As we are all aware the GDPR (General Data Protection Regulation) comes into force on 25th May 2018. Due to the importance of complying with the regulation, a number of UK affiliate companies have collaborated to ensure publishers receive clear, industry-wide guidance and a consistent message from companies they work with.
The EU General Data Protection Regulation (GDPR) is the new legal framework governing the use of personal data across all EU markets. Think of it as a new set of data laws fit for the digital age. It replaces current national data protection laws and the existing EU data protection framework. The GDPR is designed to give consumers more control of their personal information and applies identically across Europe. Regardless of the UK’s future relationship with the EU, the British Government has stated it intends to implement the legislation equally alongside EU member nations.
Given the potentially significant impact on all forms of online advertising, the industry has collaborated to create general standards and approaches. In November 2017 IAB Europe announced a technical standard for online consent, and industry stakeholders are building a consent tool which is intended to ensure GDPR and ePrivacy Directive compliance in time for the May deadline. If you choose to feature a consent solution on your website, you may be able to use free versions that are available online. A number of businesses are developing consent tools; we advise you to assess the consent solutions available online, choose one appropriate for your business, and confirm that it can be implemented in a way that complies with the regulations. In addition, the collective of businesses listed above are here to offer support.
At its heart, the GDPR aims to give people more power over how their data is used. As such, it creates some new rights for individuals, and strengthens others that already exist under the current Data Protection Act (DPA). The rights may differ based on which processing ground you will be using (consent, legitimate interest, etc.), so please make sure you understand how each of these rights affects your business. These rights include:
The right to be informed – Emphasises the need for transparency about how personal data is used by a business. This information, typically provided in a privacy notice on a website, for example, must be concise, easily accessible, free of charge and written in plain language.
The right of access – Individuals are entitled to access their personal data from businesses, free of charge (unless the request is unfounded, excessive or repetitive).
The right to rectification – People are entitled to have personal data rectified if it is incorrect.
The right to erasure – Otherwise known as ‘the right to be forgotten’: people can request to have their data deleted when it is no longer necessary.
The right to restrict processing – Similar to the DPA, people have the right to ‘block’ the processing of personal data.
The right to data portability – Individuals have the right to obtain and reuse their personal data across different services.
The right to object – People have the right to object to their data being processed in certain circumstances, including its use for direct marketing. If you process data for direct marketing:
You must stop processing someone’s data immediately, with no exceptions, if they object
Your users must be told of their right to object “at the first point of communication” as well as in your privacy notice
Their right to object must be “presented clearly and separately from other information”
Particularly likely to have implications for marketing, these rights are designed to safeguard individuals against risks relating to damaging decisions made as a result of automated processing of data. ‘Profiling’ is defined by the GDPR as automated processing to analyse or predict aspects of a person, for example personal preferences, behaviour or location – elements often used in audience generation for display campaigns. If you process personal data for profiling, there are a number of things that must be in place for GDPR compliance. For example:
You must make sure processing is transparent by providing information about the logic involved
Appropriate mathematical procedures must be used for the profiling
You must take appropriate measures to minimise and correct errors
The GDPR applies to both controllers (those who say how and why personal data is processed) and processors (those acting on the controllers’ behalf). The obligations for processors – for example, being required to maintain records of personal data and processing activities – are new under the GDPR.
The impact of the GDPR is global. The GDPR also sets restrictions on how personal data is transferred outside of the EU – either to a third country or to an international organisation. Data may only be transferred if certain criteria are met – for example, the third country or international organisation in question must offer “an adequate” level of data protection.
The GDPR makes it clear that ‘personal data’ extends beyond the obvious, such as name and address. It may also include things such as IP address, which might be used by marketers to determine a person’s location when they visit a website and tailor information accordingly, for example.
The GDPR introduces new accountability requirements, meaning that businesses must be able to show how they are GDPR-compliant through documentation of data processing activities.
As well as the legal bases for processing, there are six data protection principles set out in the GDPR that each processing activity must comply with. In simple terms, these are:
Fair and transparent – A person needs to know why and how his or her data will be used
Purpose limitation – Data can only be used for the reason it was collected
Data minimisation – No more data can be collected than necessary for its purpose
Storage limitation – If the data is no longer necessary, it must be deleted
Confidentiality and integrity – Data must be stored in a secure manner
Accountability – Compliance with the data protection principles must be provable
The GDPR sets out the need for each data processing activity to have a ‘legal basis’. This means that if you process personal data, it must be based on one of the following conditions:
Consent – The individual has given clear, informed agreement to the processing of their data
Contract – Processing a person’s data is necessary to fulfil a contract
Legitimate interest – Processing an individual’s personal data is strictly necessary for the business, for example to prevent fraud or because of a criminal investigation
Legal obligation and public interest – Processing personal data is necessary to comply with a legal obligation or to carry out a particular task in the public interest
Not only must you understand which legal basis applies to your processing of personal data, but you must also document and be able to prove this basis.
This is a difficult question to answer as every business is different. Some businesses may only need to make minor changes to their current data processing policies, whereas others might need to make more significant changes.
At a very broad level, the path to GDPR compliance can be thought of as a four-stage process:
We at Adwents take privacy and security very seriously. As such, Adwents has been working on our GDPR compliance strategy for over a year to meet as many of the requirements as possible by the enforcement date of May 25, 2018. We have identified four phases relevant to our business through which to be GDPR ready: Mapping/Templates, Strategy, Policies and Implementation. Our efforts are ongoing and will continue well beyond the GDPR enforcement date to make Adwents a leader in this space, promoting integrity, transparency and trust.
If your business doesn’t collect, use or process personal data in any way, then straight away you know that the GDPR doesn’t apply. Be sure to remember, however, that just because the GDPR isn’t applicable, this doesn’t mean that other privacy protection laws won’t have an impact. It’s also worth noting that the scope of ‘personal data’ is very broad and covers things that may not be obvious, especially if you’re unfamiliar with EU privacy law: not only names and addresses, but also identifiers such as IP addresses.
If your business collects, uses, or processes personal data and has an office in the EU, then you will be required to be GDPR compliant.
Even if you do not have an office in the EU, the GDPR will apply to your business if you offer services to anyone in the region. If you’re not sure if your business offers services to the EU, consider the following:
Do you provide your service in any European language?
Does your service use or accept any European currencies?
Do you specifically address EU customers?
If the answer is ‘yes’ to any of these questions, then it is likely that the GDPR will apply to you. Please note – this list isn’t exhaustive.
For businesses based in the UK, the decision to leave the EU has prompted questions about whether the GDPR will apply, and to what extent.
The UK government has made it clear that it intends to honour the GDPR in its ‘The Exchange and Protection of Personal Data – A Future Partnership Paper’:
All of these points demonstrate that all global businesses need to care about the GDPR, not just those based in the EU. If your business comes into contact with, or uses, data associated with anyone in the EU, it’s likely the regulations will apply.
Even if the GDPR doesn’t apply to your business, it’s important to be confident that that’s the case, rather than assuming it doesn’t apply simply based on where your business is located.