“All of the below answers apply to Fospha’s core MTA product. Any bespoke additional services (e.g. offline attribution projects) would need to go through a Data Protection Impact Assessment on a case-by-case basis."

" Fospha’s core product contains PII in the form of cookie information.

We believe that our storage and processing of PII will not be affected by the implementation of the GDPR. Our data is not used for outreach, therefore our product doesn’t infringe upon the rights of the data subject. We feel that we are able to process the data on a legitimate interest lawful basis. Despite this, to ensure we are compliant we have adapted our tag to wait until consent is received before sending data back to our servers for processing. This is a configuration that can be switched on or off. This mechanism can be deployed by itself with its own consent dialogue, or can receive a consent flag/value passed to us from your own (or third party) consent console implemented on your site.

We would recommend reviewing and updating as appropriate your privacy notice to reflect the changes of the GDPR.

In terms of data retention, it’s down to the client as data controller to decide and arrange the retention period based on your business cycle and measurement lookback period. Fospha can advise on this on a client by client basis.”