The deadline for complying with the EU’s GDPR (General Data Protection Regulation) is rapidly approaching as the law comes into effect on May 25, 2018. The GDPR harmonizes data privacy laws across the European Union, and lays down mandates for how companies collect, store, delete, alter and otherwise process the personal data of EU citizens. After the enforcement date, organizations in non-compliance will face heavy fines.
The GDPR replaces the previously existing Data Protection Directive 95/46/EC and is intended to protect the data privacy of all EU citizens and to reshape how organizations approach data privacy to ensure that protection.
The biggest change relates to the extended jurisdiction of the GDPR, which applies to all companies that process the personal data of data subjects in the EU, regardless of the company’s location. According to the official website, “The GDPR will also apply to the processing of personal data of data subjects in the EU by a controller or processor not established in the EU, where the activities relate to: offering goods or services to EU citizens (irrespective of whether payment is required) and the monitoring of behaviour that takes place within the EU.” Significantly, non-EU businesses that process EU citizens’ data “will also have to appoint a representative in the EU.”
The penalties for those in breach of the new regulations are significant: a tiered approach to fines, with the maximum being up to 4% of annual global turnover or €20 Million (whichever is greater). This is the fine for the most serious infringement, for example, violating the core of Privacy by Design concepts, or not having sufficient customer consent to process data. The rules apply to “both controllers and processors – meaning ‘clouds’ will not be exempt from GDPR enforcement”.
The regulations focus on the rights of the data subject and include Breach Notification, Right to Access, Right to be Forgotten, Data Portability and Privacy by Design. Crucially, in terms of consent, “it must be as easy to withdraw consent as it is to give it”.
According to Digiday, many in digital media are treating the new regulations as “a giant game of hot potato, as clients want agencies to assume risks, while agencies insist publishers assume them, and publishers then do the same to tech vendors”. Under the GDPR, the businesses most liable for fines are “data controllers” as they are the originating source of the consumer data.
This means that publishers are first in the line of fire, as are advertisers that operate websites which use first-party customer data. Ad tech vendors can be a mix of the two, but in either case they’ll need to ask for customer consent to use publishers’ and advertisers’ data.
Contracts are being rapidly updated on both sides of the Atlantic as publishers renegotiate contracts with ad tech vendors, guaranteeing the publisher compensation if the vendor has caused the problem and the publisher is fined, while also requiring the vendor to prove it is GDPR-ready. In turn, the biggest ad vendors are pushing their own GDPR-specific contracts to sub-contractors. Experts in the industry predict that smaller ad tech vendors won’t necessarily have the funds to pay publishers if they are found in breach, and that this will likely lead to consolidation in the ad tech market. Meanwhile, agencies are trying to push the liability back to the data source: the publisher.
Who will be able to dictate contractual terms to whom? It’s likely that size will be the main determinant of GDPR readiness; yet in the long run, the two sides will need to find a middle ground over liability and each accept some share of responsibility in the rapidly approaching era of GDPR.