This week’s guest blog post is a conversation on the global impact of GDPR between Kate Taylor, Marketing Programs Specialist, Oracle Data Cloud, and Gabriel Voisin, a data protection & privacy partner with London-based law firm Bird & Bird.
Gabriel Voisin: The GDPR—General Data Protection Regulation—is the new piece of legislation that will go into effect on May 25, 2018.
It is a new regulation with comprehensive privacy requirements intended to strengthen and unify data protection for people in the European Union (EU).
To back up, the current data protection legislation is the Data Protection Directive (DPD) from 1995.
Each EU country has a different interpretation of the directive via national data protection legislation, which means the topic is currently quite fragmented.
As a result, when conducting multi-country advertising campaigns, marketers need to individually check and abide by each EU data protection act within every country where they are established or wish to do business.
That’s why the European Commission wanted to streamline the current state of affairs.
The result is the GDPR, a single data protection regulation replacing the current national data protection legislation in each EU country.
This is tasking marketing teams with implementing changes in the way they manage processes, people and technical controls to comply with the new legislation.
Gabriel: The GDPR will affect organizations differently, based on their data classification.
The main determinant of the impact on your business lies with the GDPR’s distinction between data controllers and data processors.
Data controllers are the decision makers, the ones who control how the data is used. They are in the driving seat and, as a result, are subject to all GDPR specifications.
Data processors, on the other hand, simply follow the instructions given by data controllers. Of course, they have to comply with GDPR, but to a lesser extent—roughly 40 percent of the GDPR directly applies to them.
How to apply that to the digital advertising industry:
Publishers: Data controllers
DMPs/DSPs: Tend to be data processors
Advertisers: Data controllers
Exchange platforms & Agencies: Inconsistent. There’s room for maneuvering on this point. It comes down to whether or not you have decision-making power, and whether you can drive the conversation about the use and treatment of data.
Data brokers: Data controllers
Gabriel: Here are my top three.
Myth #1: An NDA will cover you
Let me debunk this one immediately: An NDA is not enough. When you process personal data, you need more than an NDA. You need an agreement in place containing data protection provisions, explaining the dos and don’ts and responsibilities of each party in this activity.
Myth #2: “Online identifiers” are not personal data
Unfortunately, it’s incorrect to think that “online identifiers” are not “personal data.” From the EU perspective, they are personal data and are used to single out users. The fact that we may not have the identity of the person behind the online identifiers is irrelevant.
Myth #3: Businesses outside the EU are unaffected by the GDPR
The message here is simple. As soon as you provide goods and services to EU-based individuals, or monitor EU-based individuals, you are subject to the GDPR. There is an extraterritorial effect, regardless of where the company is based.
Gabriel: While the GDPR is today’s hot topic in the industry, digital marketers also need to think about the ePrivacy regulation coming soon.
Similar to how we’re transitioning from the DPD to the GDPR, the ePrivacy regulation signals a move to standardize previously fractured ePrivacy directive rules.
GDPR and ePrivacy work together, and while the true legislative requirements and impact of the revised ePrivacy rules are still being discussed, it’s important to digital advertisers for two reasons.
About Gabriel Voisin
Gabriel advises on a range of international data compliance projects, including the implementation of General Data Protection Regulation (GDPR) strategies, international data transfers and local data compliance.
Additionally, Gabriel has extensive experience in advising clients on guarding against and mitigating potential cyber intrusions and computer-breach events for a broad range of major multinationals. For further information about Gabriel, visit Bird & Bird.