Get GDPR Compliant in 5 Steps
DOESN’T GDPR ONLY APPLY TO EUROPEANS?
The new GDPR law applies to any company currently handling personal data from individuals living in the EU. Even if you don’t directly advertise to Europeans, any personal data you have on them could result in a significant fine.
ALRIGHT, AND WHAT ARE THE CONSEQUENCES?
Significant. If your company is caught violating the GDPR, you will be fined 4% of your annual global sales or twenty million euros, whichever is the higher amount. Not only that, but you could face substantial consumer backlash and bad media coverage. Europeans care about their online privacy, and if you’re caught violating it, that doesn’t look good for the brand.
OH, OKAY, GIVE ME THE GIST OF THIS NEW LAW THEN
GDPR is intended to replace out-of-date laws so that individuals have more control over their personal data. This means that companies (including those in ad tech and publishing) are required to gain the approval of internet users for the use of their online identifiers (cookies, ad IDs).
Here, it’s important to distinguish between data controllers and data processors. A data controller is the entity that collects data from users, whereas a data processor, typically a DMP, takes that collected data and organizes it. The data controller is required to obtain consent from the user, and the data processor is required to verify that the controller it receives data from is obtaining proper consent as dictated by GDPR. If the data processor has contracted a subprocessor, the data processor must inform the data controller. Some data processors are controllers themselves, as they sometimes collect data as well. The line between controller and processor is not completely black and white.
The law essentially demands accountability and transparency in the entire ad supply chain. Here are six key points.
CLEAR, TRANSPARENT CONSENT PRACTICES AND PRIVACY POLICIES
Consent policies are required to be easy to understand, avoiding legal language the average person doesn’t easily comprehend. The request for consent must be presented to the consumer in a straightforward, easy-to-understand fashion that makes it clear they are consenting to the processing of their data. Additionally, the consumer must be able to withdraw consent at any time.
THE RIGHT OF CONSUMERS TO ACCESS THEIR PERSONAL DATA
Consumers must be able to see what data is being collected about them and for what purpose it is being used. They also have to be able to access their data electronically and be able to give that data to another company if they desire.
THE RIGHT TO BE “FORGOTTEN”
Any consumer that wishes to have their personal data deleted has the right to demand its deletion and the end of its use altogether. Both companies and third parties must delete and cease using the data if it’s in their possession, including businesses outside the EU as mentioned previously. If a consumer withdraws consent, their data must also be deleted and use of it halted.
COMPANIES MUST STRUCTURE NEW SYSTEMS AND APPROACHES WITH A PRIVACY-FIRST MENTALITY, NOT WITH PRIVACY AS AN ‘ADD-ON FEATURE’
Companies are required to structure new systems for collecting data with a privacy-first mentality. Any data that is collected, stored, and processed must be necessary to the business and its operations. Personal consumer data that is collected but inessential to your business must be better protected as well.
COMPANIES MUST ALERT CONSUMERS WITHIN 72 HOURS OF A BREACH TAKING PLACE
If a data breach has occurred that could result in “a risk for the rights and freedoms of individuals”, consumers must be alerted within 72 hours of when the breach took place. This applies both to companies collecting data and to companies processing it.
COMPANIES MUST ASSIGN A DATA PROTECTION OFFICER
Companies whose core business is to process and collect consumer data must assign a data protection officer. That DPO must be qualified for the position and report to the highest level of management.
OH GOD, WHAT DO I HAVE TO DO?
Have you considered panicking? Better yet, here are some concrete steps to take to calm those nerves and put your company on the right track.
SEEK LEGAL COUNSEL
When dealing with new legislation, a lawyer is always handy. Another option is to engage a compliance consultant to ensure you are moving in the right direction.
CONDUCT A FULL DATA MAPPING
Time to review the logs of where personal data is processed, stored, and moved. Bring a good magnifying glass.
You still have that magnifying glass? All those partnerships of yours need to be reassessed to make sure all parties are compliant with GDPR. Make sure you feed your contract writers well; they will need the energy.