GDPR

What is GDPR?

GDPR (General Data Protection Regulation) – is the all-encompassing Data Protection Regulation designed to harmonise rules across the EU. It applies to the UK whilst it remains part of the EU and will still apply in substance as Data Protection rules are aligned to fit with the EU post Brexit.

Does it impact non-EU scenarios?

GDPR aims to protect EU citizens and so if your business is collecting or processing data from EU citizens then the rules apply.

When does GDPR come into force?

GDPR will be enforceable as of 25 May 2018. As of that point businesses, institutions and other bodies that are regulated will need to be compliant.

Are there penalties for non-compliance?

Fines have been drastically increased from current data protection rules. Fines can be up to 4% of global turnover, or €20,000,000.

What are the key changes in the rules?

For a fuller view you should consult your national regulator or body that deals with data protection rules. The following are some of the key changes:

  • Data Subjects (consumers) obtain more rights over their personal data such as the right to be forgotten, right to data portability and right to object to how their data is processed
  • Data Processors have more defined obligations in respect of security, protecting data and meeting the rights of the data subject.
  • The scope of personal data is much broader meaning a lot more data may be defined as personal. This can include online identifiers used in adtech contexts such as IP addresses, cookie identifiers and Device IDs
  • Greater accountability and fines for Data Processors and Controllers
  • Breach notification rules change meaning there are specific rules and processes for reporting personal data breaches to the regulator.
  • Refinement of the rules around the legal basis for processing personal data. “Unambiguous Consent” will be required for some types of data processing carried out within the digital advertising context.

What are the legal basis for processing personal data?

There are 6 legal bases for processing personal data although not all of them will be applicable to online advertising. The full list is here (https://ico.org.uk/for-organisations/guide-to-the-general-data-protection-regulation-gdpr/lawful-basis-for-processing/) . The key ones for the online advertising industry are:

  • Contract – where permission is granted by the Data Subject under an agreement/contract
  • Legitimate Interest – for this to apply a “balancing test” must be carried out to consider whether
    • individuals would reasonably expect their data to be processed
    • the processing that is undertaken is strictly necessary for the purpose in question
    • the processing is justified when balanced against the rights of the Data Subject
  • Consent – where the Data Subject has given clear, informed consent to process their data. The Data Subject must also be able to revoke consent.

Does online Advertising always need Consent to establish the legal basis for processing personal data?

Whilst consent may be required under GDPR, it depends on the context, nature of the data and the nature of data processing undertaken. Whilst legal advice should always be taken consent is not necessary so long as there is an alternative legal basis – such as Legitimate Interest or Contract.

In parallel to GDPR businesses also need to consider the ePrivacy Directive (cookie laws) which require consent for the use of many cookies. Whilst there remains uncertainty due to the hitherto incomplete regulatory process and lack of guidance the new GDPR rules may mean that the cookie laws become stricter and require unambiguous consent for the use of cookies.

Optimise’s position

Having assessed the regulations and followed associated guidance and commentary we believe that for our Affiliate Marketing and Rewards business we operate as a Data Processor. Any processing of personal data that we undertake is specifically to fulfil an agreed service for our Publishers and our Advertisers. Both Publishers and Advertisers own the relationship with their users and customers and effectively operate as Data Controllers.

The rules state that Data Controllers define the legal basis for processing personal data and not their Data Processors. The legal basis will vary from case to case depending on the overall relationship context with the data subject. Where Consent is considered necessary Optimise will take steps to ensure that its processing activities account for this. We are currently in the process of assessing the IAB Europe Consent Framework which we anticipate will become an important mechanism for Publishers and Advertisers to provide Optimise with a reliable signal to indicate whether or not Consent has been given. There will also be alternative mechanisms for this. Where we are notified that Consent has not been given then we will not process personal data.

See further information here regarding the IAB Europe Consent Framework www.advertisingconsent.eu

What is Optimise doing to prepare for GDPR?

Data protection and information security has always been extremely important to us and our systems and processes reflect this. Due to GDPR we have conducted a full review of our processing of personal data and we have taken a number of steps including:

  • Minimising our processing of personal data wherever possible- Adapting our technology to “treat” personal data accordingly with encryption, anonymisation and appropriate retention rules.
  • Ensuring that our tracking technology is flexible to mitigate and minimise the processing of personal data where needed and wherever this can be achieved
  • Ensuring that our staff and processes are updated
  • Implementing contracts with partners and suppliers to firm up responsibilities and accountabilities
  • Appointing a Data Protection Officer within the business.

Next steps

Our plan is to ensure that our preparations are all in place for May 25th 2018. Some key steps will include:

  • Understanding and integrating with the IAB Europe Consent framework so that we have a plausible means for accepting consent signals from our publishers and advertisers as and when necessary
  • Updating our Data Protection Agreements to clarify our activities as a Data Processor on behalf of Advertisers and Processors (Data Controllers)
  • Keeping up to date with regulatory and industry guidance as it becomes clearer. We may need to adjust our approach as things become more transparent

Resources

We anticipate that most of our Publisher partners and Advertisers will be well acquainted with guidance sources. We have found the following most helpful: