What is GDPR?

The General Data Protection Regulation (GDPR) is a new EU regulation that will replace the 1995 European DPD (Data Protection Directive). The goal is to strengthen the level of protection involving personal data of all EU citizens and to hold organizations (that collect and process data) more accountable for their actions.

What is the territorial scope of GDPR?

ART. 3 of GDPR: “This Regulation applies to the processing of personal data in the context of the activities of an establishment of a controller or a processor in the Union, regardless of whether the processing takes place in the Union or not.” In other words, the GDPR is applicable to all the companies operating within the EU borders as well as for those, operating outside, the EU that offer services to individuals located in one of the EU member countries.

When will it go into effect?

The Regulation will go into effect on May 25th, 2018.

Who does the GDPR affect?

GDPR applies to all the companies that handle, transmit or store data of consumers residing within the EU borders.

What do personal and sensitive personal mean under GDPR?

Personal data refers to any piece of information through which a person can be, directly or indirectly, identified - such as name, identification number, location data. Sensitive personal data includes special categories of personal details relating to race, politics, culture, religion, genetics, biometrics or sexual orientation.

How can you determine if you are a controller or a processor?

A controller is defined as any company or organization that collects people’s personal data and determines how to process these data. A processor is any company or organization that processes the data on the behalf of the controller but does not decide what to do with the handled data.

How do you comply with the Regulation?

In order to comply with the Regulation, companies must review and update their privacy and data security policy to guarantee compliance within May 25th, 2018.

Which are the main implications for publishers?

Publishers have to understand if they are acting as controller or processor to identify their obligations. Secondly, they have to keep in mind the Cookie law, know as ePrivacy Directive, which handles privacy related to digital communication. It will not be revised and codified by the time GDPR will enter into force, meaning comply with both of them could be challenging. Publishers will have to keep an eye on their contracts and finalize them before the end of May. GDPR assigns different responsibilities to all the members of a supply chain. Dealing with non-compliant partners could negatively affect publishers’ relationships with their audience. Lastly, publishers will need to be crystal clear about the reasons behind data collection and processing: consumers will have to be informed before giving consent.

How does consent work? Can people withdraw their consent?

ART 6 of GDPR establishes that the data subjects (people living in EU countries) have to give consent to the processing of his or her personal data for one or more specific purposes. Consent will have to be explicitly given rather than assumed (this leaves no room for ambiguity), it has to be proven and the consumer can withdraw consent at their discretion.

Which are the main individual rights?

GDPR establishes seven main individual rights: the right to be informed, the right of access, the right to rectification, the right to erasure or to be forgotten, the right to restrict processing, the right to data portability, the right to object.

Which are the obligations of a company according to the GDPR?

Companies have to meet specific requirements established by GDPR as: - Collecting only information they need for specific purposes. - Obtaining explicit and given consent before processing data. - Ensuring data protection and avoiding a breach of personal data. - Allowing people to get access to information on request. - Removing personal data upon request, according to ART. 17 (right to erasure or to be forgotten).

How much is the fine for not complying with the Regulation?

Fines are determined by the nature and severity of the breach. - Failure in adhering to core principles of data processing, breach of personal data and rights, inappropriate transfer of personal data to other countries or organizations that do not ensure an adequate level of protections (ART. 44). → Maximum fine of €20M or $22M or 4% of global annual turnover from the previous year. - Failure in complying with technical and organizational requirements as impact assessments, breach communications and certifications (ART. 25,032, 33, 35). → Maximum fine of €10M or $11M or 2% of global annual turnover from the previous year.

What about data subject under the age of 16?

Parental consent is required in order to process personal data relating to people under the age of 16 (ART. 8). When the child is below the age of 16 years, processing will be lawful only if and to the extent that consent is given or authorised by the holder of parental responsibility over the child.

How can you understand whether or not you need a DPO?

DPO - an expert on data privacy who works as a representative for the controller and the processor to oversee GDPR compliance. In addition, DPO has an essential role in acting as an intermediary between stakeholders as data subjects, supervisory authorities, organizations). You need a DPO if: 1. You are a public authority and body, including government departments. 2. The core activities of your organization consist of data processing operations that require constant and systematic monitoring of people on a large scale. 3. The core activities of your organization consist of special categories of data or personal data relating to criminal records.

What are the lawful basis for processing?

According to GDPR, you must have a valid lawful basis in order to process personal data. This means you shall have a valid reason to continue collecting/processing of EU residents data as well as your processors. Lawful bases include explicit and given consent, contracts, legal obligations, legitimate interests, vital interests and public tasks.

What does prevent and report data breach mean?

Prevent and report personal data breach means you shall avoid: access by an unauthorized third party, deliberate or accidental action by controllers or processors, alteration of personal data without permission and loss of availability of personal data. Here are some suggestions to protect yourself, as a publisher, against data leakage: - Never allow SSPs to add partners without your consent. - Connect with your vendors and partners to inform them about your privacy policy. - Control and update your partners’ contracts to meet GDPR requirements. - Include all your vendors in your consent notice.