Decoding GDPR for Pharma Marketers

April 11, 2018

What is GDPR?

  • Definition: The General Data Protection Regulation(GDPR) is a legal framework that sets guidelines for the collection and processing of personal information of individuals within the European Union (EU). GDPR will come into effect across the EU on May 25, 2018.
  • GDPR is the regulation set by European lawmakers to protect the personal information of EU consumers. Any information used to identify a natural person or “data subject” falls within these guidelines. Name, photo, bank details, email addresses, posts on social media, medical information, and IP address are examples of Personal identifiable information under GDPR.

What consumers fall under GDPR?

  • GDPR protects the privacy rights of any European Union based individuals while physically within the border of EU countries. It applies to consumers located within EU countries even if they are not EU residents.  The regulations do NOT affect EU citizens when they are physically outside the EU geographic borders.

What companies are impacted by GDPR?

  • All companies within the demand and supply chain are liable for GDPR breaches.
  • Companies need to establish themselves as controllers or processors in order to know how to be compliant. A controller is the entity that determines the purposes, conditions and means of the processing of personal data, while the processor is an entity which processes personal data on behalf of the controller.
    • Publishers, vendors, and suppliers would be considered controllers.
    • DMPs (data management platforms) would be considered processors.
    • Agencies are in a unique situation as they can be considered both processors and controllers. They are processors for internal data and controllers when acquiring data from 3rd parties.

What does this mean for pharma marketers?

  • No EU consumers can be targeted with audiences built using PII information without clear consent.
  • Make sure all publishers, suppliers, and vendors are compliant under GDPR.
    • Publishers are tasked to revise their privacy policies. GDPR requires consent from end users before their personal data can be processed.  Publishers must have a clear opt-in/opt-out process and explain what is collected and what the data is being used for.  They must also be able to effectively report on and erase customer data if requested.
    • Agencies need to evaluate partners and rewrite contracts to include GDPR requirements when targeting EU consumers.
  • Set up proper audit trails.
    • Transparency around how data is captured and how we gained consent are required.

What are the penalties for failure to comply to GDPR regulations?

  • According to the GDPR official site: Up to $20 million, or 4% of the worldwide annual revenue of the prior financial year, whichever is higher, shall be issued for infringements.

What do pharma clients and agencies need to do differently?

  • There are no major changes for our standard ad ops process. We will want to pay close attention to our geo targeting parameters in DCM. If we were to omit US only targeting in error, we could be in breach and subject to large penalties.  We will also want to closely monitor any “out of geo” or “white ad default” delivery to be sure our partners are abiding by our terms.

CMI/Compas will continue to monitor this and keep our clients apprised of important developments.