GDPR Update and Recommended Actions 1 year on


One year since GDPR was enacted, IAB Ireland along with colleagues from IAB Europe met with the DPC (Data Protection Commissioner) here in Dublin to update on V2 of IAB Europe’s Transparency and Consent Framework. 

Below is an update from that meeting as well as an update on the UK’s Data Protection Authority’s most recent guidance.


The DPC observed that as it is currently engaged in a number of investigations in the digital advertising industry, it will not be issuing further guidance in respect of the digital advertising industry until these investigations are completed.

In light of this, the recent meeting was very useful in terms of gaining insights into the DPC’s views as follows:

  • The DPC noted that it is concerned about Legitimate Interest. The use of LI was not ruled out but it was emphasised that processing on that basis would have to be tightly circumscribed and compliance would be analysed on a case-by-case basis. The DPC noted that the farther a vendor was from the user the harder it would be to justify processing on the basis of Legitimate Interest.
  • There was much discussion of the IAB Europe Transparency and Consent Framework, its features and functionality.  In respect of the TCF User Interface the DPC called out seeing some websites displaying on their UI 300 pre-ticked vendors, and no mass choice toggle. The DPC highlighted that this is bad practice and does not comply with GDPR.
  • The DPC considered V2 of the TCF to be quite advanced relative to V1. The DPC noted that the TCF is a roadmap to compliance but it doesn’t equate with compliance; each controller independently is responsible for complying with all aspects of the law. The DPC noted that publishers are joint controllers. They asked that IAB Europe keep the DPC up-to-date on V2 of the TCF publication/rollout.
  • The DPC recognised the economic concerns associated within our industry but they also recognised that monetary considerations cannot keep them from fulfilling their mandate. One year on from the introduction of GDPR it is clear that enforcement action will be taken if companies are not acting appropriately.
  • The DPC highlighted that Data Protection Authorities across Europe  are working much more closely post-GDPR.  There is much more collaboration, sharing of views, etc.  It is a work in progress but the general level of information flow between them is substantially higher than previously. The DPC noted that it will be paying close attention to the ICO (UK Data Protection Authority) and its guidance. With this in mind see the note below on the ICO recent report on Adtech and Real Time Bidding and the Cookie Guidance.


The ICO report on AdTech and RTB identifies two broad areas of concern in relation to RTB and people’s information rights: processing of ‘special category’ data without the appropriate consent, and data security (i.e. how personal data is controlled and protected when it is shared as part of the RTB process). It also raises concerns about industry knowledge and understanding of the relevant legislative requirements that govern processing of personal data set out in the GDPR and the Privacy and Electronic Communications Regulations (PECR), which regulate the use of cookies and similar technologies for sorting or accessing information on a user’s device.

Recommended Actions:

On foot of the report, IAB UK is advising its members to take specific action. Given that our DPC has flagged that it will be paying close attention to the actions of the ICO we would encourage our members to also note the recommendations below.

  1. Review the legal bases that you rely on for data processing, particularly any data that is subject to PECR, and ensure you understand their associated requirements. The ICO’s view is that ‘the only lawful basis for ‘business as usual’ RTB processing of personal data is consent (i.e. processing relating to the placing and reading of the cookie and the onward transfer of the bid request).’ There are limited scenarios where legitimate interest may be available but even in these cases, there are specific tests an organisation must meet in order to use it: ‘Reliance on legitimate interests for marketing activities is possible only if organisations don’t need consent under PECR and are also able to show that their use of personal data is proportionate, has a minimal privacy impact, and individuals would not be surprised or likely to object.’
  2. Read the ICO’s updated cookie guidance report and ensure that your practices are in line with it. They have reiterated some key points about the use of cookies and other similar technologies and how GDPR applies to these. This includes that implied consent is no longer acceptable, and that prior consent is required – given by a user’s ‘clear and positive action’ – for setting and using cookies is required. The exemptions that apply to cookies that are ‘strictly necessary’ do not apply to cookies used for analytics.
  3. Ensure you’ve carried out a Data Protection Impact Assessment (DPIA). Under the GDPR provisions relating to DPIAs, the ICO has published a list of types of data processing for which a DPIA is mandatory. This includes the types of processing involved in RTB, such as profiling on a large scale and tracking geolocation or behaviour.

Finally just to note in respect of the ICO’s updated cookie guidance, IAB Europe is of the opinion that this guidance takes a hard line on making access to content conditional on consent for data processing, cookie walls for online advertising appear to be prohibited.

IAB Ireland will be holding a GDPR briefing in Dublin in September for IAB Ireland Members:

GDPR Update -1 Year on

September 27th, 8am to 11am

Hosted by Facebook Dublin

Attendance is free for Members but please Register here to Attend

Please note this briefing is for IAB Ireland Members only.  Enquiries to: