GDPR Compliance Guidelines: 9 Data Protection Commandments
- What is GDPR (general data protection regulation)?
- The good the bad and GDPR: the overview of the industry
- GDPR best practices: consent reliance
- 1. Check your privacy notices
- 2. Document the use of personal data
- 3. Refresh the consent
- 4. Pay attention to children’s safety
- 5. Make your team a part of it
- 6. Ensure the individuals’ rights practically
- 7. Prepare the GDPR lawful basis
- 8. Prepare scenarios against data breaches
- 9. Assign a data protection officer
- Wrapping it up
May 25, 2018 is the official GDPR compliance date, when the new General Data Protection Regulation rules will finally come into effect. This date will become the biggest opportunity for many companies to strengthen their image, while for others GDPR data protection might signify serious restrictions and fines that may lead to total business termination.
While large businesses hectically tailor their daily practices to reach GDPR compliance in time, small and medium-sized companies and start-ups may stay oblivious of GDPR data protection demands or doubt that the data protection directive applies to them at all. According to Netsparker's data, 48% of US companies along with 20% of EU-based ones still have no idea whether GDPR compliance should be their topic of concern this year.
What is GDPR (general data protection regulation)?
The General Data Protection Regulation is part of the EU data protection reform adopted in April 2016 by the European Commission. It strengthens existing rights and gives citizens more control over their personal data when it comes to such fundamental rights as:
The right to access personal data. The very moment GDPR data protection comes into effect, every user can freely request a full copy of their personal information from the company's servers.
The full GDPR overview makes it clear that the company will have to explain in detail the mechanisms of information processing, all the purposes the data will serve, and the third parties it might be shared with. Upon reading the regulation, it will be up to users whether they choose to provide consent for processing their data.
The right to be erased. According to GDPR requirements, users can withdraw the consent they provided for data processing at any moment they deem relevant. In addition, for the sake of user convenience, user data should now be totally portable or transferable.
The good the bad and GDPR: the overview of the industry
GDPR key requirements affect any business that operates in Europe or processes the personal data of EU citizens. All data controllers and processors dealing with EU residents' information are required to have an official representative in the EU, regardless of their location.
For instance, by moving its international office from Ireland to California, Facebook released its non-European users from GDPR compliance accountability.
Though it still takes tens of millions of dollars to update technologies and hire staff and data protection officers responsible for GDPR compliance, at Google, Facebook, Amazon, and other large corporations GDPR implementation goes much more smoothly than it can for small companies that don’t have sufficient resources.
The data subject is also sustenance for ad tech; without it, companies simply won’t be able to target appropriate customers on the appropriate web sources.
Obtaining personal consent might be borderline impossible, given that each impression is a product of collaboration with dozens of third parties who need to adopt GDPR compliance as well.
Companies will naturally be pushed to select only GDPR-compliant partners, and those who refuse to join EU general data protection will eventually have to shut down or be penalized by the supervisory authority with up to 4% of their annual turnover.
GDPR best practices: consent reliance
GDPR means that the strictest period of market regulation must be expected right after the new law becomes active. Still, as stats show, a good half of those advertisers and publishers who claim to be already GDPR compliant do not always understand whether they’re responsible for capturing consent.
There is a reliance on publishers and advertisers to obtain the consent correctly, according to the GDPR guide:
To ensure GDPR compliance, companies need to take a number of technical and organizational measures that include 9 essential steps:
1. Check your privacy notices
When you decide to collect personal data, you have to make it clear to people who you are and how you’re going to process their data; only then does your policy conform to GDPR basics.
2. Document the use of personal data
Data protection authorities suggest that, to fulfill the GDPR guide requirements, you need to constantly maintain records of your processing activities, documenting everything about users’ data:
- what personal data you hold
- where it came from
- who you share it with
Be ready to organize a data privacy audit in your organization or in particular business areas.
3. Refresh the consent
Before GDPR implementation, check your existing consents and update them if they don’t meet the GDPR standards. GDPR guidelines do not oblige the company to rewrite the DPA consents automatically; you just need to check whether they correspond to the GDPR guidance.
4. Pay attention to children’s safety
GDPR means to bring specific protection for children’s personal data, especially in the context of commercial internet services such as social networking. Assign your tech specialist to implement age verification solutions and parental consent for any data processing activity.
5. Make your team a part of it
Ensure the GDPR is explained in every department of your company to every single employee. For proper data security management, check your organization's risk register and add all appropriate steps caused by the law changes to your general work plan.
6. Ensure the individuals’ rights practically
Make sure the theoretical foundations of the following GDPR guidelines are fully embodied in your service functionality:
- the right to be informed about data breaches in 72 hours;
- the right to access and manage personal data;
- the right to erasure;
- the right to restrict processing;
- the right to transfer personal data;
- the right to object;
- and the right not to be subject to automated decision-making including profiling.
7. Prepare the GDPR lawful basis
If you want to deal with EU citizens’ personal data in compliance with the GDPR, you have to identify the lawful basis for your processing activity, document it, and update your privacy notice to explain it.
8. Prepare scenarios against data breaches
GDPR key requirements strongly recommend notifying the users within 72 hours if a data leak or a cyberattack has occurred.
The data protection directive also states that you should be able to effectively detect, report, and investigate data breaches; companies that fail to report a breach will be fined according to the data protection law.
9. Assign a data protection officer
A data protection officer is an in-house information security professional who is responsible for GDPR data protection on the company level.
A data protection officer must know all essential procedures of data storage and transmission and carry out the implementation of data protection in full accordance with GDPR compliance.
SmartyAds believes that GDPR compliance is one of those things that will dramatically change the digital advertising sphere and undeniably increase the level of personal data protection for the EU citizens and in the world as a result.
Taking GDPR commitment as an early aim, we fully modernized our technology and products to meet the GDPR data protection framework before the deadline, presenting a picture-perfect service quality with impeccable data security for every single publisher, advertiser or partner.
Wrapping it up
Only days are left before the data protection directive officially comes into force, challenging mainly those who still haven't prepared. Do not underestimate the procedure: failing to reach GDPR compliance may result in huge fines that only large enterprises can afford to pay.
If your current procedures cover the rights described in the DPA (the previous legislation), then the transition to GDPR compliance should be relatively easy.
Looking at data protection law from the right angle makes it easy to understand that the right approach to EU general data protection can give a business a competitive advantage and position it as a company that makes data privacy for every customer the highest priority.
Irina Kovalenko, CMO of SmartyAds