When the EU’s General Data Protection Regulation (GDPR) goes into effect on May 25, 2018, the impact on digital media and publishers will be significant. GDPR intends to strengthen and unify data protection for individuals and to give them more control over the way their data is collected and used.
Who does GDPR apply to?
GDPR applies to any company that processes personal data of data subjects in EU member states, even if the data subject is not an EU citizen. It also applies to the processing of Europeans’ data, even if the company that processes the personal data is outside of Europe.
The 7 top things publishers should do to prepare for GDPR:
1. Appoint a Data Protection Officer (DPO). While a DPO is required for certain organizations, such as public authorities, those that systematically monitor individuals on a large scale and those that process special categories of data such as health or criminal records, appointing a DPO is a good idea for any organization that GDPR applies to. This individual can help spearhead the effort, get the company organized, and take responsibility for compliance. If your organization doesn’t need a DPO, it is still worth designating an internal owner to drive the other best practices we note below.
2. Build awareness within your organization. Once you identify a DPO, they may want to consider building out a cross-functional task force that will help them build awareness throughout the company. You can read about SpotX’s here. Given the broad-reaching impacts of GDPR and that it covers everything from customer to employee data, it’s key that people throughout your organization, particularly those who handle personal data, are trained on the regulation and can push each of their respective departments toward compliance. The more people you have actively thinking about GDPR, the more likely you are to cover all of your bases and be in compliance come May.
3. Understand data subject rights. Data subjects are granted substantial rights under GDPR. To ensure your policy and procedures adhere, start by understanding their rights. As it relates to personal data, among others, GDPR gives data subjects the right to:
- be informed of the data you collect on them and how you use it
- access the data
- rectify in case of incorrect data
- erase the data
- restrict processing
- object to the collection and processing
- port data to another platform
- not be subject to automated decision-making including profiling
4. Conduct privacy impact assessments. GDPR mandates that data controllers perform privacy impact assessments (PIA) in instances where data processing is likely to result in a high level of risk to the data subject’s rights. If you think you might fall into this category, be prudent and start prepping for it early. PIAs can be PIAs; we get it.
5. Conduct a data audit. Now that you have your organization trained up and you understand the specifics of the regulation, you’ll need to investigate and document all the personal data you hold, including where it came from, how you process it, how you store it, how long you store it, who you share it with, and how you transmit the data. GDPR requires you to maintain complete records of your processing activities and to be able to show how you comply with the data protection principles, so document as you audit.
6. Conduct a gap analysis and create your compliance roadmap. With complete understanding and documentation of your current policies and procedures for interacting with personal data, you’ll need to identify what changes you’ll need to make to comply with the regulation. Even if you’ve already solicited consent from your customers, you will likely need to get customers to re-consent to comply with GDPR. Some of the key areas you may need to address include:
- Determining how you will comply with access requests. Data subjects have a right to request access to the personal data you are processing on them. You will need to set up systems to provide that data to them within one month. If you believe your organization may need to handle large volumes of these requests, think about putting automated systems in place that allow data subjects to easily access this information online.
- Identifying which lawful basis you will use to process personal data. You’ll need to determine which of the six lawful bases qualify you to process personal data. Some individuals’ rights will be modified depending on your lawful basis for processing their data, so it is best to do this early so that you have time to reach full compliance.
- Updating privacy policies and communicating privacy information. Review your current privacy notices and identify changes that you will need to make. For example, under GDPR you’ll need to detail your lawful basis for processing the data and to provide detailed information on how you handle users’ data in concise, easy to understand language. Most of us currently have privacy disclosures written in legalese that will likely need to be simplified to comply.
- Considering how you will handle children. GDPR will bring in special protection for children’s personal data. If you suspect that traffic on your site originates from children (defined as those aged 15 or younger) in the EU, you may need their parent or guardian’s consent to process their personal data lawfully.
- Providing data portability. Controllers need to provide data subjects with the ability to port or move their personal data to other controllers. Yep, you are reading that correctly. If the data subject wants to stop consuming the content/service you offer on your site or app and move to a competitor, you have to provide them with the means to do so. You can either provide an exportable format that other controllers could ingest, or set up an automated means of transferring data between controllers that doesn’t require the data subject to act as an intermediary.
- Implementing a method of handling data breaches. You will need to have procedures in place to detect, report and investigate a personal data breach if one were to occur. You’ll also be required to disclose such incidents to the supervisory authority within 72 hours of becoming aware of the breach. In the most severe cases, you’ll also need to notify the data subjects individually with information on the incident, which personal data items were affected, and how you plan to address the breach.
7. Identify a lead authority. Now that you have a solid roadmap in place for compliance and are feverishly working towards the May deadline, you may want to identify a lead authority that you will interact with. While this is not required, it may streamline and simplify your interactions with the authorities. If your organization only operates in a single EU member state, you will use that state’s authority. If, however, your organization operates in more than one, it may be helpful to determine who your lead data protection supervisory authority will be. This is based on where your main establishment is in the EU: the lead authority is the supervisory authority of the member state in which that main establishment is located.
Want to learn more about GDPR? Check out the rest of our series:
- SpotX’s GDPR Task Force
- What is GDPR? What You need to Know about Ad Tech and the General Data Protection Regulation
- GDPR: Top 7 Things Publishers Should Do to Protect Themselves
- How US Based companies should be thinking about GDPR
- Why US companies should care about PII, non-PII, and Personal Data
- What is ‘Privacy by Design and Default’ and how can it help me make tough choices in a post-GDPR world?
- How GDPR will tighten Google and Facebook’s grip on global advertising dollars – Isn’t it ironic?
- Vlog: Senior Product Manager, Jessica Berman Speaks on GDPR
Leah Brite, Director, Product Marketing