
EU General Data Protection Regulation: What You Need to Know (Part 4)

The new EU General Data Protection Regulation may not be particularly fast-approaching, but it will arrive with full force, and the digital industry's full understanding of its implications is imperative. Concluding a series of pieces on ExchangeWire looking at the new EU General Data Protection Regulation (GDPR), digital media consultant and ex-director of Regulatory Affairs, Nick Stringer, catches up with Iain Bourne (both pictured below) from the UK Information Commissioner’s Office (ICO) on the new law, what it means, and the preparation steps towards it coming into force.

Nick Stringer: What is the ICO view of the new EU GDPR?

Iain Bourne: The new law is now finalised and the priority for organisations will be to comply with it. The ICO’s priority – as a future Supervisory Authority [the new name for EU Data Protection Authorities] – will be to work with other Supervisory Authorities across EU markets to make sure the new law works as well as possible.

The Supervisory Authorities’ role is really important here as there were aspects of the text that were never satisfactorily finalised. For example: the attempt to introduce a ‘risk’ approach and to minimise the regulatory burden for low-risk SME-type organisations. I think that, because at the end of the legislative process everyone was so fatigued and also under a lot of pressure to get the GDPR agreed, there was a consensus that the text wasn’t perfect, but that the EU Supervisory Authorities would be able to make it work. The ICO is working hard on that right now, and also within the Article 29 Working Party [the collective group of EU Data Protection Authorities].

The GDPR deals with some things better than the current EU Data Protection Directive. It’s generally better on dealing with information that has been shared across a network – for example, getting an inaccuracy corrected across the piece (that was ICO best practice advice from several years back). The liability of data processors is also better, although it’s not clear whether we really need a data controller / data processor distinction anymore. Maybe most important is the issue of scope: the GDPR specifically links online identifiers with personal identification. Hopefully that will finally put to bed the old argument that when you use a cookie to identify a device you are really identifying just the device, not its user. Let’s move on from that way of looking at things.

Do you think the GDPR will meet its overall aim of encouraging innovation whilst protecting people’s privacy rights?

Again, a lot depends on how the EU Supervisory Authorities approach it. If the approach is too dogmatic, unrealistic, and inflexible then the GDPR could make it difficult for organisations that want to launch new products, especially pan-EU or globally targeted ones. Some believe that an overzealous approach to data protection has had a negative effect on the digital economy in some countries. However, on the positive side, I believe that people do want transparency and they do want appropriate choices at appropriate junctures in their online journeys. The GDPR provides a framework for delivering that, even if some of the detail is a little clunky. The GDPR’s stronger control and deletion rights are a necessary counterpoint to some of the ‘creepier’ products and techniques that are being developed all the time.

I think what data protection law has managed to do – through a gradual process – is to make organisations stop thinking ‘this is my information and I can do what I want with it’ and to think instead that ‘this is somebody else’s information – what would they want me to do with it’. That’s a big and positive change – and a real enabler of consumer trust and confidence.

What are the most significant changes from existing data protection law?

There are some specific things. For example: breach notification, appointment of Data Protection Officers (DPOs), stronger penalties, greater data processor liability, data portability (enhanced subject access), and rules for processing children’s data. However, the most significant changes are the broader themes. For example: stronger individuals’ rights, more emphasis on keeping compliance ‘paperwork’, a high standard of ‘positive’ consent, statutory recognition of the ‘privacy by design’ agenda, and a potentially quite challenging international consistency mechanism. However, the basic concepts and principles are much the same as under the current law; so companies that are complying OK with that should find the transition to the GDPR reasonably manageable.

What do you think these changes will mean for digital advertising?

Iain Bourne, ICO

In general, digital advertisers will have a lot to do in terms of crossing the T’s and dotting the I’s. However, at least the ‘responsibility of the controller’ aspect of the GDPR is really clear, in terms of presenting a long list of compliance duties that will have to be ticked off.

The revision of the ePrivacy Directive [aka ‘cookie law’] is yet to be finalised [by the European Commission]. A new version is meant to come into force at the same time as the GDPR (May 2018). What that says will have a major effect on how cookies are set and on how digital advertising is carried out. We hope that the ePrivacy Directive will align as far as possible with the GDPR – most obviously its consent standard. The GDPR standard of consent is already very high, and a super ‘gold-plated’ version for cookies could cause some real problems. We’ll have to wait to see what happens.

The networked information parts of the GDPR that I mention above will be significant in respect of complex systems – like an ad network – where a number of organisations work together, sharing information, to deliver content. Generally, there will be more emphasis on governance and accountability, and on all the organisations involved understanding their respective responsibilities and documenting this. Stronger individuals’ rights also mean that advertisers may need to be more responsive when, for example, someone objects to their personal information being used for marketing purposes.

This new law is pan-European, and its goal is a harmonised approach for citizens and businesses. What is the role of the ICO in achieving this?

First of all, remember that the GDPR is a regulation with direct effect, from May 2018, in the UK, and all the other EU countries. This should bring about greater harmonisation, even though there are still many areas where the UK can make its own arrangements. The GDPR also contains rather complex international co-operation and consistency provisions that can be triggered where an organisation operates across the EU. In short, this means the organisation will have a ‘lead’ EU Supervisory Authority, but that other ‘concerned’ EU Supervisory Authorities will have a say on how a complaint about the organisation is dealt with. The UK Supervisory Authority (i.e. ICO) will be the ‘lead’ for many international organisations; so our job will be to look at a case, come to a view, and then hope the other EU Supervisory Authorities concerned agree with our course of action. We hope the ICO’s traditional risk-based pragmatic approach prevails. However, there’s no escaping the fact that other EU Supervisory Authorities can have a very different approach to the ICO. Ultimately, it could all go to a vote of the new European Data Protection Board (EDPB) [The EDPB will be the new beefed-up Article 29 Working Party].

Nick Stringer, Digital Media Consultant

When will the new law come into force? What will the ICO be doing between now and then?

The GDPR will come into force on 25 May, 2018. The ICO has already produced a 12-step ‘what you can be doing now’ checklist for organisations. We are now working on a basic guide to the GDPR, setting out the main differences between the current and future laws. We will also be putting out guidance on the areas we think are of most immediate relevance. For example: individuals’ rights. We’ll also be working on the Article 29 Working Party work programme: it is doing work on ‘main establishment’, DPOs, ‘profiling’, and various other areas. It’s not entirely clear how national and EU-wide guidance fits together, but the ICO will do its best to ensure that there is a suite of clear and coherent guidance that answers the questions organisations keep asking us.

What should digital advertising businesses be doing now?

I refer to the ICO’s checklist for organisations. We’ll continue to publish advice and guidance on the GDPR and have developed a dedicated site.

Digital advertising has been at the forefront of the online privacy debate in the last few years. Has the sector done enough to give users greater control over their data?

The debate over behavioural advertising has been interesting – and Data Protection Authorities across Europe have taken very different approaches. I think we all need to get better at assessing the privacy risk. I think the industry has generally done well in terms of giving people ways of controlling what happens to their personal data. For example: for those people that don’t like behavioural advertising, there are ways of turning it off. I also think that the pop-ups and just-in-time techniques you’ve developed are more engaging and relevant to consumers than the long ‘t&c’ type privacy notices the GDPR requires. I think the industry is also getting better – generally speaking – at understanding where people do want to be notified and given a choice; and where they are happy for things to just run in the background.

My last thought would be that the GDPR may make you do some things that are of dubious consumer benefit, but this doesn’t stop you forging ahead and finding better ways of empowering the people on whose information your industry relies.