GDPR: The ultimate resource guide for publishers

With GDPR only a matter of weeks away, the need for publishers to get legally compliant is becoming more urgent than ever. However, on certain issues there is confusion surrounding GDPR and its various ramifications.

In order to cut through the noise and provide clarity to publishers, WNIP has compiled what we believe to be the definitive GDPR Publishers’ Resource.

This will act as a ‘live’ feed and will be updated on an ongoing basis. Scroll beneath the Latest News feed for our comprehensive list of GDPR Resources.

Latest News

April 24th: Google CEO tells investors not to worry about Europe’s upcoming privacy rules

At a glance: When asked whether the new GDPR rules would impact advertisers’ targeting abilities, Google CEO Sundar Pichai emphasized that Google still makes most of its money from search advertising, where the effect of personalization is minimal. However, Pichai’s answer skips over the other 20 percent of its advertising revenue, which comes from its Network Members’ properties.

April 24th: Tech firms could face new EU regulations over fake news and data mining

At a glance: EU security commissioner says new regulations may have to be brought in if tech firms fail to tackle issues voluntarily. The code would include a pledge for greater transparency, including algorithm transparency. Not surprisingly, the proposed regulations have been criticised for undermining freedom of expression.

April 23rdEurope’s new privacy rules are no silver bullet

At a glance: EU national watchdogs still face an uphill struggle to come to grips with their expanded regulatory role at a time when most of their budgets are still relatively small and they remained understaffed. According to Politico, Europe’s expanded privacy standards also will do little to stop companies from harvesting personal data.

April 23rdNine top GDPR tips for email marketing

At a glance: IT Pro’s must-read article underscores the need for marketers ‘not to panic’ and not ‘to try and re-obtain consent from their lists for life-long messaging’. According to Skip Fidura, Dotmailer client service director and non-executive director at the Digital Marketing Association, this is an unnecessary effort. 

April 20th: Global brands commit to go beyond GDPR compliance

At a glance: The World Federation of Advertisers – which represents the likes of Unilever, Mars, Shell and Danone – is launching an initiative to create a data ecosystem that properly respects consumer choices and their right to control their own data and goes way beyond the requirements of GDPR.

April 20th: Facebook moves 1.5bn users out of reach of new European privacy law

At a glance: Facebook has moved more than 1.5 billion users out of reach of European privacy law, despite a promise from Mark Zuckerberg to apply the “spirit” of the legislation globally. Facebook will continue to book revenue through Facebook’s Irish office, but for privacy protections, users will deal with the company’s headquarters in California.

April 20th: The GDPR is spooking location-targeting companies

At a glance: Advertisers want to use location data in ad targeting, but they’re finding the coming enforcement of the General Data Protection Regulation is throwing a wrench in those plans. Some ad exchanges, for example, are reducing and redacting the information made available via their logs, according to some ad tech executives speaking to Digiday.

April 19thData experts on Facebook’s GDPR changes: Expect lawsuits

At a glance: An article in TechCrunch concludes that Facebook is ‘seeking consent from users in a way that’s not fair because it’s manipulative (which) means consent is not being freely given. Under GDPR, it won’t be consent at all.’ The piece emphasises why it’s important to comply with the spirit of GDPR, not just the technicalities.

April 18th: The GDPR is coming and will change Facebook ad targeting

At a glance: Facebook will no longer be able to process news feed posts for ad-targeting purposes, unless those posts are marked “public” or “friends of friends” because they tend to include what the GDPR defines as “special categories of data,” according to sources. Ethnicity, religious beliefs, political affiliation and sexual orientation are the kinds of data defined as special categories.

April 18thReport: Only 34% of Websites in the EU are Ready for GDPR

At a glance: vpnMentor ran a test of over 2,500 websites in the EU that will need to follow the new GDPR regulations and found that as little as 34% of websites are currently compliant. Most of the websites they checked either had old privacy policies, and in some cases no privacy policy at all.

April 17thFirst WhatsApp update since Facebook privacy scandal will make a huge change to your messaging

At a glance: According to a report on WABetaInfo , the latest version of WhatsApp for Android (2.8.113) will allow users to redownload older media files from the company’s servers. But it only seems to go back so far – beyond that users will be given a message asking the sender to re-send the media in question. According to Ian Woolley of Ensighten, “If WhatsApp, with the backing of Facebook, can’t easily provide access to a user’s historical content what can we expect of companies when it comes to even more complicated user consent compliance?”

April 17th: WTF is the CONSENT Act?

At a glance: Meanwhile, waiting in the wings in the U.S. is the Consent Act which has many parallels with GDPR. Its chances of making it through Congress are rated as ‘slim’ but following the Facebook uproar there may be renewed appetite among U.S. lawmakers for this to be ratified into legislation.

April 16thDenham confirms GDPR hotline gets 500 calls a day

At a glance: If you need to call the regulator’s hotline (0303 123 1113 UK | +44 1625 545 700 RoW) don’t leave it too late. They are already getting 500 calls a day, with a wait time of half an hour.

April 16thProg IO San Francisco: What Will Be The Fate Of Third-Party Data After GDPR?

At a glance: The spirit of GDPR is clear, but what that means practically is still unclear according to some participants at last week’s AdExchanger Programmatic I/O in San Francisco. A key event takeaway is that third party data hasn’t been killed stone dead, rather, “the data will just have to get cleaner out of necessity.”

April 16thGoogle’s GDPR approach raises publisher concerns

At a glance: Further fallout from last week’s announcement that Google intends to become a controller of all the data on a publisher’s site. Not for the first time, publishers are viewing the move as “a commercial agenda that whilst wrapped up in a GDPR and privacy-language narrative, looks very much like large vendors seeking to steal ground.”

April 13thGoogle to publishers on GDPR: “Take it or leave it”

At a glance: Google’s proposed GDPR terms claim that it will be a “controller” of all the data on a publisher’s site (not just what they need to serve the ad). By declaring itself a controller over all the data on a publisher’s site, Google is asserting independent control of a publisher’s audience data. This is, essentially, a massive land grab by the already-dominant Google.

April 12th: What Does the EU’s GDPR mean for Blockchain?

At a glance: Publishers looking to make a foray into Blockchain could do worse than heed this warning from Washington DC think tank Coin Center, who say that blockchain technology may be ‘fundamentally incompatible with Europe’s new privacy laws’.

April 11thGDPR: UK watchdog promises ‘proportionate and pragmatic’ enforcement

At a glance: On Monday, the ICO’s Elizabeth Denham said she plans to stick with the ICO’s existing approach to enforcement when the GDPR begins to apply. She describes enforcement as “a last resort” and that “hefty fines will be reserved for those organisations that persistently, deliberately or negligently flout the law.”

April 10th: UK publishers are banding together to get clarity on GroupM’s GDPR policy

At a glance: Some publishers have concerns about what they regard as ambiguous terms in GroupM’s Data Protection Addendum, plus the agency group’s warning that it would likely cease trading with them if they didn’t sign the contract. A meeting has been organised in tandem with the AOP.

April 9th: Publishers Haven’t Realized Just How Big a Deal GDPR is

At a glance: In this outstanding missive, the author writes about GDPR as a concept in relation to media trends, and considers what this means for publishers’ editorial strategies. Spoiler alert: it’s big.

April 9th: A Tough Task for Facebook: European-Type Privacy for All

At a glance: Facebook has just promised to offer its users worldwide the same privacy controls as required under GDPR. To do this, it would need to provide its users with all the data that it has collected or created about them, including any categories, descriptions or assigned behaviour scores.

April 4th: DMA demands answers over threat to third-party data

At a glance: The DMA is calling on the Information Commissioner’s Office to provide urgent guidance on how third-party data will be affected by GDPR, amid growing concerns that the industry could be caught in the cross-fire from the ongoing Cambridge Analytica data scandal. The DMA says the ICO has published “very little guidance for marketers as to how they can buy, share and use third-party data under GDPR” and insists it is crucial that the regulator “addresses the concerns of the industry”.

April 3rd: Apple rolls out privacy features ahead of GDPR

At a glance: Apple will roll out four privacy management tools that will provide users the ability to obtain a copy of their data, request a correction of data and deactivate account or delete the account. The tools, which will be available on the Apple ID account page, will be introduced in the EU in May and later rolled out globally.

Ian Woolley, Chief Revenue Officer at Ensighten comments, “Tim Cook, CEO of Apple, stands out for his unequivocal commitment and advocacy of consumer privacy. Trusted brands, such as Apple, will be rewarded with greater levels of opt-in consent, which will enable them to further develop consumer insights and customised experiences. In contrast, brands with questionable, historical data practices will see low rates of opt-in consent, which will increase their customer acquisition costs. 

“In the new GDPR world it’s critically important for brands and publishers to understand that consumer trust is the new currency. Trust is built by design from the ground up, which includes how data is collected and shared within brands’ underlying website technologies, long before consent is ever granted.”


Information Commissioner’s Office

A general must-read is the Information Commissioner’s Office Guide to the General Data Protection Regulation (GDPR). This is a good foundation and essential reading for anyone looking into GDPR. Unlike what you’d expect from a Government body, the guidance is concise and clear.

What we particularly like is its ‘At a Glance’ overviews covering The Right To Be Informed; Consent; and Legal Obligation.

The Guide also covers GDPR for Children, an absolute must-read for publishers holding data on children.

GDPR for Publishers: The Lawyer’s View

With ambiguity and confusion surrounding certain elements of GDPR, WNIP met with one of the world’s leading legal authorities on the subject, Gabriel Voisin, a partner with Bird & Bird LLP in the City of London.

Armed with a bevy of topics from publishers both large and small, Gabriel answers questions such as, “What is an adequate consent approach?”; “How do I know that my partners are GDPR compliant?”; “How do I, as a publisher, respect the data subject rights?” and many more besides….a 30 minute must-listen.

GDPR for Marketers: The Essentials

Written in conjunction with ISBA and the Data Protection Network, the Direct Marketing Association’s ‘GDPR for Marketers; The essentials’ is, well, essential.

A concise and clear overview, the 30 page tome ends with the uplifting conclusion that whilst GDPR ‘can be seen as a hindrance for marketing activities, a closer examination of the regulation reveals that it gives marketers an opportunity to build more transparent and meaningful relationships with their customers’.

ISBA’s Insight event held in Edinburgh in 2017 with Marta Dunphy-Moriel, Associate at Fieldfisher also provides a clear basic overview of GDPR and the responsibilities it entails.

Checklists for Publishers

The ICO has (helpfully) created self-assessment checklists for both data controllers and data processors which are perfect for independent publishers lacking the resource to hire a dedicated data controller. The Government body has also written a more in-depth checklist which offers a 12-step roadmap to compliance. The latter is an excellent roadmap and guide.


For authoritative information on consent, read the Article 29 Working Party (WP29) guidance. This a legal document, written by lawyers for lawyers – if you don’t have five hours to spare, the ICO’s overview on consent is our preferred reading material. Five minutes, if that.

Revealed: the best time to send GDPR consent emails

In short, avoid the morning! According to SmartFocus, emails sent earlier in the day are more likely to be seen as an intrusion, as recipients are busy at work and going about their day. Consequently, emails sent at night will be seen in a much more positive light.

SmartFocus chief marketing officer Sarah Taylor says: “Knowing when to contact your audience with a request for information or consent can make the difference between success and failure.”

Privacy notices

Yep, the ICO has that covered with this checklist – it will take you through everything you need to be able to write accurate, legally compliant privacy notices.


There is a lot of scaremongering right now. You’ve heard the potential fines I’m sure: 4% of a company’s global turnover or €20 million. That’s enough to sink any publishing ship. However, the Information Commissioner Elizabeth Denham has spoken out about this in the ICO’s blog and tried to allay people’s fears. Yes, the potential fines are onerous but Denham stresses that, “this law is not about fines. It’s about putting the consumer and citizen first. We can’t lose sight of that.”

Crucially she adds, “It’s scaremongering to suggest that we’ll be making early examples of organisations for minor infringements or that maximum fines will become the norm.”

But what about Brexit?

Because the UK government only triggered Article 50 in March 2017, which sets in motion the act of leaving the EU within a two-year timeframe, the UK must still comply. In fact, a recent Data Protection Bill, published by the UK government in August 2017, essentially mirrors the requirements of GDPR into UK legislation (meaning those compliant with GDPR should be compliant with the new UK data protection law and vice versa).

Don’t Panic Mr Mainwaring

Perhaps the final word, at this juncture at least, should go to Bird & Bird LLP’s Gabriel Voisin who when asked what single piece of advice he’d give publishers over GDPR, responded, “Don’t panic and just stay calm.”

We’d also recommend this article from Econsultancy entitled, GDPR: Why the opportunities far outweigh the costs’. As the author concludes, “These rules are going to ensure that your organisation is providing a more secure, trustworthy service.” He also adds, “More importantly these changes are going to be enforced worldwide. This means GDPR is not (only) a European issue.”