With just weeks to go until GDPR legislation comes into place on 25th May 2018, companies need to start putting their plans in place to address this new legislation, if they haven’t done so already. So, we’ve put together this handy guide on all things GDPR to help publishers get the ball rolling…
What is the General Data Protection Regulation, better known as GDPR?
GDPR is a new EU regulation that was put in place to strengthen data and privacy rights for EU individuals.
When does it go into effect?
This year, on May 25th, 2018. There is no grace period, since notice of the regulation was released in April 2016.
Who does it apply to?
All publishers, websites and content owners will need to comply with the regulation.
Does it only apply to EU based businesses?
“The GDPR not only applies to organisations located within the EU, but it will also apply to organisations located outside of the EU if they offer goods or services to, or monitor the behaviour of, EU data subjects.” – read more at the GDPR website
What are the key takeaways for publishers?
- An EU reader, regardless of where the publisher is located, has the right to say no to the collection of their personal information
- The definition of personal information has expanded to include cookies and IP addresses, among many other trackable activities
- Consent for processing EU personal data must be obtained from users
- Child protection applies to under 16 (different from the US’s COPPA, which is under 13)
What is Sovrn doing to protect personal information and the use of this?
Sovrn has always been invested in the responsible and transparent collection and use of data. Sovrn is committed to protecting personal, private, confidential and sensitive data and the systems and processes that store this data.
What are the implications of not being compliant?
Class action lawsuits and severe fines of 20 million Euros or 4 percent of annual global turnover, whichever is higher.
How will Brexit impact London publishers and readers?
The UK government has indicated that it intends to implement the equivalent regulation. How this continues to evolve will need to be monitored, but we recommend applying the same measures.
What questions should you be asking, and what GDPR steps should you take?
Determine who the data controllers and data processors on your page are.
‘Controller’ means the natural or legal person, public authority, agency or other body which, alone or jointly with others, determines the purposes and means of the processing of personal data; where the purposes and means of such processing are determined by Union or Member State law, the controller or the specific criteria for its nomination may be provided for by Union or Member State law;
‘Processor’ means a natural or legal person, public authority, agency or other body which processes personal data on behalf of the controller;
Determine what you feel comfortable with for consent – read the Article 29 Working Party’s Consent Guidance (WTF is Article 29 Working Party?)
Understand what data you collect and who you allow to collect data:
- Look at your existing partners
  - Look at analytics on the page
  - Evaluate your fraud prevention
  - Evaluate your advertising partners
  - Review your contracts with vendors
- What data are you internally collecting?
  - Data inventory/mapping
  - Where is the data coming from?
  - Where is the data going and being stored?
  - Ensure that you have documentation
- Do you enable others to collect personal data?
  - Yes! Sovrn and our partners do. We are working to help you become compliant with this aspect.
- What % of traffic comes from the EU? How will this impact your revenue after May 25th?
  - It’s important to disclose what data you collect and why, and who you enable to collect data through your site
Tools you can use:
- IAB UK GDPR Advice
- DigiDay GDPR Content