There are many ways in which GDPR could affect advertisers. So far, it seems the majority of focus has been on companies obtaining consent, rather than figuring out how exactly they will continue to work in the way they do, or indeed if they can continue and still be compliant with the regulations. In the world of digital online marketing, this causes much confusion and uncertainty for the future, but it’s not all bad news!
With the gut-wrenching worry of being fined up to €20 million, it is vitally important you know what needs to change in order to make sure you’re obeying the rules.
Luckily, if you do make any mistakes, there will be a written warning issued to you, and time to change your process before a fine is issued…so don’t panic!
Essentially, GDPR is there to protect everyone, not to make things difficult. It may require change, yes, but ultimately the goal is positive: to ensure that data is secure and being used for the right purposes.
For advertisers, the main focus is making sure the data you keep has been obtained with specific consent, and that the owner knows what you will be using it for.
The good news is that ad networks such as Google and Facebook have confirmed that they are 100% compliant with GDPR, giving publishers the option of whether or not to publish personalised ads. The fact is, people still want to see ads, just not ads that are irrelevant and only showing because they searched for something once on Google. This shift will ensure that the ads we see are things we genuinely want to see, and that would be of general interest.
Although the use of personalised ads will decrease massively, as many companies will not have been able to generate the consent necessary to continue using them, it is believed that they will still exist, but on a much smaller scale.
This could cause the pricing of personalised ads to spiral upwards, making them a more premium product available to those who obtain consent.
The changes will bring about some concerning issues for the marketing industry. With a decrease in access to personal data, it is possible that the ability to target individuals based on personal data will be slowed. However, it’s just a way to develop safer, more secure ways of marketing to audiences in a way that will be interesting to them, and not an annoyance!
The EU General Data Protection Regulation is put in place to ensure data privacy and is the most important change in data privacy in the past 20 years. The change is due to be enforced on 25th May 2018, at which time all regulations must be adhered to. For this reason, it is important that you are well prepared. Below we have highlighted some of the key changes that are likely to affect businesses of all sectors.
The GDPR applies to anyone who considers themselves a ‘controller’ or ‘processor’. A ‘controller’ is someone responsible for determining the purposes and means of processing personal data. A ‘processor’ is responsible for processing this data on behalf of the controller.
Under the new GDPR law, processors are responsible for providing and maintaining records of personal data and processing activities within your company. In the case of a breach, you will be held legally responsible, so it is very important that this change is implemented as soon as possible and kept up to date consistently.
The GDPR applies to any sort of ‘personal data’, that is, data relating to an identifiable person who can be directly or indirectly identified. It applies to both automated and manual filing systems where any personal data is available.
Even data that has been key-coded can fall within the boundaries of GDPR depending on how difficult the coding is to attribute to an individual.
The GDPR refers to special data as “special categories of personal data”, which include genetic and biometric data that are processed to uniquely identify an individual.
The main, and most important, change is the increased territorial scope. Regardless of the company’s location, any data of EU citizens being processed will have to adhere to the GDPR. The GDPR makes it very clear that it will apply to “processing personal data of data subjects in the EU by a controller or processor that is not established in the EU, where the activities relate to offering goods or services to EU citizens, and the monitoring of behaviour taking place within the EU.” Any non-EU business processing the data of EU citizens will henceforth have to employ an EU representative for their company, to ensure that regulations are being met.
The new GDPR could also see companies being fined up to 4% of their global turnover, which can be imposed in the case of serious infringement. The approach is tiered: for example, a fine of 2% for not having their records in order or not notifying the authorities and data subject in the case of a breach.
The terms for consent have also been improved and strengthened. Companies will no longer be able to use long terms and conditions including legal jargon; requests for consent will have to be easy to understand and interpret, as well as being easily accessible to the subject. The purpose for the data collection will also have to be disclosed, and consent must be as easy to withdraw as it is to give.
Rights for the subjects will also change under the GDPR. Subjects will now need to be informed of any breach in privacy that is likely to cause “risk for the rights and freedom of individuals”. This information must be given within 72 hours of first becoming aware of a breach. Data processors will be responsible for notifying their customers, the controllers, as soon as possible.
Data erasure, or the right to be forgotten, gives subjects the right to have their data erased due to withdrawal of consent, or the data becoming irrelevant to the original purposes of the data process. Subjects also have the right to receive and access their personal data.
Controllers are required to only hold and process data that is absolutely necessary to the task, and to limit access to those processing the data.
Finally, another big change in GDPR is the appointment of Data Protection Officers, for companies whose core activities are processing operations requiring regular monitoring of data on a large scale, or special categories of data relating to crime. Data Protection Officers will now be assigned to each corporation, rather than being responsible for a specific area.
The Data Protection Officer must be an expert in data protection, and is responsible for overseeing all tasks of data protection and advising where necessary. They will also act as the first point of contact for authorities and individuals whose data is being processed.
These are just some of the changes outlined in the GDPR. Don’t forget to analyse where your company fits in with these regulations, and to have made any necessary changes by 25th May 2018. For further information, and for full details of exactly what these changes mean for your business, you can view the key changes on www.eugdpr.org.