Frequently Asked Questions GDPR

The EU General Data Protection Regulation (GDPR) is a comprehensive privacy regulation that replaces the Data Protection Directive 95/46/EC and has applied since May 25, 2018. In April 2016, after more than four years of negotiation, the European Union adopted GDPR with the goals of strengthening and harmonising data protection for individuals across the EU and strengthening the EU's digital economy. As a regulation rather than a directive, GDPR is directly applicable in every member state without the need for implementing national legislation.

For more information and resources about GDPR, visit the IAB Europe’s GDPR informational website.

GDPR became enforceable beginning on May 25, 2018.

GDPR applies to any business, whether or not it is established in the EU, that processes the personal data of individuals in the EU. Note that what matters is the location of the individual, not their citizenship. A business established outside the EU falls within scope when it offers goods or services to individuals in the EU or monitors their behaviour there, and this holds even if the goods or services it offers are free.

Today’s consumers are starting to realise that they need to share some of their personal data with organisations to get the service that these organisations provide, such as free website content. One of the primary objectives of the EU Commission was to give EU citizens back the control of their personal data.

In addition, the Commission wanted to simplify the regulatory environment for international business by unifying the regulation within the EU. By harmonising the data protection regulations, the intention of GDPR is to make it easier for companies to comply with these regulations.

The definition of personal data under GDPR is broad and intentionally all-encompassing. In particular, pseudonymous data is treated as a sub-category of personal data and still triggers application of GDPR. Pseudonymous data includes cookies and other device and online identifiers (some IP addresses, IDFA, AAID, etc.) that can be used to single out an individual even if you do not know that individual's specific identity (for example, their name or address). Online identifiers are explicitly called out as examples of personal data in the text of GDPR.

Due to this broad definition of personal data, it is highly likely that data being processed in the online advertising ecosystem falls within the definition of personal data, and is regulated under GDPR. Quantcast collaborated with the IAB Europe and other industry experts on IAB Europe’s paper on the Definition of Personal Data. We highly recommend that you review it for a deeper dive on the definition of personal data.

Under GDPR, individuals can ask for access to their data at "reasonable intervals", and controllers must generally respond within one month (extendable by a further two months for complex or numerous requests, provided the individual is told why). GDPR requires that controllers and processors be transparent about what data they collect, why they process it, and how, and explain these things to people clearly and in plain language.

Individuals have the right to access any personal data a company holds on them, and the right to know why that data is being processed, how long it is stored for, and who it is shared with.

In addition, under GDPR, individuals have the right to withdraw their consent at any time, and withdrawing consent must be as easy as giving it. Individuals also have the right to have their personal data deleted "without undue delay" at their request, subject to the exceptions the regulation sets out (for example, where the controller is legally required to retain the data).

No, the proposed ePrivacy Regulation does not prohibit cookies. The expectation across industry is that the new ePrivacy Regulation will allow individuals to consent to the setting of cookies on their computers, although the requirements around that consent will likely be different than they are under the current ePrivacy Directive.

Quantcast is an active member of the IAB Europe GIG that developed the Transparency & Consent Framework. Quantcast has developed Quantcast Choice, a free Consent Management Platform (CMP), based on the IAB's open, non-commercial standard. Quantcast Choice is a GDPR-compliant solution that enables publishers and advertisers to acquire, manage and propagate user consent across the digital content and advertising ecosystem.

If you suffer a personal data breach that is likely to put the rights and freedoms of individuals at risk, you must notify the relevant data protection authority (for instance, the Information Commissioner's Office in the UK) within 72 hours of your organisation becoming aware of it; if you notify later than that, you must give reasons for the delay. Where the breach is likely to result in a high risk to individuals, you must also inform the affected individuals themselves without undue delay.

While you cannot be expected to detail every aspect of a breach as soon as you discover it (GDPR allows the information to be provided in phases), your notification to the data protection authority should describe the nature of the breach, the categories of data involved, and the approximate number of people affected. You should also describe the likely consequences for those people and the measures you have taken or plan to take to address the breach and mitigate its effects. Keep your own record of every breach, including those you decide do not need to be reported, since the authority can ask to see it.

Entities that do not comply with GDPR requirements may be fined up to €20 million or 4% of their total worldwide annual turnover (revenue) for the preceding financial year, whichever is greater; a lower tier of up to €10 million or 2% applies to breaches of certain obligations, such as those on security and breach notification. Affected data subjects may also bring claims for compensation against controllers and processors.