(Last updated 30 May 2017)
Ever since the European Commission first drew up plans for an update to Europe’s data protection rules, we’ve aimed to help members understand what the new law means to their businesses.
However, offering a helping hand to advise businesses what processes to put in place to comply with the GDPR has been a much more challenging task altogether. The GDPR is no stranger to ambiguity and is littered with grey areas that could have far reaching consequences for our industry. We first proposed ‘five things to consider now’ in our members briefing, which we published in the wake of IAB Engage back in October 2016, but understand that as the deadline approaches, further industry guidance will become increasingly important. And although open questions remain, the good news is that things are slowly starting to become clearer.
As such, you can find a new GDPR checklist below which has been inspired by the ICO’s own ’12 steps to take now’ but tailored to the digital advertising industry to help towards compliance. We aim to update the checklist regularly so please do make sure to come back. We recommend that you use our members briefing alongside the list.
Whatever stage of the compliance journey you’re in, we want to hear from you so please do email us at firstname.lastname@example.org for any questions you have on the GDPR or to share your views on how your preparations for the new rules are progressing.
The GDPR comes with hefty fines – up to 4% of global annual turnover. But this isn’t the only reason senior decision makers need to be aware of the new law. Some processes – and maybe even products – will have to change as a result of the GDPR. For many digital advertising businesses, this is the first time they will have to comply with a set of data protection rules as extensive as the GDPR.
We recommend that you bring together different departments to raise awareness across all aspects of your business and draw up a compliance roadmap involving members of staff from all relevant departments. And don’t forget in your efforts that the GDPR will apply to all companies doing business in the EU, so make sure your colleagues overseas – particularly those based in the US – are involved and fully up to speed.
Accountability is a central theme that runs throughout the GDPR. Key to being accountable is to document what personal data you hold and to identify any areas of risk. You can start with that now. Remember that the definition of personal data included in the GDPR covers more than personally identifiable information (PII). This is important to recognise as a number of data points that many in the industry currently consider to fall outside the scope of data protection legislation, will now be captured by the GDPR. That means that you shouldn’t assume that unique identifiers (e.g. cookie IDs or advertising IDs) are ‘anonymous’ data.
As such, many IAB members may find it simplest to treat all online identifiers as personal data, so make sure you understand where the data comes from and get a clear picture of who you share it with. You may want to consider running an information audit to help with this exercise and any ongoing monitoring of your data practices.
Organisations require a legal basis to lawfully process personal data, including for collecting the data in the first place. The GDPR offers six legal bases:
- Consent
- Performance of a contract with the individual
- Legal compliance (with another law)
- Protecting the vital interests of a person
- Public interest
- Legitimate interest
The two legal bases most commonly used in digital advertising are consent and legitimate interest. As such, think of the various ways in which you process data and identify which legal basis best matches the types of processing you carry out. In some instances, you may find it useful to use a combination of consent and legitimate interest, depending on what kind of processing you intend to do or whether you want to process the data for another purpose.
It is important to remember that under the current ePrivacy Directive (‘the cookie law’) you have to use consent to access and/or store information on a user’s device, regardless of which GDPR legal basis you rely on for the subsequent processing. The European Union is currently reviewing the ePrivacy Directive, which may lead to some changes to those requirements. Please visit the IAB’s policy page for data & privacy for the latest updates on this.
Consent plays a prominent role in the GDPR. However, consent is only one of the six legal bases available to companies to process personal data, as set out above, and in some cases isn’t the most appropriate legal basis. The GDPR strengthens the conditions for consent compared to existing rules. In general, consent has to be freely given, specific, informed and unambiguous and requires a positive action from the individual to be valid; pre-ticked boxes and silence do not count. If you process sensitive personal data, consent will have to be explicit.
Above all, the burden of proof is on companies to show that consent has been obtained lawfully, so being able to verify consent where relied upon as a legal basis will be very important, particularly if another organisation obtains consent on your behalf. The ICO has recently published draft guidance on consent which will soon be finalised. As soon as the final version is available (expected in June), we will link to it here.
The GDPR introduces the concept of pseudonymisation for the first time into EU data protection law. We understand pseudonymisation to incorporate two related concepts. Pseudonymisation can be a process that data can go through – for example encryption, hashing or tokenisation – to ensure the data is no longer directly linked to an individual. Note that the GDPR’s definition requires the ‘additional information’ needed to re-link the data, such as the encryption key or the token lookup table, to be kept separately and protected by technical and organisational measures; an unkeyed hash of a guessable identifier (an email address, say) offers little protection, as anyone can rebuild the mapping by hashing candidate values. Personal data that does not have any directly identifying details could also be pseudonymised at the point of collection. For example, a randomised cookie ID that allows a user to be recognised but not directly identified.
In either case, companies must remember that whatever form of pseudonymisation you use, the data remains personal data under the GDPR, because the individual can still be singled out and the records linked. That said, there are obvious benefits to pseudonymisation as a privacy and security-enhancing measure, not least as companies that pseudonymise data are relieved of some of the GDPR’s obligations (see more under point 7 – individual rights). Pseudonymisation can also help in the balancing test you have to go through if you want to rely on legitimate interest for any of your personal data processing (see point 3 above).
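The three techniques named above behave quite differently in practice. The following is an added illustration, not code from this briefing or from the IAB, and the email address, cookie ID and candidate list in it are constructed sample data. It shows that an unkeyed hash of a guessable identifier is reversed by simply enumerating guesses, that an HMAC under a separately held key remains linkable (so the output is still personal data) but cannot be reversed without the key, and that tokenisation replaces the identifier with a random value whose only link back is the vault.

```python
"""Pseudonymisation of advertising identifiers: unkeyed hash vs. keyed hash vs. token.

Added example; not code from the IAB page. All sample identifiers are constructed.
"""
import hashlib
import hmac
import secrets
from typing import Callable, Dict, Iterable, Optional

# Constructed sample data, as such values might appear in ad-serving logs.
SAMPLE_EMAIL = "alice@example.com"
SAMPLE_COOKIE_ID = "c3a7f1e0-9b2d-4f6e-8a1c-5d2e7b9f0a13"


def naive_hash(identifier: str) -> str:
    """Unkeyed SHA-256. Deterministic and linkable, but if the input space is
    guessable (emails, phone numbers, short IDs) anyone can rebuild the mapping
    by hashing candidates, so this is not a meaningful pseudonymisation."""
    return hashlib.sha256(identifier.encode("utf-8")).hexdigest()


def keyed_pseudonym(identifier: str, key: bytes) -> str:
    """HMAC-SHA256 under a secret key. The same identifier always maps to the
    same pseudonym, so records stay linkable (and remain personal data), but
    without the key a guess cannot be checked against the stored value.
    The key is the 'additional information' the GDPR says to keep separately."""
    return hmac.new(key, identifier.encode("utf-8"), hashlib.sha256).hexdigest()


class TokenVault:
    """Tokenisation: replace the identifier with a random token. The vault holding
    the token-to-identifier mapping is the only way back and should sit under
    separate access control from the pseudonymised data set."""

    def __init__(self) -> None:
        self._forward: Dict[str, str] = {}
        self._reverse: Dict[str, str] = {}

    def tokenise(self, identifier: str) -> str:
        token = self._forward.get(identifier)
        if token is None:
            token = secrets.token_hex(16)  # 128 random bits; unrelated to the input
            self._forward[identifier] = token
            self._reverse[token] = identifier
        return token

    def detokenise(self, token: str) -> Optional[str]:
        return self._reverse.get(token)


def dictionary_attack(target: str, candidates: Iterable[str],
                      transform: Callable[[str], str]) -> Optional[str]:
    """Re-identification by enumeration: apply the same transform to each guess and
    compare with the stored value. Succeeds whenever the attacker can run the
    transform, i.e. always for an unkeyed hash, never for HMAC without the key."""
    for guess in candidates:
        if hmac.compare_digest(transform(guess), target):
            return guess
    return None


if __name__ == "__main__":
    # Constructed candidate list an attacker might hold (e.g. a leaked mailing list).
    candidates = ["bob@example.com", SAMPLE_EMAIL, "carol@example.com"]

    stored = naive_hash(SAMPLE_EMAIL)
    print("unkeyed hash recovered:", dictionary_attack(stored, candidates, naive_hash))

    key = secrets.token_bytes(32)  # held by the controller, never shipped with the data
    stored = keyed_pseudonym(SAMPLE_EMAIL, key)
    print("keyed hash, attacker without key:",
          dictionary_attack(stored, candidates, naive_hash))
    print("keyed hash, holder of the key:",
          dictionary_attack(stored, candidates, lambda s: keyed_pseudonym(s, key)))

    vault = TokenVault()
    token = vault.tokenise(SAMPLE_COOKIE_ID)
    print("token:", token, "-> detokenised:", vault.detokenise(token))
```

The point for the balancing test in the text is the middle case: a keyed pseudonym still lets you build a profile around one user (so the data is personal data and the individual rights discussed under point 7 still need to be considered), but it stops a third party who receives only the pseudonymised records from turning them back into email addresses, as long as the key never travels with the data.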
Transparency is another core element of the GDPR. Privacy policies and notices have long been used in our industry to communicate to users how and why organisations use data. The GDPR requires different levels of detail depending on whether you obtain the data directly from the individual or not. In all cases, your notice will, amongst other things, have to be concise, easily accessible and written in clear and plain language. It will also have to state the legal basis you use and explain your legitimate interest in processing personal data if that is one of the legal bases you operate under.
As such, have a look now at the privacy notices you currently use, analyse what needs changing and begin drafting those changes if you haven’t yet. It’s key that every organisation involved in collecting and using data discloses this information, starting with publishers all the way through each relevant third party.
The ICO’s guidance on privacy notices, transparency and control is a great starting point. Also make sure to consult the section on ‘the right to be informed’ in the ICO’s GDPR overview.
The GDPR affords individuals extensive rights. These are:
- The right to be informed (see point 6 above)
- The right of access
- The right to rectification
- The right to erasure
- The right to restrict processing
- The right to data portability (see Article 29 Working Party guidance for more details)
- The right to object (the right to opt-out)
- The right not to be subject to automated decision making, including profiling
Check your processes to ensure that you can adequately respond to any requests you might receive from individuals. Remember that if you pseudonymise data and can demonstrate that you are no longer in a position to identify the individual, you will be relieved of the rights to access, rectification, erasure, restriction of processing and data portability, as long as the individual doesn’t actively provide additional information that enables you to identify them (and you expect a low level of requests).
The GDPR maintains the notions of ‘data controller’ and ‘data processor’ found in current data protection law to distinguish between the different roles organisations play in the processing of personal data. As a reminder, data controllers are organisations that decide – either alone or jointly with other controllers – how and why personal data is processed, whereas data processors act on behalf of the data controller. Under current rules this means that only the controller is held liable for data protection compliance, not the processor.
Importantly, the GDPR extends statutory obligations to data processors. This means that data processors may be subject to enforcement action from Data Protection Authorities and any potential fines (remember, up to 4% of global annual turnover) from May 2018. Under the GDPR, obligations for data processors include:
- Data Agreements – processors must have a written contract (or other legal act) in place with controllers. This has to set out the subject-matter and duration of the processing, the nature and purpose of the processing, the type of personal data and categories of data subjects and the obligations and rights of the controller
- Data security – processors must take appropriate security measures and inform controllers without ‘undue delay’ in the event of a data breach (see below).
- Sub-processors – processors can only use sub-processors with the prior written authorisation of the controller. Vendors will also have to give the data controller the opportunity to object to any changes in the use of sub-processors.
- Controller instructions – processors may only process personal data in accordance with the instructions of the controller.
- Accountability – processors must maintain records of data processing activities and make these available to the relevant Data Protection Authority on request.
- Data Protection Officers – processors must, in certain circumstances, designate a data protection officer (see more below).
- Cross-border transfers – processors must comply with restrictions regarding cross-border transfers (see more below).
Given that both data controllers and processors will have obligations under the GDPR, it is important for companies to clarify their roles. Even during the process of a brand campaign, these roles can change.
Whilst drafted for current rules, we recommend you consider the ICO guidance on the issue to help in that exercise, during which you may, for example, want to figure out your role in audience segmentation. Do you do it alone or only under instruction from, for example, brands or publishers? Does it differ from client to client? In any case, start working on contracts with your partners now and review those that are already in place to ensure they are in line with GDPR requirements.
Personal data breaches can have far reaching consequences, both in reputational and financial terms. You should therefore make sure you put in place processes that allow you to detect, report and investigate a breach. Compared to existing rules, the GDPR requires data controllers that have suffered a breach which is likely to result in a risk to individuals, such as through identity theft or a confidentiality breach, to notify their Data Protection Authority (the ICO in the case of the UK) without undue delay and, where feasible, within 72 hours of becoming aware of it; where the breach is likely to result in a high risk to individuals, the affected individuals must be told as well. Data processors are required to notify the controller without undue delay of any breach they have incurred (see more about data controllers and data processors above). Start now to identify those types of data that may trigger the notification requirement, and make sure every breach is logged, including those you decide not to report, as the GDPR requires you to document them. The information audit mentioned under point 2 may help you achieve that.
Privacy Impact Assessments (PIAs) – or Data Protection Impact Assessments (DPIAs) as the GDPR calls them – play a significant role in the new rules. Long considered good practice, it is now a legal requirement to run a PIA in high-risk situations, for example where a new technology is being deployed or where a profiling operation is likely to significantly affect individuals. It is currently unclear whether this requirement will apply to processing pseudonymous data.
The GDPR also codifies the principles of privacy by design and default into law. In both cases, carrying out a PIA can help you assess how to incorporate these two principles into any new products or services you want to bring to market. The ICO has produced guidance on Privacy Impact Assessments (PIAs) which, again, provides a great starting point for this exercise.
The GDPR stipulates that one of the criteria to decide whether you need to designate a Data Protection Officer (DPO) is where ‘the core activities of the controller or the processor consist of processing operations which, by virtue of their nature, their scope and/or their purposes, require regular and systematic monitoring of data subjects on a large scale’.
If this applies to your company, then you will have to appoint someone with responsibility for your GDPR compliance. You will also have to think about where in the business structure and governance this person will fit in. To help with this, consult the Article 29 Working Party’s guidance on DPOs.
Most businesses in our industry operate across Europe. Where this is the case you need to identify which Data Protection Authority will be your ‘lead authority’. This is particularly relevant in the case of Brexit as you may not be able to designate the ICO as your lead authority depending on the future role of the ICO within the European data protection framework. In those circumstances, UK-headquartered businesses are unlikely to benefit from the GDPR’s notion of a ‘one-stop-shop’ and would have to deal with multiple Data Protection Authorities across the continent. The Article 29 Working Party’s guidance on lead supervisory authority is useful to help with the exercise of determining your lead authority.
Importantly, you should also think about your options for transferring data to countries outside the EU. You might have to do this for the first time, as prior to the GDPR you may not have regarded the data you handle as personal data at all.
The GDPR offers a number of options to transfer data across borders. Transferring to countries that the European Commission considers to provide an ‘adequate’ data protection standard is seamless. The list of countries currently enjoying this status is available here; for transfers to the US, the adequacy decision covers organisations certified under the EU – U.S. Privacy Shield. Other options exist, including the use of standard contractual clauses.
It remains to be seen if the UK will also be considered ‘adequate’ in data protection terms post Brexit or if another solution will be found. The UK Government will also consider an agreement with its US counterparts to ensure the continued flow of data between the two countries as the UK won’t be able to benefit from the EU – U.S. Privacy Shield once the country has exited the EU.