A little reading for the weekend.  Unless you’ve been partying on a yacht somewhere in the south of France this week, you’ve probably seen the report published by the Information Commissioner’s Office into adtech and real time bidding.  If you’re still too blurry-eyed to read the report, we’ve extracted some of the key “i-lights” from the report, not in any particular order:

“Thousands of organisations are processing billions of bid requests in the UK each week with (at best) inconsistent application of adequate technical and organisational measures to secure the data in transit and at rest, and with little or no consideration as to the requirements of data protection law about international transfers of personal data.”

“Transparency issues also exist for the ecosystem itself, given the opaque nature of the data supply chain.

For some market participants, these were at best not fully understood or at worst ignored.

“Data supply chain: In many cases there is a reliance on contractual agreements to protect how bid request data is shared, secured and deleted. This does not seem appropriate given the type of personal data sharing and the number of intermediaries involved.”

Invisible Processing
“…’Invisible processing’ is an activity that carries inherent risk to rights and freedoms as it takes place with no or minimal user awareness. The ICO’s Article 35(4) list provides the following definition: ‘Processing of personal data that has not been obtained direct from the data subject in circumstances where the controller considers that compliance with Article 14 would prove impossible or involve disproportionate effort (as provided by Article 14(5)(b).’ Our list clarifies that processing operations of this sort, combined with any of the criteria from the EDPB guidelines, require a DPIA. Similar examples appear on a number of the Article 35(4) lists prepared by other European data protection authorities”.

“What we found was an industry that understood it needed to make improvements to comply with the law.”

Europe global vendor list comprises over 450 organisations, each with their own privacy policy. Some of these will be in non-EU jurisdictions, meaning that international transfers of personal data are taking place.”

If you’re an investor of a company that is involved in the collection, processing, storage or trading of personal data as defined within the GDPR/DPA 18 then you may want to review whether your investment could survive a financial penalty – or even survive being instructed by the ICO to stop collecting and processing personal data, or if you’re thinking of acquiring a company that collects, processes, stores or trades in personal information, you may want to ensure that the appropriate due diligence has been carried out to ensure that you don’t end up paying more in the long run (see our blog post about M&A here: https://deslyon.com/2019/05/16/mergers-acquisitions-a-private-matter/).


It appears that with the decision to carry out an Industry Sweep, the ICO states: “Following continued engagement to obtain more information, we may undertake a further industry review in six months’ time.”  It is with almost certainty that the ICO won’t be brushing these issues under the carpet.

If you’re not familiar with the corrective powers bestowed upon the ICO, you may want to cast those blurry eyes over article 58(2) (d) and (f) in particular.

 All eyes really will be focused on the industry to see how it cleans up its act, which “Cannes” only be a good thing.  Chin-Chin!

(the full ICO report is available here: https://ico.org.uk/media/about-the-ico/documents/2615156/adtech-real-time-bidding-report-201906.pdf)

Share this post on: