GDPR mayhem: now what?

This past Friday, 25 of May 2018 everyone woke up to a great hype – GDPR law came into force.

 

Many blogs and outlets have warned us about it, but what does it actually mean and what’s to come now for businesses, affiliates and natural people? Let’s talk all the details and nuances.

 

What is GDPR and how to come about it?

 

GDPR or General Data Protection Regulation replaces the previous Data Protection Directive 95/46/EC. It is a law targeting data processing by an individual, a company or an organisation of personal data relating to individuals within the EU and its Economic Area (EU member states + Croatia, Iceland, Liechtenstein and Norway) as well as the export of personal data outside the EU and EEA. It aims primarily to give citizens and residents control over their personal data and make the regulatory environment for international business  easier by unifying the regulation within the European Union.

 

“The twofold aim of the Regulation is to enhance data protection rights of individuals and to improve business opportunities by facilitating the free flow of personal data in the digital single market.”

 

You can read the full text of the regulation here

Or watch a 2 minute long video compiled by BBC

 

What is considered personal data?

 

According to the European Commision website, personal data refers to: “any information that relates to an identified or identifiable living individual. Different pieces of information, which collected together can lead to the identification of a particular person, also constitute personal data.”

 

It’s also quite important to note, that the law protects all personal data regardless of the technology used for processing and storing (so, both manual and automated processes from IT systems and video surveillance to paper)

 

Examples of personal data

 

• a name and surname;
• a home address;
• an email address such as [email protected];
• an identification card number;
• location data (for example the location data function on a mobile phone)*;
• an Internet Protocol (IP) address;
• a cookie ID*;
• the advertising identifier of your phone;
• data held by a hospital or doctor, which could be a symbol that uniquely identifies a person.

“This Regulation applies to the processing of personal data wholly or partly by automated means and to the processing other than by automated means of personal data which form part of a filing system or are intended to form part of a filing system…regardless of whether the processing takes place in the Union or not…”

 

However, it doesn’t apply to individuals using data for personal reasons or activities carried out in one’s home or in the course of an activity which falls outside the scope of Union law, but once personal data is being used outside the personal sphere (e.g. socio-cultural or financial activities) law must be respected.

 

What does it mean for affiliates?

 

Regardless of the you generate traffic as an affiliate this law may heavily affect your business as the consumers data (the information affiliate industry heavily relies on) that wasn’t considered personal data, now may classify as such under the updated GDPR regulation.

“Natural persons may be associated with online identifiers […] such as internet protocol addresses, cookie identifiers or other identifiers […]. This may leave traces which, in particular when combined with unique identifiers and other information received by the servers, may be used to create profiles of the natural persons and identify them.”

“The GDPR explicitly allows any data processing that is strictly necessary for the service – but using the data additionally for advertisement or to sell it on needs the users’ free opt-in consent,” said European Center for Digital Rights, or simply NOYB in a statement.

 

What now?

 

There are several way to come about it and some of them are already gathering a laughing crowd sharing freshly made memes on twitter.

As established earlier, the law is implied to give more power to the “data subjects” or to your clients/customers/natural people.

“The  data subject  shall have the  right not to be  subject to a decision  based solely on automated processing,  including profiling, which produces legal  effects concerning him or her or similarly significantly affects him or her.” In an accusation of breaking the GDPR Facebook and Google faced on day ONE, NYOB leading activist, lawyer Max Schrems said: “Many users do not know yet that this annoying way of pushing people to consent is actually forbidden under GDPR in most cases.”

This means businesses can still collect information as they did before, however now, they will require legal basis to process personal data. You can find details of all the legal bases here.

That’s why you have probably been bombarded with “We have updated our privacy policy/terms of service/terms and conditions in accordance with the new regulation, please review them…” messages from every social media/website you have a set up account on.

Oh, and the “I agree” checkbox is not allowed anymore.

YES, it’s everywhere.

 

 

Moreso, even though GDPR is not retroactive, the “data subject” (any natural person) has a right “to be forgotten” and request their personal data to be erased without undue delay.

“Where personal data are processed for direct marketing purposes, the data subject shall have the right to object at any time to processing of personal data concerning him or her for such marketing, which includes profiling to the extent that it is related to such direct marketing.” In case of objection to processing, any personal data should be removed or not used for direct marketing upon request especially if:

• this data has been made public
• is either no longer necessary to the purposes for which they were collected or processed
• has been unlawfully processed
• the “data subject” withdraws consent

 

The Cookie Law

 

As mentioned above, GDPR considers cookie ID and emails to be personal data. Moreso, the ePrivacy Directive, perfectly coexisting with the new law, adds SMS and calls under the umbrella of marketing consent. However, the ICO has made it clear that for “cookies and similar technologies” full user consent is required. Thus, the ePrivacy Directive remains in place regardless of the legal basis used for processing personal data. Simply put, publishers should be reviewing their consent mechanisms along with ICO guidance and making changes accordingly.

The advertising industry’s transparency and consent framework

Compiled back in April, this framework is targeted towards the “first parties” aka publishers, online service suppliers, with intention to “standardise the capture of user consent for data processing and “signal” this information across the advertising supply chain”. More on that here.

“A key piece of the Framework is a unique registry of third-party data controllers, a Global Vendor List, on whose behalf consent may be requested by the first parties that have the direct interface with users.”

Choosing to feature this consent on your website may get you an access to free versions available online. Besides, this is not the only option available online, therefore we advise you to assess other possible solutions fit for your business or do like any social media this past weekend – spam everyone and their mother about your updated terms and conditions through with an email blast and dozens of push notifications.

• Okay, that’s informative and all, but what steps can I take to ensure compliance of the new law?
• Thank you for asking, please proceed scrolling to a small suggestions list we have compiled for publishers

 

Publishers To Do list:

 

1. Assess how GDPR impacts your business and taking into consideration the measures taken to comply with the rules audit your IT infrastructure and decide on the most appropriate legal basis for collecting and processing personal data from site visitors.
2. Refer to your individual affiliate network and/or platform for any specific guidance or requirements to comply with GDPR.
3. Upgrade privacy policies/terms of services/terms & conditions and cookie notices to provide transparency and upgrade consent capture.
4. Like Twitter, granular controls can be made where people can opt out of targeted advertising

Disclaimer! This communication should not be read as legal advice.

Keep in mind: Companies that fall foul of GDPR can be – in extreme cases – fined as much as 4% of the company’s total turnover, though no more than € 20 million.

 

And here are some more useful links related to the topic:

• You can read the full 88 pages long regulation here

• Or a shorter 34 pages long version here (that is leaving out he mechanics of how the administrative entities should interact)

• More answers to some useful questions here

 

P.s. We have updated our Terms and Conditions too 😀