Frequently Asked Questions GDPR
The EU General Data Protection Regulation (GDPR) is a comprehensive privacy regulation that will replace the current Data Protection Directive 95/46/EC, with an implementation date of May 25, 2018. In April 2016, after more than four years of negotiation, the European Union approved GDPR, with the goals of strengthening and harmonizing data protection regulation for individuals across the EU and strengthening the digital economy in the EU. GDPR is directly applicable to member states without the need for implementing national legislation.
For more information and resources about GDPR, visit the IAB Europe’s GDPR informational website.
GDPR became enforceable beginning on May 25, 2018.
GDPR applies to any business, whether or not it is based in the EU, that processes the personal data of EU citizens. GDPR applies to these businesses even if the goods or services that they offer are free.
Today’s consumers are starting to realise that they need to share some of their personal data with organisations to get the service that these organisations provide, such as free website content. One of the primary objectives of the EU Commission was to give EU citizens back the control of their personal data.
In addition, the Commission wanted to simplify the regulatory environment for international business by unifying the regulation within the EU. By harmonising the data protection regulations, the intention of GDPR is to make it easier for companies to comply with these regulations.
The definition of personal data under GDPR is broad and intentionally all-encompassing. In particular, pseudonymous data is defined as a sub-category of personal data, and still triggers application of GDPR. Pseudonymous data includes cookies and other device and online identifiers (some IP addresses, IDFA, AAID, etc.) that can be used to single out an individual, even if you do not know that individual’s specific identity (for example, even if you don’t know the individual’s name or address). Online identifiers are explicitly called out as examples of personal data under GDPR.
Due to this broad definition of personal data, it is highly likely that data being processed in the online advertising ecosystem falls within the definition of personal data, and is regulated under GDPR. Quantcast collaborated with the IAB Europe and other industry experts on IAB Europe’s paper on the Definition of Personal Data. We highly recommend that you review it for a deeper dive on the definition of personal data.
What obligations does GDPR introduce in relation to the individual’s right to access and delete data about themselves?
Under GDPR, individuals can ask for access at “reasonable intervals”, and controllers must generally respond within one month. GDPR requires that controllers and processors must be transparent about how they collect data, what they do with it, and how they process it, and must be clear (using plain language) in explaining these things to people.
Individuals have the right to access any information a company holds on them, and the right to know why that data is being processed, how long it’s stored for, and who gets to see it.
In addition, under GDPR, individuals have the right to revoke their consent at any time. Individuals have the right to have their personal data deleted “without undue delay”, at their request.
GDPR introduces a new standard for consent. Where a company relies on consumer consent to process personal data, the process to obtain such consent must meet the higher standard of GDPR.
The current draft guidance from the UK ICO describes the requirements for consent under GDPR, including the following:
- Consent must be freely given; this means giving people genuine ongoing choice and control over how you use their data.
- Consent must specifically cover the controller’s name, the purposes of the processing and the types of processing activity.
- Consent requests must be prominent, unbundled from other terms and conditions, concise and easy to understand, and user-friendly.
- Consent should be obvious and require a positive action to opt in.
- There is no set time limit for consent. How long it lasts will depend on the context.
- You should review and refresh consent as appropriate.
- Evidence that consent has been obtained will have to be recorded, and organisations that have no direct relationship with the individual will have to rely on their partners to obtain consent on their behalf.
Quantcast is actively working with the IAB Europe on the Transparency & Consent Framework — an open, and non-commercial standard that facilitates obtaining and managing consumer consent. Quantcast has built Quantcast Choice, a consumer-facing consent solution, based on the IAB Europe’s standard. Quantcast Choice is a free Consent Management Provider (CMP) solution that enables publishers and advertisers to acquire, manage and propagate user consent across the digital content and ads ecosystem.
For technical details on the IAB standard, or for more information on Quantcast Choice, visit here.
Quantcast, or any other IAB approved Consent Management Provider (CMP), provides publishers and advertisers with a mechanism to obtain consent, and then control which third-party vendors can request consent to track users of their websites and apps. Read this white paper outlining the function of a CMP and the Quantcast Consent implementation.
If you suffer a data breach that puts the rights and freedoms of individuals at risk, you must notify a data protection authority (for instance: the Information Commissioner’s Office in the UK) within 72 hours of your organisation becoming aware of it.
While you can’t be expected to detail every aspect of a breach upon discovering it, you should notify the data protection authority of the nature of the data that has been breached, and the approximate number of people affected. You should also detail the potential consequences for those people and what measures you have taken or plan to take.
Entities that do not comply with GDPR requirements may be fined up to $20mm or 4% of their worldwide turnover (revenue), whichever is greater. You may also be subject to lawsuits by affected data subjects.