The Countdown Is On: GDPR FAQs Answered
So folks, it’s now less than two weeks to go until the GDPR comes into effect, but a cloud of confusion still surrounds this major overhaul of data legislation, particularly for those of you based outside the EU. At this point, we’ll spare you the by-now repetitious details of what the GDPR is and why it matters, and instead answer your FAQs and explain some of the more confusing concepts of the regulation – in plain English. Answers provided in part by Rachel Waite, GDPR Awareness Coalition Ambassador.
What is a data processor under GDPR and how does it differ from the data controller?
Chapter 4 defines data controllers and data processors as below:
- Controller – “means the natural or legal person, public authority, agency or other body which, alone or jointly with others, determines the purposes and means of the processing of personal data”
- Processor – “means a natural or legal person, public authority, agency or other body which processes personal data on behalf of the controller”
In the AdTech space, this can be confusing, as almost all players in the industry, including advertisers, publishers, DSPs, DMPs, and SSPs, can be considered data controllers or processors depending on the circumstances, but the distinction is important for compliance. The GDPR treats the data controller as the principal party for responsibilities such as collecting consent, handling consent withdrawal, enabling the right of access, etc.
As an agency or vendor in the industry, the first thing to do is to evaluate which role you play in the data processing. Do you determine the purpose and means of the data processing, or are you strictly acting on behalf of a client? Whatever role you take, be sure to document each party’s obligations and responsibilities in a Data Processing Agreement.
What is “legitimate interest”?
Perhaps the most hotly debated clause under the new regulation is Article 6, which says that data collection and profiling without consent are allowed if the controller has a ‘legitimate interest’ in doing so. By now Twitter is already abuzz with examples of companies using the ‘legitimate interest’ clause to avoid obtaining consent from users. One such example was a business that explained how they were a ‘legitimate business’ and therefore everything they did was for a ‘legitimate business purpose’ – we’re not making this stuff up!
However, WP29 has actually been quite clear in its guidelines, concluding that advertising and data profiling do not fall under this clause. We can, therefore, conclude that AdTech providers cannot rely on the legitimate interest clause to continue with behavioral targeting activities. The lack of clarity and clear guidelines on how to obtain consent from users, given the complexity of the media supply chain, means many firms are still in the dark without any plans in place to obtain consent or delete data when requested. Some vendors are hoping and relying on the legitimate interest clause and taking a ‘wait and see’ approach, observing how the rules will be enforced before making major changes to their privacy policies. This approach could prove costly, with maximum fines for failure to comply of €20 million or 4% of the company’s global annual turnover – whichever is higher.
How “freely given” must consent be?
Of all the challenges AdTech vendors must solve to be compliant with the GDPR, obtaining user consent is perhaps the most difficult. Under the new regulation, consent needs to be clearly spelled out and individuals should have a genuine and free choice as to whether or not to provide consent – and they should be able to refuse or withdraw at any time. How and why their personal information is being used must be explained in plain terms and must cover every instance of use. The individual should be left in no doubt about what they are consenting to – all these measures force companies to be more transparent about how they use customer data, and give the user more control over how their information is being used.
In late 2017, WP29 warned that “data subjects should be free to choose which purpose they accept, rather than having to consent to a bundle of processing purposes”. Opt-in requests for multiple purposes should “allow users to give specific consent for specific purposes.” Users should know what to expect and how their data will be handled in the event that they opt-in or out. This handy illustration from PageFair shows a sample opt-in form.
We’re a German AdTech startup with 10 people working here, do we need to appoint a Data Protection Officer?
Yes. Under previous data protection law in Germany, a company with at least 10 people engaged in regular data processing activities was not required to appoint a Data Protection Officer. Though the law governing this area was slightly ambiguous before, under the GDPR this has become a mandatory step for all companies handling data – even small startups with just 10 people.
My company is based in the U.S. Does the GDPR still apply to me?
Yes. The GDPR applies in any case where the data controller, the data processor, or the data subject (the person whose data is being collected) is based in the EU (or is an EU citizen). This means most companies in the US will have to comply with the regulation as the law applies to all EU citizens, even if they are living abroad! According to estimates compiled by IAPP & EY, American companies have already sunk a combined $7.8 billion preparing for the GDPR to avoid the massive fines and penalties.
What should I do in the event of a data breach?
Despite an increase in security budgets in recent years, security breaches are becoming more and more common.
Article 4(12) defines a personal data breach as “a breach of security leading to the accidental or unlawful destruction, loss, alteration, unauthorized disclosure of, or access to, personal data transmitted, stored or otherwise processed.”
Article 33 of the regulation clearly sets out the requirements for the data controller in case of a data breach:
- In the case of a personal data breach, the controller shall without undue delay and, where feasible, not later than 72 hours after having become aware of it, notify the personal data breach to the supervisory authority competent in accordance with Article 55, unless the personal data breach is unlikely to result in a risk to the rights and freedoms of natural persons. Where the notification to the supervisory authority is not made within 72 hours, it shall be accompanied by reasons for the delay.
Under the new data protection law, mandatory reporting of a personal data breach that results in a risk to people’s rights and freedoms will be a new requirement for many. A recent example was Twitter’s data breach, which saw the company telling on itself: it sent users a full-screen alert when they logged into the app, informing them of what had happened and recommending that they change their passwords. After the issue was resolved, the security team was able to determine that it was unlikely that passwords had been leaked or misused, and the company could have considered the case closed. But erring on the side of caution in preparation for the GDPR is an approach we can expect to see many companies take in the case of data breaches – to avoid those hefty fines.