Blog Post By: Scott Burton

Meet The GDPR, Europe’s New Privacy Law


The GDPR is coming. What is it, and why should you care?

 

What is it?

The GDPR (General Data Protection Regulation) is a new set of privacy rules adopted by the European Union. It applies from 25 May 2018.

The text of the GDPR itself is quite lengthy and dense with legalese. There are some great breakdowns of the GDPR:

 

Will it affect those outside of the EU?

Yes it will. The regulation applies to anyone who collects or processes personal data about people in the EU, regardless of where the organization itself is based.

 

What’s the point of the GDPR?

The spirit of this legislation is to give people whose data is collected (“data subjects”) more visibility into how the organizations collecting it will use it. It also lets them see what was collected, take a copy of it, and have it deleted.

 

What is “personal data”?

Any information relating to an identified or identifiable person. This covers anything that identifies someone directly (name, email address) or indirectly (attributes such as hair color, gender or postcode that, combined with other data, single out one person), and anything that ties a unique person to a computer record, including IP addresses, cookie IDs and device identifiers. Anything you might consider a “dimension” in the data science context is potentially personal data; that’s the point.

 

What do I need to do?

If you run a business that collects personal information, here are the four MOST IMPORTANT things you need to do:

Get Consent

Where you rely on consent, require that each data subject positively confirm it, for example by ticking a box next to text like “I consent to you using this information in the following ways:”. The consent must be “freely given, specific, informed and unambiguous”. It can’t be buried in a longer document or pre-checked, and it must be a positive action (no confusingly worded boxes such as “Don’t not use my data”). You must record the consent (who gave it, when, what they were shown and what they agreed to) and be able to prove that you collected it. This applies to existing contacts as well as new ones: consent gathered before the GDPR only counts if it already met this standard. Note that consent is only one of the lawful bases the regulation recognizes; performing a contract with the person, meeting a legal obligation and legitimate interests are others, so not every use of data needs a checkbox.

Disclose

List the ways you will use the data in “clear and plain language” that is “clearly distinguishable from other matters.” This lives where a Terms and Conditions document would, but it is not one: the spirit of the law is that a layperson can understand it without a lawyer.

You should also list the recipients (or categories of recipients) of the personal data, including every processor you use, and specifically what data each one handles. This is a big one: potentially any third party involved in any operation, including storage, is affected. In practice that means disclosing database providers, cloud storage providers, analytics and email services, and so on.

As an example, here’s a list of third-party disclosures recently posted by PayPal.

Allow Visibility

Allow data subjects to see and download the data you hold about them. You need to be able to answer the question “do you have any data about me?” from anyone who asks, and to confirm the requester’s identity before answering, since handing one person’s records to an impostor is itself a breach. You have one month to respond (extendable by two further months for complex requests), but the process should be automated, fast, and self-service.

You also must make the data portable. The regulation asks for a “structured, commonly used and machine-readable format” but does not name one, which leaves room for chaos; I think it makes sense to watch what larger platforms like Facebook and Amazon do here.

Allow People To Be Forgotten

Allow users to stop being targeted by you. People may object to direct marketing (including profiling done for it), and you must stop. They may also ask that you erase their personal data, and you must comply within one month.

By “delete their data”, I don’t mean every record associated with the user. An online store is not required to delete sales records it must keep for tax or accounting purposes, for example. But it must remove or anonymize the personal identifiers and break the associations to personal records, so that what remains can no longer be linked back to the person.

This is probably the most onerous of all the requirements, as it potentially impacts every complex web application that has a notion of “users”: identifiers end up in backups, logs, analytics and third-party processors, and all of them have to be found. Keep an eye on this requirement, as practice here is likely to change.
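To make the “visibility” and “forgotten” requirements above concrete, here is an added example (not code from the original post or from HYFN): a minimal SQLite model of a store with a users table and an orders table, a subject access request that exports everything held about a person, and an erasure request that strips identifiers and consent while keeping the sales records. The table names, column names and sample rows are assumptions constructed for the demo. The user row also carries the consent flag, timestamp and the version of the notice the person saw, which is the record you need in order to prove consent was collected.

```python
"""
Added example, not from the original post: a minimal SQLite model of a store
with a users table and an orders table, plus a subject access request
(export everything held about a person) and an erasure request that strips
identifiers but keeps the sales records. Table names, column names and the
sample rows are assumptions constructed for the demo.
"""
import secrets
import sqlite3

SCHEMA = """
CREATE TABLE users (
    id                   INTEGER PRIMARY KEY,
    email                TEXT UNIQUE,
    name                 TEXT,
    consent_marketing    INTEGER NOT NULL DEFAULT 0,  -- 1 only after a positive opt-in
    consent_recorded_at  TEXT,                        -- when they agreed
    consent_text_version TEXT,                        -- which notice they were shown
    erased               INTEGER NOT NULL DEFAULT 0
);
CREATE TABLE orders (
    id               INTEGER PRIMARY KEY,
    user_id          INTEGER NOT NULL REFERENCES users(id),
    total_cents      INTEGER NOT NULL,
    shipping_address TEXT,                            -- personal data: goes on erasure
    placed_at        TEXT NOT NULL
);
"""


def open_demo_db():
    """Create an in-memory database holding constructed sample rows."""
    conn = sqlite3.connect(":memory:")
    conn.row_factory = sqlite3.Row
    conn.executescript(SCHEMA)
    conn.execute(
        "INSERT INTO users VALUES (1, 'alice@example.com', 'Alice Example', 1, "
        "'2018-05-25T09:00:00Z', 'privacy-notice-v3', 0)"
    )
    conn.execute("INSERT INTO orders VALUES (10, 1, 4999, '1 High St, Dublin', '2018-05-26T10:00:00Z')")
    conn.execute("INSERT INTO orders VALUES (11, 1, 1500, '1 High St, Dublin', '2018-06-01T11:00:00Z')")
    conn.commit()
    return conn


def export_subject_data(conn, email):
    """Subject access request: return everything held about one person as a
    plain dict (ready for json.dumps), or None if nothing identifiable is held."""
    user = conn.execute("SELECT * FROM users WHERE email = ? AND erased = 0", (email,)).fetchone()
    if user is None:
        return None
    orders = conn.execute("SELECT * FROM orders WHERE user_id = ?", (user["id"],)).fetchall()
    return {"user": dict(user), "orders": [dict(o) for o in orders]}


def erase_subject(conn, email):
    """Erasure request: remove identifiers and consent but keep the order
    history, so counts, totals and dates survive while nothing points at a
    person. Returns True if a user was erased, False if none matched."""
    user = conn.execute("SELECT id FROM users WHERE email = ? AND erased = 0", (email,)).fetchone()
    if user is None:
        return False
    uid = user["id"]
    # A random placeholder keeps the UNIQUE constraint on email satisfied
    # without storing anything derived from the real address (a hash of the
    # email would still be pseudonymous personal data, not anonymous).
    placeholder = "erased-" + secrets.token_hex(8) + "@invalid"
    with conn:  # one transaction: either everything is anonymized or nothing is
        conn.execute(
            "UPDATE users SET email = ?, name = NULL, consent_marketing = 0, "
            "consent_recorded_at = NULL, consent_text_version = NULL, erased = 1 WHERE id = ?",
            (placeholder, uid),
        )
        conn.execute("UPDATE orders SET shipping_address = NULL WHERE user_id = ?", (uid,))
    return True


def order_summary(conn):
    """The aggregate the store still needs after erasure: (order count, revenue in cents)."""
    row = conn.execute("SELECT COUNT(*), COALESCE(SUM(total_cents), 0) FROM orders").fetchone()
    return row[0], row[1]


if __name__ == "__main__":
    import json
    db = open_demo_db()
    print(json.dumps(export_subject_data(db, "alice@example.com"), indent=2))
    erase_subject(db, "alice@example.com")
    print(export_subject_data(db, "alice@example.com"))  # None: nothing identifiable is left
    print(order_summary(db))                              # (2, 6499): the sales records survived
```

The erasure keeps the user row (flagged erased) rather than deleting it, so the foreign keys from orders stay valid and the order history still aggregates correctly; what disappears is every field that could identify the person, including the shipping address on each order. In a real system the same sweep has to reach logs, backups and every processor you disclosed.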

 

Does The GDPR Affect AdTech?

Yes it does, but not all of the ways are obvious yet. “Targeting lists” or “CRM lists” contain personal identifiers (email addresses and phone numbers, hashed or not; a hashed identifier is still pseudonymous personal data), which are most certainly within the scope of the GDPR.

The GDPR defines two kinds of entities involved in the use of personal data: “controllers” and “processors”.

A “data controller” decides why and how personal data is processed; it is usually the party that captures it. Some examples:

  • Lead generation pages
  • Ecommerce sites
  • Web apps of all kinds (Facebook, etc.) that capture a “User” record

A “data processor” handles data on behalf of a controller, on the controller’s instructions, and performs an operation on it. “Operation” is purposefully broad (storage, analysis, transmission, deletion all count); some examples:

  • Managed advertising services
  • Facebook Ads
  • Any cloud database or storage provider
  • Any SaaS service where personal data is sent

As a data processor, HYFN is within scope of the regulation. There is also language in the regulation’s recitals saying that processing for “direct marketing” may be regarded as carried out for a “legitimate interest” of the controller, which could allow some marketing without consent, provided the controller’s interest is balanced against the rights of the person whose data was collected. The law is unclear about how far that goes, and it will almost certainly be tested in European courtrooms.

Facebook’s run at compliance was not met with universal agreement, and it’s expected that the GDPR will change ad targeting forever. If you’re in adtech, it’s important to watch this space closely.

 

There Are Many Unanswered Questions Still

We’re just at the beginning of understanding how the GDPR will affect us in the United States, and the Facebook and Cambridge Analytica affair shows that regulation may be coming to our shores as well. Asian countries may also adopt whatever the West settles on.

HYFN is dedicated to guiding businesses through uncertainty in the digital world. Bookmark this page for ongoing updates on GDPR compliance, privacy regulation in the US, and more.

 
