GDPR - Brace Yourselves, Tracking Changes are Coming
The EU’s General Data Protection Regulation (GDPR) takes effect in May. It tightens the rules on data privacy and security and will change how any business that operates in Europe tracks data. The changes give consumers more control over their data, and being caught unaware can lead to significant fines.
What’s Going On?
On May 25, 2018, a new EU law known as the General Data Protection Regulation takes effect. While it has been in discussion for a while and builds on the EU’s pre-existing data protection and privacy laws, the GDPR is much more explicit about what consent companies need before they collect and use data and about how privacy violations are to be enforced. Any company that advertises to, tracks, or otherwise processes data about European consumers will have to follow the new rules. It is probably not long before US law follows. With that in mind, below are some things to know about the GDPR and where we can get ahead.
What Do We Need to Know?
Definition of Personal Data
- According to Article 4 of the GDPR, personal data means “any information relating to an identified or identifiable natural person”. This includes names, identification numbers, location data, online identifiers, and sensitive data (e.g. genetic or biometric data).
- In short, any type of data that can single out a person counts as personal data and is subject to the rules of the GDPR.
Rules and Fines
- Consent to track and gather data must be given by the user, separately from the website’s terms and conditions. The consent request must be presented up front and in an opt-in format.
- All customers or users must be notified of a data or security breach within 72 hours of its occurrence. If you are a data processor, you must notify the data controller as soon as possible after a breach.
- Users must be able to view and edit tracked data that concerns them, and all users have the Right to be Forgotten. A deletion request can cover any period of time or their entire internet history, and all companies MUST delete the data without undue delay.
- Don’t follow the rules and you can be fined up to 4% of “annual global turnover” or 20 million euros, whichever is greater.
Are you a controller or a processor?
- A processor is any “person, public authority, agency or other body which processes personal data on behalf of the controller”.
- A controller is any “person, public authority, agency or other body which, alone or jointly with others, determines the purposes and means of processing personal data”.
These roles may switch depending on the client or customer, so it is important to understand the distinction and where your company sits. Facebook, for example, sees itself as a data controller in most cases, as it controls the data generated by activity within the Facebook domain. Yet Facebook is also a data processor for its advertisers and business partners, who are then the data controllers, since they determine what data is processed and why.
What areas are going to be affected?
- Internal Operations
Some organizations will be required to appoint a Data Protection Officer if their “core activities consist of processing operations which require regular and systematic monitoring of data subjects on a large scale”. As more detail emerges about which companies will need a DPO, it is worth reviewing what processes are in place to let users delete their data and how you would demonstrate that your organization is protecting data if asked.
- Digital Advertising Agencies
The push for upfront consent to track data will affect audience targeting, but until the law goes into effect it is difficult to be sure exactly how tracking will change. In the meantime, it is worth preparing a consent form for users to accept once the changes take effect so that data can still be tracked.
What Are Others Saying?
Most major companies (e.g. Microsoft, Facebook, and Google) have publicly stated that they fully support the GDPR and are working on how best to comply with it. Facebook plans to hire 20,000 employees who will focus on safety and security by the end of 2018 (Adweek), and both Facebook and Google have released privacy center features that allow users to edit who can see their data.
According to Digiday, “more marketers are treating GDPR as an evolution of existing data-privacy law, and not as a revolution”. Quantcast, an AI-driven audience behavior platform, recommends consulting your legal team to fully understand the ramifications for your business and assessing what controls are in place so you are not caught off guard when the changes go into effect.
Should You Be Concerned?
While the GDPR might require changes to current data collection practices, it is too early to raise the alarm. There is still time before the May 25th deadline to check on your processor and controller status. These changes will bring a new level of transparency to the digital world, something we at Tailwind hold as one of our core values. There will be a period of adjustment, as with all new regulations, but when the dust settles, we believe these changes will be positive for an industry increasingly in need of repaired trust.