GDPR: What You Need to Know

Starting in May 2018, companies conducting business in the EU will need to be in compliance or risk substantial fines.

GDPR is the General Data Protection Regulation, approved by the EU Parliament in April 2016 to replace the Data Protection Directive 95/46/EC. The main goal of the GDPR is to create a cohesive and common system of privacy laws across all EU member countries and enhance the privacy of EU residents. Like the Data Protection Directive, the GDPR is a principle-based regulation, requiring personal data to be processed fairly, lawfully and transparently for defined purposes only. It requires a business to limit collection of personal data and to safeguard personal data in its possession.

The GDPR raises the bar for processing personal data based on the consent of the data subject. In order to rely on consent, marketers must be able to demonstrate that the individual took some affirmative step to provide consent. You cannot infer consent from inaction, and you cannot condition providing goods or services based on a user’s consent. While this will be a limiting factor in the use of consumer data, it creates a prime opportunity for organizations: opted-in consumers offer brands the chance to create a more personalized customer experience with targeted offers, deals, and coupons that are most relevant to them. This ultimately should improve trust and provide better transparency between the brand and their customers.

From a security standpoint, Recital 49 requires organizations to defend their networks against “accidental events” or “malicious actions” that could end up compromising the privacy and confidentiality of the personal data they have collected, explicitly citing the threat from Distributed Denial of Service (DDoS) attacks. In the event of a breach, companies will have 72 hours to notify their local data protection authority.

Here is some additional information to explain what Neustar is doing to meet the upcoming GDPR regulations:

  • We are reviewing and updating existing Privacy Impact Assessments (PIAs) and creating Data Protection Impact Assessments (DPIAs) for relevant products and services. As part of this review, we update our data inventories, document our processing activities, articulate the lawful basis for any personal data processing, and identify and mitigate associated privacy risks to ensure alignment with GDPR requirements.
  • We have adopted SOC-2 and ISO 27001 compliant data security standards and an enterprise-wide Privacy and Confidentiality Policy embodying GDPR principles and requirements.
  • We are building streamlined data ingestion, inventory, retention/purge and processing systems and technologies to automate the application of our data governance policies.
  • We are reviewing and revising our privacy notices and transparency processes as well as our processes for receiving and responding to data subject requests for access, correction, erasure, objection, and portability as applicable.
  • We have reviewed and revised our customer- and vendor-facing contractual documentation to ensure that our obligations under GDPR, and our customers', are fully reflected.
  • We have designated a Data Protection Officer.
  • We have enhanced our existing privacy and security training to include GDPR-specific training.
  • To support international data transfers, Neustar has certified its compliance with the US/EU and US/Swiss Privacy Shield frameworks, the European Interactive Digital Advertising Alliance (EDAA) Self-Regulatory Program and its US Counterpart (DAA). We are also compliant with the Network Advertising Initiative's Code of Conduct, and TRUSTe's TRUSTED Data Program. We have revised our vendor agreements and oversight practices to ensure GDPR compliance when we use subprocessors.

GDPR doesn’t mean the end of effective online marketing. GDPR compliance isn’t rocket science, but it does require a thoughtful and creative review and refinement of data policies and procedures to ensure respect for the new, stronger data protection framework in an increasingly global conversation. Neustar’s GDPR compliance efforts are on track to deliver full compliance in advance of the 25 May 2018 enforcement date.

1. What personal data does Neustar collect and how is GDPR compliance achieved?

The data Neustar processes varies from product to product and sometimes from customer to customer. To ensure compliance with GDPR and with changing privacy norms, Neustar treats any information that is or reasonably can be linked to an identifiable natural person (a “data subject”) as “personal data.” This includes obviously personal information such as name, address, telephone number, email address, etc., as well as persistent identifiers such as government-issued IDs, IP addresses, cookie IDs, advertising IDs, precise location data, etc. We have implemented administrative, technical, and physical safeguards to maintain consumer privacy by segregating information that directly identifies an individual from machine or pseudonymous identifiers.

2. What is the legal basis for transferring data collected in Europe to the United States and elsewhere?

Neustar has certified its adherence to the US/EU Privacy Shield framework, which serves as an adequacy determination under EU data protection law. (We’ve also certified our compliance under the US/Swiss Privacy Shield framework.) TrustArc, an approved provider, reviews and certifies our compliance and also provides independent dispute resolution services. TrustArc has also certified Neustar’s compliance with the European Digital Advertising Alliance code (www.youronlinechoices.eu). We have entered into appropriate Data Protection Agreements, including GDPR-required provisions and Model Controller-Processor clauses, with our affiliates and subprocessors, and Neustar will execute EU-approved Model Clauses and Data Protection Addenda.

3. How does Neustar comply with the GDPR principles, including lawful, fair and transparent processing, purpose limitation, collection minimization, accuracy, storage limitation, integrity and confidentiality, and accountability?

Neustar adopted Privacy by Design principles in 2012 and has always complied with Fair Information Practice Principles (FIPPs). To ensure compliance with GDPR requirements, we have conducted an enterprise-wide Business Impact Analysis and are currently reviewing and updating all of our Privacy Impact Assessments (PIAs) and creating Data Protection Impact Assessments (DPIAs) as required. Our personal data processing practices are described in our online privacy statement here. We describe the choices available to data subjects on our website here, and include links to additional information and tools offered by the Network Advertising Initiative (NAI), the Digital Advertising Alliance (DAA), and the European Digital Advertising Alliance (EDAA). We only collect personal data needed to provide our services, and process personal data only for specified or compatible purposes. Individuals may opt out of data collection for marketing analytics on our website, as well as on the NAI, DAA, and/or EDAA platforms. We pseudonymize data promptly upon collection, delete full IP addresses after 10 days, aggregate data for reporting, and promptly honor all opt-out requests. We do not process special categories of data (“sensitive data”), and we do not permit our services to be used to determine an individual's eligibility for credit, employment, housing, or for other purposes that produce legal effects or otherwise significantly affect the data subject. Neustar has adopted industry best practices such as ISO 27001 compliant data security policies and procedures.

Neustar is a member of the Network Advertising Initiative (“NAI”) and the Digital Advertising Alliance (“DAA”) and adheres to each organization's Codes and Principles. Our IDMP adheres to the European Interactive Digital Advertising Alliance's (“EDAA”) principles described at: www.youronlinechoices.eu. Neustar and its subsidiaries participate in and have certified their compliance with the EU-U.S. Privacy Shield Framework and the Swiss-U.S. Privacy Shield Framework. Neustar has received the TrustArc (TRUSTe) Privacy Seal, signifying that this privacy statement and our practices have been reviewed for compliance with the TRUSTe program and enabling individuals with an unresolved privacy or data-use concern that we have not addressed satisfactorily to contact TRUSTe directly at https://feedback-form.truste.com/watchdog/request.

All of our offerings are designed to serve the legitimate interests of our customers in understanding and enhancing the effectiveness of their advertising efforts, identifying and preventing fraud and malicious online activity, and facilitating safe and reliable user experiences without compromising fundamental privacy rights.

4. How will Neustar comply with other controller/processor obligations?

As previously indicated, Neustar adopted “Privacy by Design” principles in 2012, and since that time has implemented appropriate technical and organizational measures designed to implement data protection principles by default. As a matter of standard practice we prepare privacy impact assessments for products/services involving personal data processing, and are modifying these templates to comply with the GDPR DPIA requirements where the nature, scope, context and purposes of personal data processing are likely to result in a high risk to the rights and freedoms of natural persons. Processors in the United States have long been subject to data breach notification obligations, both to data subjects and to regulators, so we are familiar with these processes (although, with respect to the IDMP, we do not believe that any breach compromising the pseudonymized data is likely to result in a high risk to the rights and freedoms of natural persons). Over the past year Neustar has reviewed, revised, and updated our privacy and security policies to reflect the highest standards. We are accountable for processing undertaken as a data controller, and as a processor we limit our activities via contract to processing undertaken at the direction and on behalf of the data controller. Neustar is currently rolling out a new data architecture, which streamlines and automates data ingestion, inventory, security, and governance. In advance of the May enforcement date, Neustar is implementing policies and procedures to document our processing activities in accordance with Article 30 of the GDPR, and as (previously) a Safe Harbor participant and (currently) a Privacy Shield participant, we have long agreed to cooperate with EU supervisory authorities.

5. How will Neustar ensure compliance with a data subject's access, rectification, erasure and objection rights under GDPR?

Neustar honors all data subject requests to opt out of the processing of their personal data. Subject to the limitations contained in Article 11 of the GDPR, Neustar will honor access, rectification, erasure, and portability requests. Neustar does not permit use of its services for automated individual decision-making that produces legal effects or otherwise significantly affects a data subject.

We are enhancing our existing online request portal to handle these requests and will also accept emails sent to privacy@team.neustar. We will comply with the GDPR requirement to provide information without undue delay and in any event within one month of receipt of the request.

6. What about data portability and erasure requests?

Much of the data collected and maintained by Neustar as a data controller or on behalf of our customers is proprietary and/or “derived” or “inferred” data that is not subject to the GDPR’s portability requirement. Moreover, this information is of extremely limited utility to individuals, and because the processing of pseudonymized personal data for advertising analytics purposes is justified by the legitimate interests of the data controller, not outweighed by the individual’s privacy rights, we do not believe that the portability obligations apply. We are reviewing our procedures carefully to identify modifications that can be made to facilitate efficient receipt and fulfillment of data subject rights requests where they do apply.

Unlike the right to opt out of direct marketing, the right “to be forgotten” is not an absolute right under the GDPR. Organizations may continue to process data if it remains necessary for the purposes for which it was originally collected and they have a legal ground (other than consent) for processing. As indicated above, there are legitimate reasons for processing pseudonymized personal data for advertising analytics and fraud prevention that are proportionate to the privacy rights of data subjects.

7. How will Neustar ensure that it discloses information to the right person?

It is extremely important to avoid releasing personal data about one person to another. Accordingly, Neustar requires sufficient information about the individual’s identity to reasonably determine that the person making the request is the individual to whom the data relates (or someone authorized by the data subject). The amount of information depends on the nature of the data requested and the means through which the request is submitted. For example, if the requestor provides a cookie ID or places the request electronically, it may be possible to confirm that the cookies match without requesting additional information. In other cases, we will require reasonable evidence of identity. While we do have some forms of identification that we will always accept, we are always willing to work with the data subject. Neustar’s Data Opt Out Portal is being modified to address GDPR requirements.

8. Who is Neustar’s Data Protection Officer?

J. Beckwith (“Becky”) Burr is Neustar’s Deputy General Counsel and Chief Privacy Officer, and has been designated as Neustar’s Data Protection Officer for GDPR purposes. As Neustar’s Chief Privacy Officer, Becky is responsible for implementing the company’s “privacy by design” program, and ensuring that the company maintains state-of-the-art privacy and data security to protect customer and consumer information.

Becky joined Neustar in 2012 from the Washington, DC office of Wilmer Cutler Pickering Hale and Dorr, where she was a partner in the Communications, Privacy and Internet Law Practice Group and the Financial Institutions Practice Group. Her practice was both regulatory and transactional, focused on e-commerce, information technology, intellectual property licensing, and international regulation of communications and information technology. While she was in private practice, Chambers, America’s Leading Lawyers in Business (Global), and The Best Lawyers in America consistently recognized her as a leader in privacy, data security, and information technology law.

Prior to joining WilmerHale, Becky served as the Associate Administrator and Director of International Affairs at the National Telecommunications and Information Administration (NTIA), where she was responsible for the privacy and Internet governance work streams described in the Clinton Administration’s Framework for Global Electronic Commerce. She also served as an Attorney Advisor at the Federal Trade Commission from 1995 to 1997, where she participated in developing the FTC’s approach to competition, consumer protection, and privacy/data protection in the digital marketplace.


Appendix 1

Identity Data Management Platform (IDMP) & Multi-Touch Attribution (MTA)

We collect the following data elements in connection with our IDMP and MTA service:

  • Alphanumeric strings that indicate (i) the ad displayed; (ii) the user’s engagement with the ad (e.g., click on, play video, etc.); and (iii) any conversion activity. These strings are not, on their own, personal data.
  • IP addresses, which we treat as personal data, are collected. The full IP address is captured in the application logs but deleted after 10 days. A truncated version of the IP address (i.e., with the last octet dropped) and one-way hashed IP addresses are securely transmitted to the US for use in preparing customer-analytics reports.
  • The referrer URL is captured, including query-string information, to provide improved measurement insights, such as impressions per website and to track non-taggable and organic/earned media clicks for measurement and attribution. Prior to using this data, however, we use algorithms to obfuscate potential personal information (e.g., IP addresses, passwords, emails, financial or other sensitive identifiers).
  • If you are using our onboarding services (available in the UK and France only), we collect hashed email addresses from you, along with coded attribute data. In the UK and France, we also may collect hashed email addresses, mobile-ad identifiers, and/or city/metro area/provincial-level geolocation data from data partners.

Based on the processes described above, with the exception of the transitory storage of full IP addresses, we pseudonymize all potential personal data, and associate this information with alphanumeric cookie IDs. This information is then aggregated to provide information about the number of unique impressions, engagements and conversions per campaign, advertiser, site, audience or location. The aggregation process removes any cookie-level information, i.e., all potential personal data. We retain pseudonymous cookie-level data (events, hashed/truncated IP addresses, URLs) for up to 19 months, and aggregated events data for up to 18 months.
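The pseudonymization steps described in this appendix (last-octet truncation of the IP address, a one-way hash of the full IP, deletion of the full IP after 10 days, and redaction of personal information from referrer query strings) are illustrated below as an added Python example. This is not Neustar's code, and the page does not specify the actual algorithms; the example assumes HMAC-SHA256 with a per-deployment key as the one-way hash, assumes IPv6 addresses are cut back to a /48 (the page only mentions the IPv4 last octet), uses a constructed list of sensitive query-string keys, and processes constructed log records rather than real traffic.

```python
"""Pseudonymization of ad-event log records, as an added illustration.

Assumptions (not from the page): HMAC-SHA256 with a per-deployment key is the
one-way hash; IPv6 is truncated to /48; the sensitive-key list and the log
records are constructed for this example."""
import hashlib
import hmac
import ipaddress
import re
from datetime import datetime, timedelta, timezone
from urllib.parse import parse_qsl, urlencode, urlsplit, urlunsplit

# Hypothetical per-deployment secret; a real deployment would load it from a key store.
HASH_KEY = b"constructed-example-key-do-not-reuse"
FULL_IP_RETENTION = timedelta(days=10)          # page: full IP deleted after 10 days
EMAIL_RE = re.compile(r"^[^@\s]+@[^@\s]+\.[^@\s]+$")
# Constructed list of query-string keys whose values are always redacted.
SENSITIVE_KEYS = {"password", "passwd", "pwd", "token", "email", "ssn", "card", "iban"}


def truncate_ip(ip: str) -> str:
    """Drop the host part: the last octet for IPv4, everything past /48 for IPv6 (assumed)."""
    addr = ipaddress.ip_address(ip)
    if addr.version == 4:
        return ".".join(ip.split(".")[:3])          # "203.0.113.7" -> "203.0.113"
    return str(ipaddress.ip_network(f"{ip}/48", strict=False).network_address) + "/48"


def hash_ip(ip: str, key: bytes = HASH_KEY) -> str:
    """Keyed one-way hash: stable for joining events, not reversible without the key."""
    return hmac.new(key, ip.encode(), hashlib.sha256).hexdigest()


def _looks_personal(value: str) -> bool:
    """Heuristics for values that are personal data regardless of their key name."""
    if EMAIL_RE.match(value):
        return True
    try:
        ipaddress.ip_address(value)
        return True
    except ValueError:
        return False


def scrub_referrer(url: str) -> str:
    """Keep the referrer's host, path and harmless parameters; redact personal values."""
    parts = urlsplit(url)
    cleaned = []
    for key, value in parse_qsl(parts.query, keep_blank_values=True):
        if key.lower() in SENSITIVE_KEYS or _looks_personal(value):
            cleaned.append((key, "REDACTED"))
        else:
            cleaned.append((key, value))
    return urlunsplit((parts.scheme, parts.netloc, parts.path, urlencode(cleaned), ""))


def pseudonymize_event(raw: dict) -> dict:
    """Turn one raw application-log record into the cookie-level record that is retained."""
    return {
        "ts": raw["ts"],
        "cookie_id": raw["cookie_id"],
        "event": raw["event"],
        "ip_truncated": truncate_ip(raw["ip"]),
        "ip_hash": hash_ip(raw["ip"]),
        "referrer": scrub_referrer(raw["referrer"]),
        "full_ip": raw["ip"],       # transitory; removed by purge_full_ips after 10 days
    }


def purge_full_ips(records: list, now: datetime) -> list:
    """Strip the full IP from records older than the retention window."""
    cutoff = now - FULL_IP_RETENTION
    return [
        {k: v for k, v in rec.items() if not (k == "full_ip" and rec["ts"] < cutoff)}
        for rec in records
    ]


# Constructed sample log records (not real traffic).
NOW = datetime(2018, 5, 25, tzinfo=timezone.utc)
SAMPLE_LOG = [
    {"ts": NOW - timedelta(days=12), "cookie_id": "c-0001", "event": "impression",
     "ip": "203.0.113.7",
     "referrer": "https://shop.example/checkout?item=42&email=alice%40example.org&promo=SPRING"},
    {"ts": NOW - timedelta(days=1), "cookie_id": "c-0002", "event": "click",
     "ip": "2001:db8:1234:5678::9",
     "referrer": "https://news.example/article?id=7&src=198.51.100.4"},
]


def process(log: list = SAMPLE_LOG, now: datetime = NOW) -> list:
    """Pseudonymize every record, then apply the full-IP retention rule."""
    return purge_full_ips([pseudonymize_event(r) for r in log], now)


if __name__ == "__main__":
    for rec in process():
        print(rec)
```

Two design points worth noting: the hash is keyed so that a party holding only the analytics output cannot rebuild the IP-to-hash mapping by hashing the whole IPv4 space, and the referrer scrubber redacts on both the parameter name and the value's shape, because personal data often arrives under an unremarkable key such as `src` or `q`.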

Marketing Mix Modeling

Personal data is not required for the MMM service. The following aggregated data may be provided by the data exporter. Please note that these are only examples of the types of data collected and are subject to change after closer analysis and review of the customer’s business needs.

  1. Type of marketing activity – including TV, Radio, Newspaper, Out of Home, Online Display, Online Video, Paid Search, Paid Social Media, Direct Catalog, Email, In-Store Marketing, Mobile SMS, Outbound Call Center, Sponsorship Activation, Sponsorship Media, Organic Social, or other paid marketing activity
  2. Date or date range of the marketing activity
  3. Monetary amount spent on the marketing activity
  4. Location of the marketing activity when applicable — such as country, DMA, region, retail-store identifier, or other location information agreed upon by data exporter and importer
  5. Products covered by the marketing activity when applicable – such as specific product, brand, division or other product information agreed upon by data exporter and importer
  6. Measure of online marketing reach, which may include one (1) or more of the following:
    • Impressions
    • Clicks
    • Quantity
    • Circulation
    • GRPs
    • TRPs
    • Spots
    • Calls
    • Social Engagement
    • Event Activation Measure (i.e. Attendance)
    • Quantity Sent
    • Quantity Opened
  7. Additional Information to distinguish the marketing activity from others of the same type can include the following:
    • Media Subtype (Banner, Wrap, etc.)
    • Network / Site Name / Site Type / Search Engine Name / Social Platform / Station / Station Type / Publication / Publication Type / Print Type
    • Length, Daypart
    • Creative Name / Campaign Name / Subject Line
    • Language
    • Program Type / Title
    • Size / Print Page Count
    • Device Type
    • Customer Type for Direct Marketing (Customer or Prospect)
    • Sponsorship Activation may include information on the category, subcategory and activation name of the activity

Fraud, Risk & Compliance Products

At this time, Neustar does not offer its FRC products outside of the United States.