General Data Protection Regulation (GDPR)

As we are all aware, the GDPR (General Data Protection Regulation) comes into force on 25th May 2018. Because of the importance of complying with the regulation, a number of UK affiliate companies have collaborated to ensure publishers receive clear, industry-wide guidance and a consistent message from the companies they work with.

GDPR for Publishers

  • What is the GDPR?

    The EU General Data Protection Regulation (GDPR) is the new legal framework governing the use of personal data across all EU markets. Think of it as a new set of data laws fit for the digital age. It replaces current national data protection laws and the existing EU data protection framework. The GDPR is designed to give consumers more control of their personal information and applies identically across Europe. Regardless of the UK’s future relationship with the EU, the British Government has stated it intends to implement the legislation equally alongside EU member nations.

  • An Industry consent solution

    Given the potentially significant impact on all forms of online advertising, the industry has collaborated to create general standards and approaches. In November 2017 IAB Europe announced a technical standard for online consent, and industry stakeholders are building a consent tool which is intended to ensure GDPR and ePrivacy Directive compliance in time for the May deadline. If you choose to feature a consent solution on your website, you may be able to use free versions that are available online. A number of businesses are developing consent tools; we advise you to assess other possible consent solutions appropriate for your business. There are a variety of options and tools available online, and we advise that solutions be assessed to ensure they can be implemented to comply with the regulations. In addition to this, the collective of businesses listed above are here to offer support.

  • Next steps checklist for publishers

    • Publishers should assess how GDPR impacts their business and document the measures taken to comply with the rules.
    • Publishers should pay attention to ensuring transparency to consumers and decide the most appropriate legal basis for collecting and processing personal data from site visitors.
    • Publishers should assess and upgrade privacy policies and cookie notices to provide transparency and upgrade consent capture.
    • Publishers should seek their own legal advice. This communication should not be read as legal advice.
    • Publishers should refer to their individual affiliate networks and platforms for any specific guidance or requirements to comply with GDPR.
    The GDPR signifies changes that all businesses will have to make, and the impact on the industry at this stage is uncertain. However, these impacts can be mitigated with demonstrable understanding, effort and measures to comply with the rules. Whilst the deadline is 25th May 2018, it marks the start of this new age of data privacy. It is important that you understand your obligations as a business under the GDPR and make any necessary amendments to be compliant.

GDPR Key Changes

  • New and strengthened rights for individuals

    At its heart, the GDPR aims to give people more power over how their data is used. As such, it creates some new rights for individuals, and strengthens others that already exist under the current Data Protection Act (DPA). The rights may differ based on which processing ground you will be using (consent, legitimate interest, etc.), so please make sure to understand how each of these rights affects your business. These rights include:
    The right to be informed – Emphasises the need for transparency of how personal data is used by a business. This information, typically provided in a privacy notice on a website, for example, must be concise, easily accessible, free of charge and written in plain language.
    The right of access – Individuals are entitled to access their personal data from businesses, free of charge (unless the request is unfounded, excessive or repetitive).
    The right to rectification – People are entitled to have personal data rectified if it is incorrect.
    The right to erasure – Otherwise known as ‘the right to be forgotten’; people can request to have their data deleted when it is no longer necessary.
    The right to restrict processing – Similar to the DPA, people have the right to ‘block’ the processing of personal data.
    The right to data portability – Individuals have the right to obtain and reuse their personal data across different services.
    The right to object – People have the right to object to their data being processed in certain circumstances, including its use for direct marketing.
    If you process data for direct marketing:
    • You must stop processing someone’s data immediately, with no exceptions, if someone objects
    • Your users must be told of their right to object “at the first point of communication” as well as in your privacy notice
    • Their right to object must be “presented clearly and separately from other information”

  • Rights in relation to automated decision making and profiling

    Particularly likely to have implications for marketing, these rights are designed to safeguard individuals against risks relating to damaging decisions made as a result of automated processing of data. ‘Profiling’ is defined by the GDPR as automated processing to analyse or predict aspects of a person, for example personal preferences, behaviour or location – elements often used in audience generation for display campaigns. If you process personal data for profiling, there are a number of things that must be in place for GDPR compliance. For example:
    • You must make sure processing is transparent by providing information about the logic involved
    • Appropriate mathematical procedures must be used for the profiling
    • You must take appropriate measures to minimise and correct errors

  • Controllers and processors

    The GDPR applies to both controllers (those who say how and why personal data is processed) and processors (those acting on the controllers’ behalf). The obligations for processors – for example, being required to maintain records of personal data and processing activities – are new under the GDPR.

  • Territorial scope

    The impact of the GDPR is global. The GDPR also sets restrictions on how personal data is transferred outside of the EU – either to a third country or to an international organisation. Data may only be transferred if certain criteria are met – for example, the third country or international organisation in question must offer “an adequate” level of data protection.

  • Broader definition of ‘personal data’

    The GDPR makes it clear that ‘personal data’ extends beyond the obvious, such as name and address. It may also include things such as IP address, which might be used by marketers to determine a person’s location when they visit a website and tailor information accordingly, for example.

  • Increased accountability

    The GDPR introduces new accountability requirements, meaning that businesses must be able to show how they are GDPR-compliant through documentation of data processing activities.

GDPR FAQs & Key Considerations

  • What are the GDPR data protection principles?

    As well as the legal bases for processing, there are six data protection principles set out in the GDPR that each processing activity must comply with. In simple terms, these are:
    Fair and transparent – A person needs to know why and how his or her data will be used
    Purpose limitation – Data can only be used for the reason it was collected
    Data minimisation – No more data can be collected than necessary for its purpose
    Storage limitation – If the data is no longer necessary, it must be deleted
    Confidentiality and integrity – Data must be stored in a secure manner
    Accountability – Compliance with the data protection principles must be provable

  • What are the different required legal bases for processing data?

    The GDPR sets out the need for each data processing activity to have a ‘legal basis’. This means that if you process personal data, it must be based on one of the following conditions:
    Consent – The individual has given clear, informed agreement to the processing of their data
    Contract – Processing a person’s data is necessary to fulfil a contract
    Legitimate interest – Processing an individual’s personal data is strictly necessary for the business, for example to prevent fraud or because of a criminal investigation
    Legal obligation and public interest – Processing personal data is necessary to comply with a legal obligation or to carry out a particular task in the public interest
    Not only must you understand which legal basis applies to your processing of personal data, but you must also document and be able to prove this basis.

  • What do businesses need to do to be compliant?

    This is a difficult question to answer as every business is different. Some businesses may only need to make minor changes to their current data processing policies, whereas others might need to make more significant changes. At a very broad level, the path to GDPR compliance can be thought of as a four-stage process:

  • How is Adwents being GDPR compliant?

    We at Adwents take privacy and security very seriously. As such, Adwents has been working on our GDPR compliance strategy for over a year to meet as many of the requirements as possible by the enforcement date of May 25, 2018. We have identified four phases relevant to our business through which to be GDPR ready: Mapping/Templates, Strategy, Policies and Implementation. Our efforts are ongoing and will continue well beyond the GDPR enforcement date to make Adwents a leader in this space, promoting integrity, transparency and trust.

Does the GDPR Apply to Your Business?

  • Does your business collect, use or process personal data?

    If your business doesn’t collect, use or process personal data in any way, then straight away you know that the GDPR doesn’t apply. Be sure to remember, however, that just because the GDPR isn’t applicable, this doesn’t mean that other privacy protection laws won’t have an impact. It’s also worth noting that the scope of ‘personal data’ is very broad and covers things that may not be obvious. Not only does it include things like name and address, but it may also include identifiers such as IP address and other things that might not be obvious if you’re unfamiliar with EU privacy law.

  • Is an office of your business in the EU?

    If your business collects, uses, or processes personal data and has an office in the EU, then you will be required to be GDPR compliant.

  • Does your business offer services to the EU?

    Even if you do not have an office in the EU, the GDPR will apply to your business if you offer services to anyone in the region. If you’re not sure if your business offers services to the EU, consider the following:

    Do you provide your service in any European language?
    Does your service use or accept any European currencies?
    Do you specifically address EU customers?

    If the answer is ‘yes’ to any of these questions, then it is likely that the GDPR will apply to you. Please note – this list isn’t exhaustive.

  • What does Brexit mean for the UK and GDPR?

    For businesses based in the UK, the decision to leave the EU has prompted questions about whether the GDPR will apply, and to what extent.

    The UK government has made it clear that it intends to honour the GDPR in its ‘The Exchange and Protection of Personal Data – A Future Partnership Paper’:

    • The GDPR is due to come into force in May 2018 – before the UK leaves the EU
    • The UK played a “full and active part” in negotiations for the GDPR, and therefore the regulations reflect a key number of UK priorities
    • As such, the government has announced that it “will ensure that the UK’s [data protection] framework is aligned with the updated EU legal framework at the date of withdrawal” – i.e. the UK intends to honour the GDPR. Therefore, it is likely that UK businesses will need to continue to adhere to similar, if not the same, data protection regulation as the EU

  • GDPR: EU regulations, global impact

    All of these points demonstrate that all global businesses need to care about the GDPR, not just those based in the EU. If your business comes into contact with or uses data associated with anyone in the EU, it is likely the regulations will apply.
    Even if the GDPR doesn’t apply to your business, it’s important to be confident that that’s the case, rather than assuming it doesn’t apply simply based on where your business is located.