver advertising solutions. Across the data categories listed below, Personal Data is present as a subset of the data type. Each element of Personal Data requires a consent mapping as part of a due diligence exercise to determine the entity that receives and implements the subject’s consent.
For any of the Personal Data in the categories below, especially Location and Session data, the subject’s consent is required not only to collect and utilise the data, but also for selecting segments based on behavioral traits. This is an important distinction for Advertisers, as a clear, unambiguous path to targeting an ad to the right audiences requires data that has been properly vetted to be compliant with all applicable regulations and laws. As of May 25, if the path to the device owner’s privacy selections is not known, as is the case in today’s digital advertising ecosystem, the targeted campaign could cost Advertisers far more than the CPM they paid.
Explicit and unambiguous consent is required by a known source to allow compliance with the GDPR Article 6: Lawfulness of Processing. All organisations in the advertising ecosystem are now subject to this rule and to achieve this, they must know the type of data being processed, the ultimate source of that data, and the ways any data will be updated and maintained by the data subject. Mobsta uses the following data types to validate data and create segments in the Advertising Ecosystem:

A. Demographic data
The attributes in this data type typically include gender and age range. 

B. CRM data
This data type typically includes attributes such as subscriber wireless plan name, plan type and post code. 

C. Location data
Location data defines the geographic location of a device at a point in time. There are multiple data sources to activate location data for monetisation such as GPS signal enabled by Apps, Wi-Fi networks and Cellular networks. This data type typically includes attributes such as latitude, longitude, horizontal accuracy and timestamp. 

D. Session Activity Data
Session activity data is derived from anonymising and aggregating browsing activity data of the user. This type of data creates Segments based on online interests. This data type typically includes attributes such as URL, timestamp, and user agent. 

IV. Compliance with the GDPR

Valuing transparency and accuracy in all our interactions is core to the way we do business. Below we detail various compliance mechanisms that are key to the GDPR compliance strategy implemented at Mobsta. With each compliance area, our long-term commitment to ongoing integration of the principles of the GDPR is evident. In each privacy mechanism described below, we meet or exceed the compliance standard outlined in the EU regulation.

A. Standard Corporate Clauses (SCC)
Mobsta utilises Standard Corporate Clauses to define how we and our partners manage, handle, and secure Personal Data. Mobsta not only can be trusted to handle the data of European Economic Area (EEA) subjects regardless of where their offices are located, but also must pass SCCs through to all processors of Personal Data that it does business with. This ensures that all Personal Data is handled under enforceable contractual clauses committing to Purpose Limitation for processing data, conduct of Subcontracting, Data Security, Data Subject Rights, Data Quality standards, and Data Transparency and Fairness. This includes all Mobsta contracts that require the transfer of Personal Data, such as those with Data Supply Partners, SSPs, Exchange Partners, Advertisers, and Publishers.

B. Contractual Roles and Responsibilities
The EU Data Protection Law outlines the responsibilities and roles of organisations that handle Personal Data involving an EEA based data subject.
These roles are defined in GDPR Article 4 as “Controller” and “Processor”. What control an organisation has in relationship to Personal Data is the determining factor here. The “Controller” is an organisation that determines the purposes for which, and the way in which, Personal Data is processed. By contrast, a “Processor” is one that processes Personal Data on behalf of the Data Controller.
In all our contracts Mobsta and our data partners take the role of the “Processor” of Personal Data, either on behalf of the Data Controller, or as a Sub Processor on behalf of other Data Processors. In being a Data Processor, we have committed contractually to GDPR compliant clauses which:
1) Qualify our contracts as GDPR compliant where roles and responsibilities are defined and transparent in compliance with GDPR Articles 24 – 43; and
2) Have a defined, explicit scope for processing the Personal Data in conjunction with the Data subjects’ privacy rights and consents as managed by the Data Controller.
Relying on contractual relationships, indemnifications, and direction of the use of the data that are compliant with the GDPR’s requirements for a Data Processor enables customers to know that the Data Controller has a legal obligation, not only to us and our partners, but also to their users in an explicit, clear, and documented way. This satisfies GDPR requirements for legal processing and transparency in the collection of Personal Data.

C. Data Processing Addendums (DPA)
In addition to the SCCs, the contractual clauses that define Mobsta as a Data Processor with its data sources are documented and enforced through Data Processing Addendums (DPA). This is required for all contracts where Personal Data is collected and processed in compliance with GDPR Article 28. As of May 25, when we are processing data that includes Personal Data for EEA subjects, a DPA must be signed with the Data Controller or Data Processor that we collect the data from. This is a non-negotiable requirement. If an organisation in the Ad ecosystem cannot commit to / sign the provisions of a GDPR compliant DPA (as defined by Article 28), then Mobsta will not process Personal Data on their behalf.
The content of the Data Processing Addendums includes security measures we use to collect, store, and use data in the specific product and services described in the contract. It also clearly defines the roles and responsibilities for each party in handling Personal Data belonging to EEA subjects. It also commits both parties to following the regulations of the GDPR and other applicable privacy regulations as a condition for establishing a business relationship. The DPA also gives the Data Controller the right to audit, change, and eliminate the processing we do. This is important for Mobsta’s advertiser clients, as this ensures that all data used in targeted advertising has a transparent path to the data subject, eliminating unknown data sources, and creating a transparent path to legal processing. 

D. Consent Management and Processing
One of the main issues for the advertising ecosystem is ensuring that the Personal Data used for targeting ads has the explicit consent of the user. GDPR Article 6 addresses the Lawfulness of Processing for Personal Data. As many ecosystem players relied previously on the regulatory concept of “Legitimate Interest” to collect and use Personal Data, the GDPR has reduced this application of legal processing in most digital advertising scenarios. The ability to collect and maintain consent in compliance with Article 7 requires having data sources that Advertisers can depend on, who have the ability and requirement to obtain clear, transparent, and compliant consent from their data subjects. As a contractual condition of the DPAs, Mobsta requires that Controllers are held responsible for the consent of the data subjects as expressed in the required clauses detailed in Article 28. This allows the Advertisers to know that we only execute compliant data contracts that ensure the correct user consent is obtained.

E. Privacy by Design and Default (DPIA, Retention, Evaluation, and Data Inventories)
Mobsta and its partners have deployed privacy methods and procedures for many decades all over the globe in conjunction with their MNO customers and our regulatory and contractual commitments. The GDPR-mandated Privacy by Design and Default (PbD) in conjunction with Article 25 is a requirement for Controllers only, yet we, as a Data Processor, still require PbD methods for products in the EEA.
These PbD processes include the following:
1) Evaluating all types of data collected for applicable regulatory and business integrity compliance (Article 5)
2) Completing Data Protection Impact Assessment (DPIA) for all collected data in the EEA (Article 35)
3) Maintaining a data inventory of all data flows and data elements/types used in the production of audience segments and location verification on behalf of Data Controllers and Processors. This includes data at use, motion, and rest (Article 30)
4) Implementing processes to ensure data retention limits are implemented (Article 5(1)(e))
5) Eliminating all Personal Data belonging to the Data Controller or Processor when the contract is no longer in force (DPA Clauses Article 28)
6) Continually evaluating appropriate data security measures for the regulatory and contract obligations and data types such as encryption, pseudonymisation, and appropriate firewalls (Article 32)

F. Data Subject Rights
Lastly, we will cover the tools by which Mobsta protects the rights of data subjects in the EEA. The GDPR gives data subjects the right to consent, remove consent, acquire, correct, and delete (Articles 12 - 23) all forms of Personal Data an organisation holds on them. They also have the right to object to the legal processing (Art. 21) and automatic processing (Art. 22), as well as to file a complaint with national regulatory authorities, and the right to pursue civil litigation and appeal decisions if they are unhappy with the outcome of their case.
Mobsta has developed procedures and processes to address all rights of the user. As we covered our methods for consent management in a previous section, we also have methods to find and act on the subject’s wishes for any personal data we may have by AdID, IP Address, or other pseudonymous indicators and to communicate with data source partners when the situation requires. We have also posted on our external website information and contacts to assist data subjects through our DPO and give them the information they need to file a complaint with the supervising authority in full compliance with the GDPR.

G. Extraterritorial Scope
The GDPR, unlike the current Data Protection Directives, has an extraterritorial scope in that it includes compliance from organisations that may not be in the EEA, but are involved in the collection of Personal Data on EEA data subjects. The GDPR defines data subjects not by citizenship or residency, but as any person in the EEA. This could mean a visitor to the EEA region on a mobile device, or any application or website that is accessible to EEA subjects. Mobsta has evaluated these scenarios and has created ways to identify and flag user data that is applicable to the GDPR regulations. We have spent much of the last year defining process methodologies that apply to any data collected in the EEA, regardless of where our partner or customer may be physically located. This allows Advertisers to know that all data used for their campaigns is handled appropriately. Mobsta stores and processes all data obtained from EEA subjects regionally in the EU.

V. Conclusion
With GDPR in full force (as of May 25th, 2018), Advertisers need to question and practice due diligence with the suppliers and partners they depend on in the EEA. It is easy for organizations to say that they are GDPR compliant or are somehow exempt from GDPR, but the proof of compliance requires a larger effort. The validation of GDPR principles lies in the five following areas:
1) Appropriate contractual clauses, obligations, processing roles, and DPAs that are compliant with the GDPR
2) Process and procedures that give transparency to data subjects and maintain data protection and security required by the GDPR
3) A clear vision and responsibility to have, maintain, and act appropriately on consent decisions of the data subjects
4) A PbD process that is consistent and repeatable to maintain privacy principles
5) Respect for, and enablement of, the rights of data subjects given by the GDPR and regional privacy laws.
Our campaign delivery products were built from the ground up with data privacy, integrity, and transparency at the forefront of our business priorities. We have built a foundation of data protection guidelines for every product and processing decision to ensure regulatory interpretation and implementation in all our services, contracts, and operations. As regulation evolves in the coming years, Mobsta will continue to be a trusted leader in data protection and compliance.