The EU has approved new data protection rules today that could see companies that breach them fined up to €20 million or four percent of global revenue. While the new regulations – known as the General Data Protection Regulation (GDPR) – apply to all businesses, they will have a significant impact on the European publishing and advertising industry. However, affected companies will have two years to comply with the new regulations. Speaking at an AOP event in London today, Nick Stringer, a digital media consultant and chair of the European Interactive Digital Advertising Alliance (EDAA), said that the new rules are ‘one of the most significant developments of the Internet age’.
Simon Morrissey, who heads up Lewis Silkin’s data protection practice, said that the new rules would have a much greater impact on non-EU technology companies who are doing business in Europe.
The new rules include provisions on:
a right to be forgotten
“clear and affirmative consent” to the processing of private data by the person concerned
a right for citizens to transfer their data from one service provider to another
the right to know when your data has been hacked
ensuring that privacy policies are explained in clear and understandable language
stronger enforcement and fines up to four percent of firms’ total worldwide annual turnover, as a deterrent to breaking the rules.
Stringer said the regulations presented both challenges and opportunities for data-driven digital businesses, particularly for publishers, but said that the GDPR should be viewed as an ‘opportunity to build good privacy practice into publishing businesses’.
In the UK, the Information Commissioner’s Office (ICO) has issued the following guidelines (quoted verbatim) for companies wishing to comply with the GDPR, noting that many of the practices companies currently use will help them comply with the new legislation:
You should make sure that decision makers and key people in your organisation are aware that the law is changing to the GDPR. They need to appreciate the impact this is likely to have.
Information you hold
You should document what personal data you hold, where it came from and who you share it with. You may need to organise an information audit.
Communicating privacy information
You should review your current privacy notices and put a plan in place for making any necessary
You should check your procedures to ensure they cover all the rights individuals have, including how you would delete personal data or provide data
Subject access requests
You should update your procedures and plan how you will handle requests within the new timescales and provide any additional information.
Legal basis for processing personal data
You should look at the various types of data processing you carry out, identify your legal basis for carrying it out and document it.
You should review how you are seeking, obtaining and recording consent and whether you need to make any changes.
You should start thinking now about putting systems in place to verify individuals’ ages and to gather parental or guardian consent for the data processing activity.
You should make sure you have the right procedures in place to detect, report and investigate a personal data breach.
Data Protection by Design and Data Protection Impact Assessments
You should familiarise yourself now with the guidance the ICO has produced on Privacy Impact Assessments and work out how and when to implement them in your organisation.
Data Protection Officers
You should designate a Data Protection Officer, if required, or someone to take responsibility for data protection compliance and assess where this role will sit within your organisation’s structure and governance arrangements.
If your organisation operates internationally, you should determine which data protection supervisory authority you come under.