How to sell your data in a post-GDPR world

When it comes to selling app user data, mobile publishers often raise a brow wondering, “Is my customer data safe?” Well, thanks to the new EU General Data Protection Regulation (GDPR), any business that fails to protect its consumer data will be slapped with a hefty, eye-watering penalty. But there’s no need to panic about trading your precious app user data if you and all your vendors are compliant. Here’s a review of the regulation and how to keep your data in safe hands.


New technology, new rules


Data privacy laws were around decades before we could unlock phones with our faces and find love with our thumbs. But now that there are a zillion more data points, the GDPR replaces an earlier regulation, the Data Protection Directive 95/46/EC. The update is meant to harmonize data privacy laws across Europe, to protect and empower all EU citizens (stiffly referred to in the document as “data subjects*”) with data privacy, and to improve the way organizations approach the touchy subject.


*If you're new to the industry but are too shy to raise your hand and ask someone, we've provided a layman's explanation of bolded terms at the bottom of the article.


While there are varying levels of fines, the highest penalty for failing to comply can reach up to €20 million or 4% of your annual revenue (whichever is higher). Let’s take a quick glance at some of the new changes (you can read the regulation in full here):


  • The right to access: Personal data should be easy to access, free of charge and in electronic format
  • The right to erasure: Users should be able to remove their data from a database
  • Data portability: The data should be in a machine-readable format so it can be transferred to someone else
  • Privacy by design: Projects, processes, products or systems need to be designed with privacy in mind
  • Breach notification: Companies have a 72-hour report window to inform their customers of security breaches


How to win in the post-GDPR world


Let’s say you’re on the phone with a representative at a data management platform (DMP) who wants to buy your data. You should have smart questions up your sleeve. Fortunately, being GDPR-compliant is a bit like being a vegan or doing cross-fit: it’s the first thing someone will say about themselves when they meet you. But then you’ll have to dig deeper to find out exactly how compliant they really are. Consider asking the following questions when speaking to your DMP.




Seek the purpose


Ask your potential partner what types of campaigns the data points will be used for. If your buyer is reluctant to tell you the advertisement purpose, then be skeptical. Not all data is bought and sold equally and ethically.


For example, life insurance companies make money based on their knowledge of someone’s personal medical details. If an underwriter received data that contained diagnosed medical conditions, lab test results, history of alcoholism, driving records, or a passion for jumping over 20-meter-wide fire pits on a motorbike, then that client might unfairly receive a high premium or be denied coverage. This is exactly what the GDPR was created for: to ensure that people don’t get discriminated against based on their data. Ask your DMP if they have self-regulated exclusions of verticals or campaign types in their contracts. If yes, have them show you the actual clause in their contract. If no, you might want to work with another partner.


Know the location


Is the DMP’s entire system designed to be GDPR compliant? That’s what “Privacy by Design” means in the GDPR list above. Ask the representative how the data is stored. Is it in an insecure public cloud, in a safe public cloud like Amazon Web Services (AWS), or on a private server?


If the partner keeps sensitive information on servers located in countries with tough consumer data privacy regulations, like Switzerland or Germany, it is tougher for third parties such as governments to get their hands on the data. The GDPR only applies to companies that have EU citizen data. Countries where the government is free to interfere with personal data should be avoided; we’ll leave it up to you to guess which ones.


Ask about accessibility


In select cases, according to the new regulations, users will have ‘The Right to Erasure’. While it sounds like an uncreative Harry Potter spell, The Right to Erasure means users should be able to request that their information be removed or that their data stops being processed.


Your data partners should be able to either immediately access and remove the customer’s data or contact all third parties and stop them from processing the data. While the ability to trace every single customer is limited by technological capabilities, it’s important to ask if your vendor actually knows where the data is going and what routes it takes to get there.




Challenging your DMP or other data partner is the first step towards having a new revenue stream that is both safe and profitable. The GDPR is nothing to fear, and is actually a great step towards giving the world better quality data. To get a more granular understanding of how compliant your partner is, ask these additional questions:


  • Do they have a designated data privacy officer internally? Who is it?
  • Has the DMP successfully completed any audits or certificates? (Be critical of the quality of the certificates!)
  • When was the last update to their data privacy policy?
  • Where is their data privacy policy? Ask to see a copy.
  • How do they make sure that data from minorities or minors is not being targeted?


At the end of the day, choose a partner that can provide you with knowledge, skills and support in using data safely.






Mobile publisher: Traditionally, magazine and newspaper ‘publishers’ such as the New York Times sell advertisements to keep themselves in business. Eyes have since moved away from print and swiftly shifted to apps, and apps themselves have become prime real estate for selling ads. Mobile web developers or any entity that makes money off of apps through advertising are still considered mobile publishers. As pop-up ads become more and more irritating, mobile publishers would rather sell anonymous user data with the user’s positions.


Data subjects: According to the Information Commissioner's Office (ICO), a data subject means an individual who is the subject of personal data. In other words, the data subject is the person whom the particular personal data is about. Pretty much everyone is a data subject unless they have died or can’t be identified or distinguished from others.

Written by Jane Leung.