One of the most pressing topics at this year’s Adexchanger Programmatic I/O was Europe’s General Data Protection Regulation law (GDPR). On May 25th, 2018, GDPR—the biggest change to data privacy in over twenty years—will be widely enforced.
GDPR was created to regulate the collection, processing, use and storage of every EU citizen’s personal data. It will require organizations to obtain consumer consent for the use of their data, give consumers the ability to “be forgotten”, notify of breaches within 72 hours, and more. In doing so, it is meant to bring transparency and trust to the digital market by putting control of an individual’s personal data back in the hands of the individual.
While GDPR is a European regulation, it will not limit itself to Europe. Wherever your organization is located, GDPR will most likely affect how you collect data. The following are a few basic questions to consider before the May 25th enforcement date.
Is your company affected?
The answer to this comes down to whether your company collects personal data from EU citizens. According to Article 3 of GDPR, an organization—regardless of location—collecting the personal data of an individual in the EU must comply with GDPR.
What is “personal data”?
GDPR defines personal data as information relating to an individual who can then be directly or indirectly identified through said information, whether that be by a name, ID number, location data, online identification, or by physical, physiological, genetic, mental, economic, cultural, or social identity.
A few examples of personal data include:
- Identity information (name, address, ID number, etc.)
- IP address, geolocation, cookie data
- Health data
- Political data
What’s next? How do you continue to responsibly collect data?
GDPR aims to bring transparency and trust back into the digital market. Therefore, as of May 25th, 2018, in order to collect data an organization will have to gain the consent of each individual user from whom it collects data.
While it remains unclear whether consent must be ‘opt-in’ or can be implied through a notice and continued use, a few parameters are more clear-cut. These include:
- Being able to show how consent was gained
- Clearly informing the user of the purpose for the collection
- Providing the ability to “be forgotten” at any time
On May 25th, 2018, GDPR—the most important change in data privacy regulations in over twenty years—will be widely enforced. If an organization fails to comply, the EU warns of fines of up to €20 million or 4% of an organization’s annual global turnover. Whether your company is located in the EU or anywhere else in the world, you may be affected by this change.