One of the main reasons that the ad-tech industry is currently in the regulatory spotlight is due to – what the Information Commissioner’s Office has called – a “significant lack of transparency due to the nature of the supply chain and the role different actors play”.

To improve transparency in the digital advertising supply chain, the Interactive Advertising Bureau (IAB) Europe has created an interactive Supply Chain Transparency Guide (the “Guide”), which is now in its fourth iteration.

The Guide provides questions for each stakeholder category (i.e. publishers / media owners; sell side platforms; data management platforms or data providers; demand side platforms; advertisers / agencies) to ask at different stages of the supply chain in relation to data, cost and inventory source.

We have extracted below some of the key data-related questions from the Guide, which can help with understanding and mapping the data flows involved in digital advertising and assessing data protection compliance within the supply chain:

• Under which legal bases are you storing cookies and processing data under the GDPR and national data protection / e-privacy legislation?
• Are you reading IAB Europe Transparency and Consent Framework signals and managing the data according to the consent and purpose given by the user?
• Can you demonstrate the consent mechanism used and does it meet your data collection requirement? Do you have a consent management platform in place?
• How do you handle opt-outs? How quickly are these processed?
• Has the sharing of this data been disclosed to the end-user?
• How has offline data been on-boarded to online?
• How will the data be used?
• Will the data be matched to other data and, if so, how?
• Will the data be shared with additional parties?
• How long will the data be retained?
• How was the data collected and the audience profiled (if relevant)?
• Is the data declared (i.e. given by the user), observed (i.e. based on user behaviour) or modelled (i.e. extrapolated from declared or observed data)?
• Is the data pseudonymous or anonymous?
• Is this first, second or third-party data? Where has third party data been sourced from?
• How old is the data?
• How often is the data updated?
• Is the data modelled and, if so, what modelling has been applied?
• Can the data be applied cross-device?
• What IDs are present in the data?

Of course the relevance of these questions in practice will depend on the specific circumstances, the parties involved, what data is being shared and for what purposes. However, they are a helpful starting point when preparing compliance documents (such as records of processing, data protection impact assessments, legitimate interests assessments and privacy notices) and assessing the relationships between the parties to put in place appropriate contractual provisions.