What is the GDPR?
The EU General Data Protection Regulation (GDPR) is a comprehensive privacy regulation that will replace the current Data Protection Directive 95/46/EC, with an implementation date of May 25, 2018. In April 2016, after more than four years of negotiation, the European Union approved the GDPR, with the goals of strengthening and harmonizing data protection regulation for individuals across the EU and strengthening the digital economy in the EU. The GDPR is directly applicable to member states without the need for implementing national legislation.
When does the GDPR come in effect?
The GDPR will be enforceable beginning on May 25, 2018.
To whom does the GDPR apply?
The GDPR applies to any business, whether or not it is based in the EU, that processes the personal data of EU citizens. The GDPR applies to these businesses even if the goods or services that they offer are free.
Why did regulators want a GDPR in place?
Today’s consumers are starting to realise that they need to share some of their personal data with organisations to get the service that these organisations provide, such as free website content. One of the primary objectives of the EU Commission was to give EU citizens back the control of their personal data.
In addition, the Commission wanted to simplify the regulatory environment for international business by unifying the regulation within the EU. By harmonising the data protection regulations, the intention of the GDPR is to make it easier for companies to comply with these regulations.
What changes does the GDPR introduce about the definition of personal data?
The definition of personal data under the GDPR is broad and intentionally all-encompassing. In particular, pseudonymous data is defined as a sub-category of personal data, and still triggers application of the GDPR. Pseudonymous data includes cookies and other device and online identifiers (some IP addresses, IDFA, AAID, etc.) that can be used to single out an individual, even if you do not know that individual’s specific identity (for example, even if you don’t know the individual’s name or address). Online identifiers are explicitly called out as examples of personal data under the GDPR.
Due to this broad definition of personal data, it is highly likely that data being processed in the online advertising ecosystem falls within the definition of personal data, and is regulated under the GDPR. Quantcast collaborated with the IAB Europe and other industry experts on IAB Europe’s paper on the Definition of Personal Data. We highly recommend that you review it for a deeper dive on the definition of personal data.
What obligations does the GDPR introduce in relation to the individual’s right to access and delete data about themselves?
Under the GDPR, individuals can ask for access at “reasonable intervals”, and controllers must generally respond within one month. The GDPR requires controllers and processors to be transparent about how they collect data, what they do with it, and how they process it, and to explain these things to people clearly, using plain language.
Individuals have the right to access any information a company holds on them, and the right to know why that data is being processed, how long it’s stored for, and who gets to see it.
In addition, under the GDPR, individuals have the “right to be forgotten”. Individuals have the right to have their personal data deleted “without undue delay”, at their request.
Does the proposed ePrivacy Regulation prohibit cookies?
No, the proposed ePrivacy Regulation does not prohibit cookies. The expectation across industry is that the new ePrivacy Regulation will allow individuals to consent to the setting of cookies on their computers, although the requirements around that consent will likely be different than they are under the current ePrivacy Directive. Quantcast is engaged with industry and plans to be compliant with the ePrivacy Regulation once it is finalized and comes into effect.
How can companies obtain consent for the purpose of advertising?
The GDPR introduces a new standard for consent. Where a company relies on consumer consent to process personal data, the process to obtain such consent must meet the higher standard of GDPR.
The current draft guidance from the UK ICO describes the requirements for consent under the GDPR, including the following:
Consent must be freely given; this means giving people genuine ongoing choice and control over how you use their data.
Consent must specifically cover the controller’s name, the purposes of the processing and the types of processing activity.
Consent requests must be prominent, unbundled from other terms and conditions, concise and easy to understand, and user-friendly.
Consent should be obvious and require a positive action to opt in.
There is no set time limit for consent. How long it lasts will depend on the context. You should review and refresh consent as appropriate.
Evidence that consent has been obtained will have to be recorded, and organisations that have no direct relationship with the individual will have to rely on their partners to obtain consent on their behalf. For Quantcast, this means relying on our Measure and Advertise partners, who have a direct interface with the individual on their websites, to seek consent on Quantcast’s behalf.
Quantcast will, of course, work with its clients (advertisers and publishers) to make the process of obtaining consent easy and smooth for the customer.
What actions should be taken in the case of a data breach?
If you suffer a data breach that puts the rights and freedoms of individuals at risk, you must notify a data protection authority (for instance: the Information Commissioner’s Office in the UK) within 72 hours of your organisation becoming aware of it.
While you can’t be expected to detail every aspect of a breach upon discovering it, you should notify the data protection authority of the nature of the data that has been breached, and the approximate number of people affected. You should also detail the potential consequences for those people and what measures you have taken or plan to take.