ISBA GDPR Guidance
ISBA has published a series of member-only Guidance notes on the GDPR, which have been designed to provide brands with a highly accessible overview of the key principles of the law in a marketing context.
The Guides cover four key areas of the regulation:
- GDPR: The Essentials - an overview of the key areas of the GDPR for marketers and what they mean in practice.
- GDPR: Accountability - insights on relevant issues such as privacy by design, privacy notices, vendors and contracts, and consent.
- GDPR: Profiling - an overview of the concepts of Profiling and Automated Decision-Making under the regulation.
- GDPR: Consent - a look at how consent works under the Regulation and what it means in practice.
Produced in conjunction with Bristows, the Guides will be updated as industry best practice emerges. All four Guides, plus further GDPR resources, are available to download via the documents tab above.
ISBA/IPA GDPR clauses for contracts
ISBA and the IPA have worked together to create suggested GDPR clauses to be used as a variation addendum to client/agency contracts. The suggested clauses represent the minimum requirements in the creation of a Data Processing Agreement (DPA) as required by GDPR. There must be an agreement between the parties and it must contain certain contractual obligations imposed on the data processor. A DPA can be created either as a separate agreement or can be included within an existing client/agency agreement.
There are two versions, one for ‘data light’ contracts and a second for ‘data heavy’ contracts. Terms can be used to create a DPA for new appointments which come into effect after May 25th 2018; or for existing relationships in force after 24th May 2018 where a variation addendum to the contractual terms can be created.
The Rights of Data Subjects
With the new GDPR comes a range of new rights for data subjects. The regulation changes how subjects are to be notified about breaches, their right of access to the personal data that has been processed and how it is being used, and the conditions for erasure (the Right to be Forgotten).
Privacy by Design
The GDPR introduces ‘privacy by design’ as a legal requirement, meaning that data protection measures must be included ‘from the onset of the designing of systems, rather than an addition.’
What do advertisers need to know?
- Impact: While the GDPR will have a significant impact on digital advertising, it is not the only marketing function that the Regulation will affect. All marketing that uses consumer data now comes under its scope.
- Scope: All data will now fall within the scope of the new law and will be called ‘personal data’. For digital advertising, all data processed is expected to fall within the Regulation.
- Processing Personal Data: The Regulation allows for several ways to process or collect personal data. One option is with the “unambiguous” consent of the user; another is when it is in the “legitimate interests” of the organisation processing the personal data. Preventing fraud and direct marketing are considered legitimate interests.
- Profiling: People will have the right not to be subjected to profiling or the “automatic processing of personal data” where it may cause “legal effects” or similar effects (i.e. refusal of a credit application).
- Fines: Regulators will be able to fine organisations up to 4% of annual global turnover in the event of a breach.
What about Brexit?
Despite the many uncertainties surrounding Brexit, one thing is for sure: the GDPR will still be implemented in the UK in May 2018, and all organisations should continue their preparations to comply with the regulation.