How Bannerflow prepared for GDPR – and survived
GDPR is finally here… and now it’s over?! Well, for those in the know, it’s not over, in fact, it’s never going away. It’s changed how everyone works with data forever. But the truth remains that after years of preparation May 25th came and went at Bannerflow – albeit with a brief traditional Swedish fika.
We jest but getting to a point of project completion took time and effort. It wasn’t the data apocalypse as some might have believed but there were moments of hair pulling. The fact is Bannerflow is GDPR compliant, which is good news for our users and staff.
Like all businesses we’ve learnt much, developed new ways of working, and are now ready for the shiny new era of General Data Protection Regulation. Oh, and in a previous blog on GDPR we joked about making sure you had your lawyers on speed-dial – turns out we weren’t joking!
Here are a few things we discovered…
GDPR and the Bannerflow platform
Within Bannerflow data is protected. The most important aspect of GDPR – in the product at least – is that we have removed personal data from almost all processes, and entirely from our long term storage.
We don’t collect the personal data of people we serve ads to. Our cookies do not include any unique identifiers. This is how Bannerflow works. Moving forward this is the only way we can and will work. It’s how we’ve implemented GDPR in a practical way.
By removing the identifiers, life for our clients – our controllers – is much simpler. Our setup is easier to work with as a controller of personal data.
With the regulation enforced across the European Economic Area, and involving any person, of any nationality present in that area, preparing for worldwide usage is crucial. After all, it is safer and easier to implement a change on a worldwide basis. Especially when you consider Canada and Australia are set to introduce similar regulation too.
Working with our partners
Another way in which Bannerflow prepared for GDPR was by working with partners. Not just our clients and users but specialist companies. One of the most important being PageFair.
Bannerflow joined forces with PageFair to use Perimeter, an initiative with eight other advertising companies that makes sure our platform fully complies with GDPR regulations.
According to PageFair’s Head of Ecosystem, Dr Johnny Ryan, by being part of Perimeter, Bannerflow “frees its partners from the burden of the GDPR by carefully avoiding the use of personal data. It will be automatically whitelisted by Perimeter, a technology that blocks all 3rd party elements that leak personal data and breach the GDPR.”
What’s more, “together, we will enable websites to apply a new standard of ethical, privacy technology that better respects their visitors. Privacy and data protection are fundamental rights in Europe. We are proud to work with Bannerflow to help publishers to apply absolute protections of these rights”. Which means we’re able to make sure data is not lost nor misused.
Plus, we’re able to demystify digital advertising – it’s one of the reasons we exist as a company.
Being transparent over how we operate
An area where we have had to be particularly careful is how we approach using IP addresses. In general, we are not working with IP addresses and we do not store them – but Bannerflow does process them for ad fraud and bot detection.
This is because Bannerflow has a legal interest in removing fraudulent traffic. It’s part of improving the ad ecosystem for all our clients. We do not store anything in violation of GDPR.
For Björn Karlström, Product Owner (and resident GDPR expert), understanding and interpreting how the regulations affect relationships with our clients is key. “Understand reasonability. In GDPR it’s really important to understand the relationship between controller (the advertiser) and the processor (Bannerflow). It’s also likely that in some cases the advertiser is not as informed as the processor but this will rapidly change after May 25th.” Being open and transparent about how we control data is essential.
Furthermore, clients will have to quickly adapt to a changing ad landscape and the effect GDPR may have on it.
Updating our marketing to be compliant
It’s not just our product where GDPR is having an impact. Another area where we had to make sure we are compliant is in our marketing.
Becoming GDPR compliant has fundamentally changed the way we work for the better. What’s more, the sheer size and scale of the project was unprecedented in the history of Bannerflow. It’s taken over a year for us to reach a satisfactory outcome.
For the marketing team, embracing transparency, being open, and building trust have been cornerstones to success. However, GDPR has allowed marketing to become even more premium in its communications. It gave the team an opportunity to renew strategy and improve the relationship between customers, prospects and Bannerflow.
For Bannerflow Digital Marketing Specialist Lucy Hemingway, implementing GDPR has only been beneficial. “As a marketing department, we are approaching GDPR with a very positive outlook! Our ambition is to share only the finest, most relevant content with our subscribers. When we engage with prospects and customers, they will only see premium content which is exciting and empowering – this is our mission!” GDPR has helped ensure Bannerflow only offers quality communication across a range of channels.
GDPR has also provided marketing with the opportunity to better characterise who we talk to and how – with what content. For example, we have chosen to take intent very seriously, analysing reasons behind someone contacting us and the level of information they require.
We now offer a personalised Bannerflow experience from the moment any conversation begins. Our prospects and clients have always been a face rather than a number but questions regarding ‘why?’ and ‘who?’ over the collection of data are now bigger considerations. An outcome which is beneficial for all parties.
GDPR and how it affects internal processes
Perhaps overlooked in the media is how GDPR affects how data is controlled internally at companies. At Bannerflow we’ve been open about how employee data is processed throughout. We only use information that is necessary for employment purposes after all.
This means that Bannerflow has information on staff contact details such as e-mail address, telephone number, etc. Also information specific to employment, such as information on staff compensation, other benefits, and holiday dates, etc.
Like any other Swedish company this information may be shared with other parties acting on our behalf, but only if required for an intended purpose. If someone leaves Bannerflow, we will delete all information about the employee – which is normal. GDPR has – like everything – helped us improve our ways of working.
Final thoughts and ePrivacy
Lastly, while the process may have taken time and effort, we ultimately believe that transparent use of data benefits everyone.
For our CEO Nicholas Högberg, GDPR fits into Bannerflow’s mission statement of removing the mystery from digital advertising. “GDPR is removing another layer of mystery in digital advertising, by empowering consumers, it forces brands to be more creative and thoughtful with their display advertising.” And that is where, as a company, we stand with GDPR.
The lessons Bannerflow has learnt with GDPR are already helping us prepare for the next challenge on the horizon too. That next challenge is, of course, ePrivacy, which, much like GDPR, is set to rock the entire digital advertising industry.
Currently it looks likely ePrivacy will not enter into force until sometime in late 2019, providing plenty of time for businesses to prepare – if they aren’t already doing so.