Awin’s global client strategy director, Kevin Edwards, claims businesses “have to decide whether they are data processor, or data controller” ahead of the GDPR (General Data Protection Regulation).
The statement is part of a blog post in which Edwards lays out the position being taken by the affiliate network in regard to legal data-handling after the May 25 update, and the implications this will have on its advertisers.
The concept of controllers and processors is “not new under the GDPR”, says Edwards, but will have vital importance, with the former facing stricter requirements over accountability.
Processor or controller?
To define these terms, a ‘processor’ is a party that handles personal data on behalf of a data controller and is subject to fewer obligations under the law; this could include storage of data on third-party servers, for example, or working with a data analytics provider.
Meanwhile, ‘controllers’ refer to those parties that control – rather than possess – personal data by determining its purpose and means of use, or the ‘why’ and ‘how’, as Edwards puts it, which can be determined by one party or jointly with others.
According to the network’s own “privacy impact assessment”, Awin categorises its handling of data into the controller position. Its advertisers chiefly determine the purpose of the network’s data use, as “they are the ones to determine whether or not to run an advertising campaign when participating”, while the network itself will generally determine the means of its use, such as to facilitate tracking.
“Therefore, we consider that in the ordinary course of our business, Awin acts as a data controller jointly with the respective advertiser,” Edwards states.
As a joint controller, the impact here for Awin and its advertisers, and what will surely be a consideration for other affiliate networks, is that it will assume the same obligations under GDPR as its advertisers: “We will have shared responsibility in safeguarding the data we use for our tracking purposes, and will be subject to the same obligations and level of accountability before data protection authorities.
“Naturally this also means that the traditional controller-processor model will not apply within our relationship and instead Awin and its advertisers will have to regulate their relationship as joint controllers,” Edwards adds.
In efforts to formalise and clarify this arrangement, Awin has introduced a template data processing agreement which defines the network’s obligations and relationship as joint controllers. This audit will include reviewing existing agreements to ensure legal and factual accuracy under the GDPR.