Quick Q&A - General Data Protection Regulation (GDPR)

24/04/2017

What is the GDPR? Find out more below.

What is it?

The EU General Data Protection Regulation (GDPR) is the new legal framework governing the use of personal data across all EU markets. It replaces existing national data protection laws and comes into force from 25 May 2018.

The GDPR updates the existing EU data protection framework. From a consumer perspective, the GDPR aims to give individuals more control of their personal information.

Organisations will require a legal basis to process personal data. There are six legal bases available, but those most commonly used in the digital advertising sector are ‘consent’ and ‘legitimate interests’.

The GDPR strengthens the conditions for consent. Consent will need to meet very high standards (eg it cannot be bundled with T&Cs) to be relied on as a legal basis for processing personal data. The user will also need to give consent ‘unambiguously’ with an affirmative action. Processing ’sensitive’ personal data (e.g. racial or ethnic origin / sexual orientation) requires the user’s explicit consent. 

In all cases, evidence that consent has been obtained will have to be recorded, meaning organisations that have no direct relationship with the user will have to find a way to obtain consent indirectly.

The GDPR also introduces increased sanctions: organisations can be fined up to €20m or 4% of annual turnover (whichever is greater) if they breach the law.

Who does it affect?

The GDPR regulates the use of all personal data, including the way organisations collect, share and use data. If an organisation is processing personal data about a person who is in the EU (nb they do not have to be an EU national) then the new law applies, regardless of where the business is located. 

All organisations engaged in digital advertising – whether brand advertisers, agencies, advertising networks, data/technology businesses or publishers – will be impacted.

The GDPR also introduces special protection for children’s personal information: if an organisation collects information about a child and is relying on consent to process it lawfully then it will need a parent’s / guardian’s explicit consent where the child is under 16 years old.

When will things change?

The new GDPR legal framework comes into effect on 25 May 2018 (and will apply to the UK, despite Brexit). We advise all digital advertising businesses to familiarise themselves now with the new rules and what they will mean, so they can develop and implement a compliance roadmap before the deadline.

How is the IAB working with industry to address this? 

IAB UK has already produced a number of resources to help our members understand the GDPR and its impact on their businesses. These include a detailed GDPR briefing document; a GDPR FAQ; and a members’ only roundtable discussion with legal experts on GDPR.

Working with the Information Commissioner’s Office (ICO) and the Department for Culture, Media and Sport (DCMS), we have established a GDPR Working Group to help guide understanding of the new rules.

We will continue to provide more events and resources to support our members’ compliance with the GDPR ahead of it coming into effect in 2018.

Where can I find out more? 

The full text of the new law is available here.

The IAB’s detailed GDPR briefing document for the digital advertising industry

IAB FAQs on GDPR

UK Information Commissioner’s Office (ICO) - Overview of GDPR

UK Information Commissioner’s Office (ICO) - 12 preparatory steps

UK Information Commissioner’s Office (ICO) - what to expect and when

The EU Article 29 Working Party (EU guidance) 

Email any questions or comments you have to info@iabuk.net

Policy issues: