EU General Data Protection Regulation: What You Need To Know (Part 1)
by Lindsay Rowntree on 21st Mar 2016 in News
In the first of a series of pieces, ExchangeWire explores the new EU General Data Protection Regulation (GDPR). With contributions from leading industry experts, to understand the details of this new regulation, this series investigates what it means for businesses in the advertising industry. To kick things off, Nick Stringer (pictured below), chair, European Interactive Digital Advertising Alliance (EDAA), provides the background of the GDPR and data protection in the EU. Stringer specialises in regulatory affairs and public policy and was formerly director of regulatory affairs at the IAB UK.
Innovations in technology bring new ways to collect, exchange and use data across connected platforms and devices in the quest to deliver more efficient and effective marketing. This means that data-driven digital businesses (particularly third parties) will always be at the forefront of the privacy debate: amongst industry, with policy makers and regulators, with privacy advocates and civil society campaigners and, most importantly of all, with citizens. After nearly four years of debate and discussion, Brussels legislators are updating European data protection law. The new EU General Data Protection Regulation (GDPR) will introduce new obligations for advertising businesses, forcing them to get smarter about how they go about things, and placing privacy at the heart of their operations. The challenges will introduce new opportunities, but it’s clear that things will need to change.
Busting the myths
This piece marks the first in a series of articles by commentators on the new Regulation for ExchangeWire readers. Even after four years in the making, there are still some areas of ambiguity and, as a result, there is a fair amount of confusing and misleading information. As a result, this series will provide an overview of the new law, its key obligations, and what it means for digital marketing. It will explore the latest developments, as we move towards the new Regulation's enforcement; and it will provide some steps on what you can do now to prepare. The series will culminate with a Q&A session with the Information Commissioner’s Office (ICO), the regulator that will enforce the new rules in the UK.
Some background
The new Regulation seeks to build on the existing legal framework (the UK 1998 Data Protection Act, which remains in force for now) that governs the processing of personal data. Its goals are to ensure people’s information is protected when it is used and that organisations have clear rules and a legal base when collecting and using personal data. The Regulation seeks to update this legal framework to account for the digital world that we live in today, where vast swathes of data are collected, exchanged, and used every second. Remember: the 1995 European Data Protection Directive (which became the 1998 UK act) was written in the dial-up internet era.
The ICO reiterates that, because the new Regulation builds on existing law, it won’t be ‘Data Protection Year 0’ for some businesses. However, for many advertising businesses, this will be new; particularly as the scope of the new Regulation is expected to include their data processing activities, whether or not it directly identifies an individual. This will introduce new obligations in addition to the revised ePrivacy Directive (aka ‘the cookie law’) which remains in force for now. The European Commission is revisiting this, as it will need to align with the new Regulation.
But, unlike the revised ePrivacy Directive, the new Regulation will apply consistently across EU markets, although there are areas that may be different across markets. The new Regulation is also, in effect, global – if an organisation is processing personal data about a citizen who is in the European Union, then the new Regulation will apply regardless of where the business is located.
Devil is in the detail...
The new Regulation hasn’t actually been formally adopted. This is expected soon, although it won’t come into force until two years and 20 days after this. So, we’re looking at mid-2018. But it’s not too early to start thinking about the changes needed, and this series of articles will explore the devil in the detail and hopefully help organisations on this journey.
Follow ExchangeWire