1. The user is king: As a publisher, you will be required to provide adequate disclosure about data collection, and receive and pass along consent, prior to collecting any data about the users in your audience. If you haven’t kick-started this process yet, now would be the time to start. You must keep a record of such consent and provide users ability to revoke consent at any time. You must also allow users to access, correct, or completely erase all the data you keep about them.

2. Personal data refers to many things, understand what they are: Personal data refers to any information that can be used to directly or indirectly identify the user — whether personally identifiable information (PII) or not. Personal data in this context includes names, email addresses, photos, bank or purchasing details, posts on social networking websites, medical information, a computer IP address, anonymous cookie or any other digital fingerprinting.

3. European presence or not, you must be compliant: Large national and international publishers are certainly more at risk of being out of compliance. However, someone in your audience could simply be traveling in the EU when they access your content for you to be considered out of compliance. Statistically, almost all publishers have some European web traffic, and US-based companies could be subject to class action lawsuits from Europe related to GDPR. These infractions could be very costly.

4. Everyone in the advertising ecosystem has a part to play in compliance: RhythmOne is working with brands and publishers that use our products to make sure they are GDPR compliant. In addition, we are taking close steps to ensure all the publishers, brands, and partners we work with that gather data to obtain user insights, or as part of an advertising transaction, are also GDPR compliant. It is important to remember that everyone in the publishing and advertising ecosystem — any organization that collects, processes, or stores personal data — will be held responsible for misuse.

5. It’s all about team effort: Lean on the industry for support. There are great resources for publishers through industry organizations such as the IAB, NAI and DAA. The technical specifications for IAB Europe’s Transparency & Consent Framework were released on April 24th, and offer critical tools to help publishers, technology vendors, agencies, and advertisers meet the transparency and user choice requirements of GDPR. We are also working with these organisations to ensure we compliant and able to support our publishers.

6. The existing EU cookie law remains in effect: While the EU’s ePrivacy Directive — known as the cookie law — will likely be reformed over the next year, the current law remains in effect. It is still unclear how cases of overlap between these laws will be enforced or how the cookie law will be reformed. The key thing to know is that according to EU regulators, GDPR’s conditions for obtaining consent apply to cookies as well as all other personal data.

7. GDPR should not be seen as a negative for publishers: Despite some uncertainty around compliance and consent, GDPR is a positive development for publishers, who are in a good position to obtain consent. It’s an opportunity for publishers and their partners to build better relationships with their audiences and understand their wants and needs more than they perhaps had before.

8. Failure to comply could put you out of pocket: Fines for violating GDPR can run up to 20 million euros or 4% of your company’s global revenue, whichever is higher. And the risk to your business doesn’t stop there. Advertisers may withhold campaigns if you are not in compliance, or you may lose other partners who want to avert putting themselves at risk.