"Data-Driven Thinking" is written by members of the media community and contains fresh ideas on the digital revolution in media.
Today’s column is written by Tobin Ireland, co-founder and CEO at Smartpipe.
When it comes to adding agencies to their portfolios, the major media groups are certainly not afraid to spend big. There were 398 acquisitions in 2016 with a total investment of $14 billion, according to consultancy R3. The Big Six – WPP, Dentsu, Havas, Publicis, IPG and Omnicom – were responsible for 89 acquisitions, at a value of more than $3.3 billion.
Figures through September showed 291 acquisitions this year. And in this game of agency supermarket sweep, many of the targets come from the data, digital and programmatic aisle.
But while collecting emergent businesses has always been the no-brainer route to revenue growth and new capabilities that – hopefully – future-proof the holding company, some regulatory changes may cast those shiny new purchases in a different light.
For instance, after May 2018, any company processing the personal data of EU citizens will need to comply with the General Data Protection Regulation (GDPR), a strict law that outlines how personal information should be used. And, as most global corporations have European subsidiaries or clients, the GDPR butterfly effect will likely reach them, too.
This might be less of a problem if global media, marketing and advertising holding companies had a track record of creating tight command-and-control structures for their operating companies or driving uniform organizational culture and operating models across each of their subsidiaries. But they don’t do that for very good reasons: They are creative-led businesses, which generate value with a diverse corporate portfolio.
So, what will the GDPR mean for international super-agencies and how can they manage the changes it brings?
For media groups, the greatest impact of the GDPR is increased accountability. As the parent company of multiple agencies, the buck will stop with them when it comes to compliance – any fines are based on the holding company’s revenue and not the operating companies. And this will pose a sizeable challenge on two counts: first, because bringing fragmented agencies in line is no easy task, and second, because there are many rules to follow.
In short, the regulation gives users greater control, such as the right to access personal data held about them and to ask for data deletion. Personal data is defined as any information that makes individuals identifiable, and that includes a collection of identifiers considered anonymous in certain countries, such as the US. It also states companies must obtain unambiguous consumer consent to gather their data via plainly worded requests, which need to specify how it will be used. Companies must also report data breaches within 72 hours, build privacy protection into new systems and appoint a data protection officer.
Again, it is worth noting that the penalty for non-adherence is severe: Agencies that fall foul of the laws could incur fines equivalent to 4% of their parent company’s global annual turnover or 20 million euros. So, if a boutique media agency mishandles personal data, the fines it faces will be based on parent company turnover, which could be a seismic blow. Are those management teams, in the throes of their earn-out, thinking about that bigger denominator?
Thus, the weight of accountability for ensuring GDPR requirements are met by every group branch is highly complex and requires holding companies to be proactive and controlling in ways they are not used to. But that’s not all: There’s also the need to take client concerns into account.
Brands are not unaware of GDPR and its potential to hinder marketing activity if agencies don’t abide by its rules. As a result, it’s likely large media groups will also begin to see increasing demands from clients for a clear view of their data procedures and what they are doing to align with the GDPR.
The existing Data Protection Directive required good data practices from data controllers, and it also forced data subjects to prove a lack of compliance. But the GDPR extends responsibility for good data practices to data processers, and it puts the onus on data controllers and processors to prove they are compliant. As a result, brands will be especially keen to receive assurance that the data used and provided by agencies is secure and won’t put them at risk of unwitting noncompliance.
Just as we have seen brand safety move rapidly up the advertising agenda, so we will see increasing calls for “data safety” over the next 12 to 18 months of the GDPR and ePrivacy regulation.
How Can Agencies Meet The GDPR Deadline?
Considering the GDPR’s scale, it’s not entirely surprising that a high proportion of companies do not yet feel ready. According to a recent survey by the World Federation of Advertisers, one in four organizations are still in the initial preparation stages, and fewer than half (41%) have a strategy in place. But as the May deadline rapidly approaches, it’s crucial for all companies, particularly large corporations, to develop a robust GDPR game plan.
The press is awash with articles giving guidance on compliance. These articles tend to be inward facing and focusing on the internal management of personal data. The digital advertising industry is characterized by its external-facing nature as data flows between companies. As that data crosses the firewall, it is the “single point of failure” for advertising businesses.
The GDPR is coming and, for those with any EU presence, its effects will be substantial. With a range of agencies to bring into order, new regulations to follow and an increasingly fragmented set of technical and commercial relationships, global media groups have a long road ahead. By getting a head start now and thinking about building sustainable data strategies, not just compliant ones, they can ensure their organization will be both successful and safe after May.
Follow AdExchanger (@adexchanger) on Twitter.