GDPR And What It Means for Your Business
Beginning May 25, 2018, a new law will greatly affect how adtech companies collect and process personal data. The law, the General Data Protection Regulation (GDPR), is actually a European Union law, but it could have far-reaching effects beyond European borders, as U.S.-based companies will have to comply with the new regulation when doing business within the EU.
Beyond Europe, the law will also apply to any business whose data processing relates to the offering of goods and services to EU-based people or the monitoring of online behavior — including tracking used for interest-based marketing — within the EU. That is far reaching and will affect most every adtech company and their clients, the world over.
The law replaces an earlier law, the EU Data Protection Directive, which only applied to those entities which processed personal data on equipment located within the EU. Once enacted, GDPR will apply to any company that uses data to offer goods and services or uses data to track online behavior within the EU regardless of the company’s location.
The GDPR contains many of the basic stipulations of the original directive but includes changes that will have a meaningful impact on how businesses deal with personal data. Under GDPR, data processing will need to comply with six principles and satisfy at least one processing condition.
Briefly, these principles are: Data must be processed in a transparent fashion (consent must be given), collected and used for a specific purpose and only that purpose, and maintained in an accurate, secure manner until its specific purpose of use has expired. It must then be deleted.
Conditions allowing the processing of data include the individual’s consent, necessity for the performance of a contract, compliance with a legal obligation, protection of an individual’s vital interests, or the performance of a task by the entity holding the data.
Some of these processing conditions can be quite onerous. If we look at consent, according to GDPR Article 7, consent requires a specific demonstration of consent by the data collector, a request for consent that is clearly and obviously distinguished from other matters, a provision for the data subject to withdraw their consent at any time, and proof that the data is conditional upon or necessary for the completion of a contract or the provision of a service.
Along with the above-mentioned rights given within the GDPR, people will be protected by additional rights including the right to be forgotten, the right to restrict processing, the right to object or curtail the collection of certain types of data and the right to data portability.
While an EU law, GDPR is far-reaching and will have a great impact on U.S.-based companies doing business within the EU. Specifically, U.S. businesses must first determine whether or not any part of their operation does business in the EU. As mentioned above, this includes the use of data processing, which relates to the offering of goods and services to EU-based people or the monitoring of online behavior. Then, they will need to determine if their existing operations currently comply with the details spelled out within GDPR.
In order to accomplish this, it makes sense for businesses to appoint a data protection officer who could ensure adherence to GDPR stipulations by re-examining the business’s data relationship with all existing customers; ensuring mechanisms such as internal policies, external policies and vendor agreements are in place to honor withdrawal of consent; reviewing and updating any and all contracted relationships so that those relationships also adhere to GDPR; ensuring existing security and privacy programs are in line; and determining whether or not required state, federal and international requirements play nice with GDPR.
Clearly, GDPR makes adhering to U.S. privacy laws look like a walk in the park. GDPR is far more detailed and requires far more compliance than U.S. privacy laws. While GDPR is an all-encompassing data privacy law, current U.S. data privacy law is made up of a patchwork of laws which both overlap and sometimes contradict one another.
There’s the Federal Trade Commission Act, an old law that broadly but not specifically prohibits unfair or deceptive business practices. There’s the Financial Services Modernization Act, which regulates how financial information is collected and used; the Health Insurance Portability and Accountability Act, which regulates the use of personal medical information; and the Fair Credit Reporting Act, which regulates how a person’s credit information is used by a lender or a credit card company. Perhaps the closest U.S. law to GDPR, though, is the Electronic Communications Privacy Act, which regulates the collection, interception and usage of data passing between a person’s internet-connected computer and their internet service provider as well as advertising entities.
While all of these laws certainly have a purpose, they are, in general, not nearly as specific as GDPR, which addresses most every element of personal data usage. In a way, the stricter approach of GDPR simplifies matters relating to data and privacy in the business world, which is now decidedly global.
GDPR, clearly, is not a U.S. law, but it’s most certainly not something companies doing business abroad — basically any online business — can afford to ignore. In fact, it just might be the kicker that helps simplify and level the playing field for both companies and consumers who do business with those companies.
Post written by Greg Shepard, Forbes.Com
Serial AdTech and Martech entrepreneur, writer and speaker. CSO/CTO of Pepperjam, an AdTech performance marketing company