Advertising is Effective When it is Trusted: Handling Privacy Concerns in a Digital World

The General Data Protection Regulation (GDPR) is due to come into force in May 2018. Every organisation operating in the digital industry must make sure it is fully aware of what this means and how to be prepared for it. In this chapter of the serialisation of The Programmatic Handbook, published by the IAB UK, Yves Schwarzbart (pictured below), head of policy and regulatory affairs, IAB UK, details the privacy considerations of the GDPR and the focus on transparency and control for consumers.

The drive towards a more targeted and personalised advertising experience has – for some time – led users, regulators, and policymakers to pay increasing attention to the way companies treat people’s data, and rightly so.

Data-driven advertising models are at the forefront of the UK’s thriving digital economy. With this success come growing responsibilities and, as the sector continues to grow, so does one of its most important challenges: privacy.

Privacy is – by its very nature – a flexible concept that means different things to different people, let alone different generations. However, the concerns over privacy in the digital world are real and should be taken very seriously by everyone with a stake in our industry.

Advertising is effective when it is trusted. The industry, therefore, has an incentive to go beyond legal requirements to ensure people are comfortable with the way their data is used as the basis for a mutually beneficial relationship.

EU industry solution to provide greater consumer transparency and control 

Industry-wide solutions are already in place that seek to address some of the most pressing privacy concerns: notably, to give people greater transparency and control over the data used for interest-based and retargeted advertising.

The European initiative (often known as AdChoices) sets out good practice principles that seek to maintain pace with the fast-moving digital advertising market, so as to meet the needs of businesses and consumers in a global marketplace. For example, the initiative was recently extended to the mobile environment to ensure people have a consistent experience, regardless of the device that they are using.

Being part of the initiative is a ‘must’ for digital advertising businesses and those that show leadership now will benefit commercially in the long run. Privacy-enhancing solutions should be integrated into products to provide consumers with greater choice and control; and marketers should ensure that their ad technology partners are involved in this initiative.

EU behavioural advertising industry initiative ('AdChoices') 

Yves Schwarzbart, Head Of Policy & Regulatory Affairs, IAB UK

In 2011, the EU digital advertising industry published good practice principles aimed at giving consumers greater transparency and control over the data collected and used in behavioural or interest-based advertising. The EU initiative is aligned with near identical programmes in the US and Canada, aiming to achieve a global approach for both businesses and consumers. At the heart of the framework is an icon that appears in or around the ads on desktop and mobile. Consumers are able to find out more about the information collected and used for targeted advertising when they click on the icon. It also links to ways for users to manage their interests, such as via privacy dashboards or ad preference managers and, importantly, to a pan-European website now available in 26 different EU languages – www.youronlinechoices.eu. The site provides helpful advice to protect privacy in the digital world as well as a control page to turn off interest-based ads. The EU initiative is backed up by robust compliance and enforcement. This includes a new pan-European trust seal to demonstrate compliance to ad chain partners. The initiative has strong political support, including from the UK Government.

Further information is available at www.edaa.eu

The legal framework

The Data Protection Act 1998 (DPA) forms the cornerstone of the legal framework in the UK. The DPA is regulated by the Information Commissioner’s Office (ICO) and governs all organisations that collect and process personal data. According to the law, personal data means information that can: 1) by itself, or 2) in combination with other information, identify a living individual.

Compliance with the DPA is primarily based on eight good practice principles which any business in search advertising that processes personal data must follow. These stipulate that data must be:

  1. Fairly and lawfully processed
  2. Processed for the intended purpose
  3. Adequate, relevant, and not excessive
  4. Accurate and up-to-date
  5. Not kept longer than necessary
  6. Processed in line with individuals’ rights
  7. Kept secure
  8. Not transferred to non-EEA countries that do not possess adequate data protection rules (determined by the EU)

Organisations also have to be aware that the processing of sensitive data, e.g. health information or political orientation, is subject to stricter legal obligations (i.e. explicit consent).

Designed to complement the Data Protection Act, The Privacy and Electronic Communications (EC Directive) Regulations 2003 (PECR) lay out more comprehensive rules specifically for electronic communications. PECR derives from the EU ePrivacy Directive (more commonly known as the ‘cookie law’) and has posed key challenges for the digital advertising industry. The most prominent of these is the requirement to obtain consent for using all technologies – including, but not limited to cookies – that store information or gain access to information on a user’s device.

A look into the future – the GDPR, Brexit, and the future of the ‘cookie law’ 

It is common for laws to be adjusted to new realities. The most recent development in the field of privacy regulations concluded in April 2016 with the formal adoption of the EU General Data Protection Regulation (GDPR).

The GDPR may, in some cases, bring significant changes to the industry. For example, the new rules will likely bring more ‘advertising data’ into the ‘regulatory net’ by making clear that an online identifier can be personal data to reflect changes in technology and the way organisations collect information about people. The GDPR will also bring new challenges with respect to processing this data lawfully, e.g. by strengthening consent requirements.

The GDPR will apply directly to the UK from 25 May 2018; and Government has confirmed that the new law will be fully implemented in the UK, despite Brexit. However, the UK could seek to make adjustments to the new data protection framework once it has left the EU. In any case, what’s important for the industry is that the GDPR makes clear that – in almost all circumstances – companies that process the personal data of individuals based in the EU will have to comply with its rules regardless of where the business is located.

The EU has also recently published a proposal to update the ePrivacy Directive (the ‘cookie law’) to ensure it is aligned with the GDPR. It’s unclear what the final outcome will look like as the proposal will now have to clear the legislative process at EU level. However, it is important for the industry to monitor its progress closely, as it has the potential to increase future privacy challenges beyond those brought in by the GDPR, even in light of Brexit.

The IAB continually updates its concise fact sheets on these issues and has recently issued a detailed briefing for members on the GDPR.

Five things to do to prepare for May 2018

1. Get GDPR proficient: Familiarise yourself with the new rules and what they might mean for your organisation. Raise internal awareness: changes are likely to be needed. It’s also important to record all the work you are doing to prepare for the GDPR as it places a big emphasis on accountability.

2. Designate a responsibility lead: Assign responsibility for transitions to a member of staff within your organisation. They should bring together key departments / teams and have senior buy-in. They should also be allocated budget and resources for an assessment and any solutions required.

3. Develop a compliance roadmap: Take stock / assess current practices, technologies and workflows, as well as any existing privacy solutions (e.g. AdChoices).

4. Engage with key trade bodies: The ICO suggests keeping engaged with key trade bodies, such as the IAB, as it will be working closely with them in the implementation of the GDPR.

5. Follow your local Data Protection Authority (DPA): They will be a valuable source of guidance. For example, the UK ICO has a dedicated section of their site for the GDPR – www.dpreform.org.uk