May 30, 2018

Explaining Europe’s GDPR (General Data Protection Regulation)


On 25 May 2018, ad tech will need to be prepared for a different set of guidelines when it comes to the handling of data for EU citizens.

The European GDPR (General Data Protection Regulation), agreed in April of last year after four years of planning, aims to bring new accountability obligations to both ‘handlers’ and ‘controllers’ of data. In the EU’s own words, it will “reshape” the way organizations across the world approach data and privacy via a set of up-to-date guidelines for entire industries to follow.

Some of the biggest conversations regarding GDPR and its implications have centered on ad tech: a space populated by an ever-growing list of companies, most of which rely on data to go about their work. The new rules for areas like consent and definitions of data are as huge as the penalties for failing to abide by them. Alarmingly, 96% of companies across the UK, France and Germany claimed not to understand the new regulations when quizzed by Symantec in October 2016, while 91% of IT decision makers were skeptical about their chances of being prepared on time.

Ad tech itself is building a strong head of steam, making it all the more important that its members get things right come May of next year. Let’s take a look at what they’re up against.

Summary of changes

Heading up the list of changes are the new rules for collecting data, where there is far more emphasis on users opting in to having their data stored. Although opting out isn’t prohibited, the banning of pre-ticked boxes essentially brings an end to how a lot of groups collect information.

EU citizens will also be allowed to request access to their data. Companies are required to provide this free of charge and may even be forced to delete the subject’s information as part of laws upholding ‘the right to be forgotten’.

Other rules require data breaches to be reported within 72 hours of such an incident taking place, while any organization with “regular and systematic monitoring” of data will need a data protection officer (DPO) on their books. For a bit of further reading, the full list of changes can be found on the GDPR website.

What is applicable? 

The GDPR applies to ‘controllers and handlers’ of personal data. Any data that is ‘personally identifiable’ falls under this category, which now includes ‘online identifiers’ such as cookies, IP addresses and other information used for tracking purposes.

From a geographical perspective, the GDPR will apply to any party found to be processing or controlling the information of EU citizens.

The Union has admitted ambiguity with the old guidelines, which referred to data processed ‘in context of an establishment’. From May, the rules will apply to anyone handling data from subjects positioned in the EU, regardless of their own location.

While this carries fresh implications for companies around the world, it also means that any UK groups hopeful of playing the Brexit card will not see any kind of exemption, so long as they’re handling the data of EU citizens.

Action to take

Getting prepared for the new rules will take time. Groups like the Information Commissioner’s Office (ICO) have advised ‘information audits’ to determine the rules for data sitting within the organization, while immediately designating a DPO could be invaluable when it comes to forming strategy.

Perhaps the biggest challenge lies within the requirement for controllers and processors to help EU citizens understand why their information is on file. That means that, to use their data, ad tech players like networks, analytics services, targeting platforms and others will have to review their policies on consent before going back out to users to gain it again.

Those failing to play by the rules will be subject to “the highest tier of administrative fines”, which works out as 4% of a company’s annual turnover or £16.7 million (€20 million), whichever is higher. This represents a steep hike on the cap of £500,000 imposed today.

The Internet is packed with information for companies wishing to equip themselves for the GDPR. For ad tech, the time to prepare is now.