← Return to Blog

Not another GDPR update…

So there are only 169 days until the 25th May 2018, also known as the date the General Data Protection Regulation (GDPR) framework comes into effect.

There is still much we don’t know, and as a result, there is a lot of speculation on how this will impact us all. What we do know is that it cannot be ignored, as it will impact all ‘controllers’ and ‘processors’ of personal data, including online identifiers such as IPs, and sensitive personal data. Not even the UK’s decision to leave the EU will affect the commencement of the GDPR.

Therefore, rather than join the speculators, we thought we would update you on the approach and changes Google is making to be ready for GDPR, learned from the “Google Cloud and GDPR – Staying in the Know” event last month. It is an ongoing project for them to be ready, with many questions still to be answered. However, they are changes that will likely have an impact on most advertisers.

They kicked off the event by sharing a checklist for marketing departments: have you asked yourself these questions?

User Transparency and Controls

Providing transparency to end users: how do you currently let your customers opt out?


Getting consent from end users: have you read your recent consent permissions? Are they aligned to how you are using the data currently (internally and externally)?


Systems and Databases

These have to be secure: do you currently record consent at a record level?



Documentation of your data processes: have you documented your process as the Data Protection Act (DPA) will want to see it if investigated?

Google also ran through how they are getting GDPR ready, and how that may impact their ad and measurement platforms. Prior to getting into that, one helpful definition is to understand the difference between ‘controllers’ and ‘processors’.

  • “Data controller” means a person who, either alone or jointly or in common with other persons, determines the purposes for which and the manner in which any personal data are, or are to be processed.
  • “Data processor”, in relation to personal data, means any person, other than an employee of the data controller, who processes the data on behalf of the data controller.

Therefore, you can see that some of the Google products are both controllers and processers, making this more complex.

What are some headlines on what Google is doing?

Increasing transparency:

  • Improving the ‘My Account’ page, and the ‘My Activity’ area
  • ‘Why This Ad’ link that you see in all Google ads (including search). This shows you the criteria you were targeted by for any given ad
  • google.com is a new site that explains how Google uses your data as a consumer

New product guidelines:

Both Google Analytics and DoubleClick are yet to publish the new guidelines at a product level.

However, in the Q&A, there could be changes in keeping data and data deletion.

Regarding DoubleClick, there were many questions surrounding what we can do with the data after 60 days when it expires in DoubleClick. The answer was that it will probably not be possible to target using that data, although it can be stored as long as it has been collected in a complicit way.

If data is stored on a Google ‘processer’ platform, it is not Google’s responsibility that it was collected with the right consent. For example, first party lists e.g. Customer Match, the point of collection of this data; the ‘controller’ would need to have documentation showing compliance. Article 46 of GDPR covers the use of moving data internationally, which should make this an easier process in and out of the EU.

You can visit privacy.google.com/businesses/ for queries you may have on your business data.

3rd party Audiences

Where 3rd party data is used for audiences, then the 3rd party will need to be compliant not the user. So if using Google Audiences (similar, in market), then Google will ensure compliance