GDPR: key actions for advertisers

Following years of planning, it has finally come to this: just over 200 days to prepare and ensure your organisation is ready for the General Data Protection Regulation (GDPR).

Coming into effect on 25 May 2018, the new regulation will force all organisations to make significant changes to how they collect, process and store consumer data. Given the industry’s reliance on data, and the overwhelming fines for breaches, compliance is the only option for any company offering goods or services to EU consumers.

Despite this, the GDPR shouldn’t be regarded as another onerous chore. Rather than aiming for the minimum level of compliance, aim for the gold standard and use the process as an opportunity to get closer to your consumers.

So, with just six months left to go, what can and should advertisers be doing to ensure they don’t fall foul of the new rules?

Last week, over 90 members packed into ISBA HQ to hear how global organisations such as Google, GroupM, AppNexus and PwC are working towards compliance, both internally and with their clients. We also heard from James Snook, Deputy Director, Data Protection Policy at DCMS, while Harpreet Thandi of Ferrero and Jonny Maitipe of Nationwide provided insights from an advertiser’s perspective.

Insights and Actions from the Event:

Make use of available tools:

There are a number of tools available online to help organisations prepare and ensure their data is adequately protected.

  • Google Privacy Tools: Amanda Storey, Head of Retail, Travel and Data at Google, highlighted the suite of privacy tools available from the tech giant, including controls to allow companies to choose what data they share and how it is protected. These controls are available for both businesses and consumers.
  • Guidance: While there have been calls for further guidance, there are a number of excellent guides already available for ISBA members to access, including:
    • 5 Things every brand owner should know about the GDPR, WFA – available on request.
    • The Data Protection Network’s GDPR guidance, which ISBA and the DMA contributed to – available on request.

Ensure your contracts are GDPR ready:

ISBA will be re-launching our Creative Services Contract later this year. The updated versions will be amended to include new clauses related to the GDPR and will ensure all relevant services are fully compliant. For more information on this or any aspect of your contracts, please contact Debbie Morrison (debbiem@isba.org.uk).

Google has also planned to roll out new contracts relating to GDPR, making their terms consistent across products.

Questions to ask your vendor:

The role of technology should not be underestimated, and the tools you select will play a crucial role in determining whether you remain compliant or risk breaching the rules. With that in mind, six key questions were outlined at the event that all brands should be asking of their technology vendors:

  1. What personal data do you process? How? Why? How do you minimise use of it?
  2. Are you a Processor or a Controller? (See the Consultation on GDPR Guidance on contracts and liabilities between controllers and processors, which ISBA responded to.)
  3. Where you are classified as a controller, on what legal basis are you processing data?
  4. But what if consent is required? How are you prepared to handle consent?
  5. How are you managing data subject rights?
  6. How do you handle security and international transfers?

Stay on top of Profiling Issues:

On the issue of profiling, members can keep track of developments by tracking the opinions of the EU Article 29 Data Protection Working Party.

Review the Data Protection Bill:

During his keynote, James Snook, Deputy Director, Data Protection Policy, DCMS, discussed the Data Protection Bill, which confirms a new legal framework for GDPR to ensure that we are aligned with the Regulation in the UK. Further information about the DPB can be found here. However, if you have any specific questions regarding the bill that you would like to raise directly with Mr Snook and the DCMS, please contact me (davide@isba.org.uk).

Next Steps

ISBA will be following up with a further GDPR event (February 2018, details TBC), by which time Google will have provided more GDPR tools and rolled out new contracts relating to GDPR. The ICO should, by then, have published GDPR Guidance on Accountability and Consent.