With the rise of the European Union digital economy, European lawmakers proposed an update to the existing data protection and privacy rules – GDPR in 2016. And almost two years later, GDPR was enforced across Europe.
Table of Contents
What is GDPR?
Approved on 14th April 2016 by the European Parliament, GDPR is the law that unifies and updates the privacy laws throughout the EU. GDPR is brought in to swap the EU data protection law of 1995.
This new ordinance gives attention to the transparency and privacy rights of the data business. In case of a severe data violation, the company is required by the General Data protection compliance to notify the concerned authority and influence people within 72 hours.
The directives of the General Data Protection Regulations (GDPR) apply to all the data generated by the citizens of the European Union. The GDPR is anticipated to set a new benchmark towards consumer rights concerning data. But with this, the companies will face a challenge as their management & operations process and systems will need to comply with the General Data Protection Regulations. GDPR calls for a more comprehensive view of the personal identification information of any individual.
As GDPR has come into effect, there are a lot of elements that businesses need to understand to be GDPR compliant. Though many constituents do not directly relate to personal information security, the changes must modify the existing systems and processes to comply with GDPR so that the system does not affect the data. GDPR also standardizes the export of personal information data outside the European Union.
Also read: IAB’s Consent Management Platform is launched to help Publishers!
Companies that Could Get Affected by GDPR
Any company that executes or stores personal information of the EU citizens within the European Union states ought to abide by the General Data Protection Regulations. Even if the company or the business is out of the EU states but holds the data of EU citizens must follow the GDPR. The precise standards are:
- Must have a presence in the European Union.
- Any business with no presence in EU states but processes the personal information data of the European Union inhabitant.
- Any business with a minimum of 250 employees.
- Any business with less than 250 strength but has data processing operations that affect the rights of citizens and freedom & protection of data. These businesses deal with sensitive personal information data.
The General Data Protection Regulations also implies that the companies cannot legally process individual data unless one of these conditions are met:
– Seek approval of the data subject.
– To enter into a contract, data must be processed with the data subject. Processing is the key.
– To get compliance and legal commitment, Processing is essential.
– To protect data subject and personal information identification. Processing is essential.
– Companies need to appoint a data processing officer to protect the data subject and information.
The Data Processing Officer ensures that the company is GDPR compliant. If any company does not comply with the GDPR, it is impacted with a fine of either 20 million euros or 4% of the annual earnings.
Under the General Data Protection Regulations, the Data subject rights need to be carefully understood. These rights include:
Access Rights: It is permissible for data subjects to review the data that any business or company has stored.
Right to be elapsed or forgotten: Data subjects can ask to erase their information data from the company’s database. The company reserves the right to decline the request if it provides a legal reason for the rejection.
Right to reject: Data subjects reserve the right to object to the use of their data. The company can still use the data based on legal reasons and notify the data subject about data processing.
Right to resolve: The data subjects can correct any personal information stored about them.
Right of portability: Data subjects can access and transfer their data stored with a company.
Definition of Personal Data as Per GDPR
As per new rules complying with GDPR, the personal data includes IP address, location data, online identifiers, unique metadata. This new definition requires a strict audit before GDPR implementation to check whether all the personal data elements qualify for GDPR.
GDPR also ensures security and encryption of personal data and saves the encryption key separately to minimize the risks of dealing with personal data. For data to be outside GDPR, it has to be anonymous. The companies that depend on third-party contractors for the data processing work have to go through a lot of risk evaluation.
The Checklist for GDPR Compliance
If you’re a European publisher or have an audience from the EU regions, chances are you’re already compliant with the General Data Protection Regulation (GDPR). But that doesn’t mean you can stop looking at your processes and ensuring adequate. Whether or not you have already taken the steps outlined below, this checklist could be handy to determine how well-prepared your organization is for GDPR:
- Ensure you’ve asked for consent before processing users’ personal information.
- Ensure you’ve explained your data privacy policies to your users.
- Make the withdrawal process of consent as easy as it was when you collected it. Also, you should be able to delete users’ personal data when they request.
- Keep your visitors informed when you update the privacy policies. Have a system in place to regularly review data protection policies.
- In the case of minors, make sure you collect consent from their guardian.
- Have a proper system that allows the users to update their information and keep it accurate.
- You should be able to share data with third parties when legally requested.
Online Privacy laws are one of the raising concerns for the publishers. If you’re curious to know more about how you can deal with different upcoming and existing Privacy Laws, we have made a guide for you!
What’s Next?
The general data protection regulation intends to harmonize the data protection rules across all the European Union states and minimize the regulatory load on the digital ecosystem. Regardless of the countermeasures, adtech will be agonized by the law because advertising technologies rely on users’ data (Sometimes, PII) to deliver effective ad campaigns.
The problem is publishers are held responsible for other adtech vendors they’ve deployed on their site. Publishers have to get consent ‘unambiguously’ for all the ad tech vendors, which is less likely to succeed. Even Google declared that 60 to 70 percent of the users refuse to consent.