Call it a sign of the times.
Demandbase has hired a chief privacy officer – the first in the company’s history.
Fatima Khan, who joins the B2B ad tech platform from a prior position as VP of legal at mobile ad network AirPush, will be responsible for ensuring Demandbase’s global privacy policies are up to par – and that they pass muster with General Data Protection Regulation (GDPR) changes.
Although GDPR is a work in progress, industry observers agree: Every corner of the ad tech ecosystem could be affected.
Khan spoke with AdExchanger about how Demandbase is preparing for GDPR and predicted what’s next for ad tech and marketing tech.
AdExchanger: Why is Demandbase hiring a chief of privacy?
FATIMA KHAN: I’m going to head up the company’s overall approach to privacy and will be responsible for managing the cross-functional efforts toward GDPR compliance. It’s a critical time to be part of this industry, especially in ad tech and mar tech, because not everything is black and white.
But having been in the industry awhile, I’ve come to realize this is an industry that knows how to adapt. Ad tech and mar tech is scrappy. For example, ad IDs replaced device IDs and companies found ways to comply with COPPA regulations.
What does your role entail?
One way you start to tackle the privacy question within a company is through data mapping. After that, we’re doing a major gap analysis of all of our data and processes … as well as managing internal compliance through training.
We have a few priorities on the list for compliance, the first being updating our privacy policy and ensuring we’re in line and providing adequate notice, choice and transparency to data subjects. From there, we want to make sure our data transfers to the US are legal, so we’re aiming to apply for Privacy Shield.
You’re a US-based company. How can similar companies that engage in cross-border business, particularly in the EU, begin to prepare if they haven’t already?
A major thing is figuring out whether you fall into a “controller” or “processor” bucket. Many mar tech companies may have traditionally been more on the processor side, but in reality – based on what ad tech companies do, especially if you’re providing a lot of additional services around segmentation – you’re definitely going to fall into that “controller” or “joint controller” bucket instead.
In addition, one thing that’s really affected ad tech companies … is the expansion of web accounts as personal data. Identifiable data is also included in the regulation, which includes things like device IDs and IP address, and it really changes the game for marketing and advertising companies because it applies those traditional, personal data rules to new sets of data.
What practical advice would you give marketers or other tech companies?
This is only the start and the regulation at this point is not black and white in many areas. We’re lucky because we already have our data mapped and know what compliance actions we want to put into place.
From an ePrivacy standpoint, one practical consideration would be to understand what type of technology you’re using for which product and why you’re processing that data: What basis for processing do you have in place? Do you have contractual clauses that reflect that?
Or, if you’ll need to rely on another mechanism, such as consent, take that into consideration and determine whether you need to re-evaluate the data you collect, utilize broader segments that don’t rely on personal data or change your use of identifiers altogether.
Interview condensed.