What Is GDPR?
The GDPR establishes new requirements on companies that collect, use, and share data about EU citizens. As of May 25, 2018, all companies handling data of EU citizens must adhere to these new data privacy and security measures, regardless of whether the organization is located within the EU or not. Companies that fail to comply with these new rules could be subject to fines as high as 4% of annual global revenue.
Several key definitional changes that impact the digital advertising industry include:
- A broader definition of personal data that includes IP addresses and cookie identifiers: Article 4.1: “personal data means any information relating to an identified or identifiable natural person (‘data subject’); an identifiable natural person is one who can be identified, directly or indirectly, in particular by reference to an identifier such as a name, an identification number, location data, an online identifier or to one or more factors specific to the physical, physiological, genetic, mental, economic, cultural or social identity of that natural person”
- A higher standard for establishing valid consent: Article 4.11: “consent of the data subject means any freely given, specific, informed and unambiguous indication of the data subject’s wishes by which he or she, by a statement or by a clear affirmative action, signifies agreement to the processing of personal data relating to him or her”
- The introduction of the concepts of profiling and automated decision making: Article 4.4: “profiling means any form of automated processing of personal data consisting of the use of personal data to evaluate certain personal aspects relating to a natural person, in particular to analyse or predict aspects concerning that natural person’s performance at work, economic situation, health, personal preferences, interests, reliability, behaviour, location or movements”
Companies must provide users the ability to exercise the following rights over their personal data:
- Right of Access (Article 15): Upon request by a data subject, companies must provide information about the purposes of the processing and the categories of the data processed, among other information. If asked, companies must also provide data subjects with a copy of their personal data in a structured, commonly used and machine-readable format for a reasonable fee.
- Right to Rectification, Erasure and Restriction (Articles 16-20): Companies must allow data subjects the ability to correct inaccuracies in their personal data, withdraw consent and erase their data, and restrict the processing of their data if the accuracy of the data is challenged.
- Right to Object to Profiling and Automated Decision-Making (Articles 21-22): A data subject may object to processing of their personal data based on profiling or automated decision-making. In case of an objection, companies must cease any further processing unless the company can demonstrate legitimate grounds for processing that override the interests, rights and freedoms of the data subject.
How will GDPR affect you and your business?
If your organization collects, uses, or shares personal data of EU citizens, GDPR will likely apply, regardless of whether or not you have physical operations in Europe.
Fines for non-compliance with GDPR can be high: serious infringements can result in fines of up to €20m or 4% of your company’s global annual revenue, whichever is higher. Advertising identifiers are now explicitly within the scope of personal data, and companies that collect and use these identifiers must demonstrate a valid legal basis for doing so.
New obligations for demonstrating valid consent will require companies to go beyond existing “cookie banners”.