GDPR News Center News for 10-25-2018

EU GDPR Webinar: The IT Manager’s guide to GDPR – Getting your department up to speed and ready

GDPR Compliance

The regulation increases the level of control EEA citizens and residents have over their personal data in the new digital age and presents a more unified environment for international business across Europe. The Regulation impacts any business that receives, processes, stores or transfers personal data of EEA-based individuals, regardless of its location. Personal data is defined broadly and typically includes information relating to an individual such as name, email, location, online identifier, IP address, home address etc. New rights are given to individual data subjects concerning the personal data being stored, including the right to prior notification of what data is being used for, how it will be processed and when it will be deleted. As a result, most businesses dealing with the European market have had to review and update their data practices and privacy policies.

BlueSnap & the GDPR. BlueSnap has been focused on completing its General Data Protection Regulation compliance efforts. To enable BlueSnap merchants to continue accepting orders from individuals based in the European Economic Area from that date onwards, the GDPR compels us to put into effect a Data Protection agreement containing mandatory provisions for all merchants wherever they are based. We therefore issued a Data Protection Addendum effective for BlueSnap and all merchants as from 25th May 2018. Review the new Data Protection Addendum here: https://home. 

In order to cover the aspect of data transfer from the European Economic Area to the US, BlueSnap has been certified on Privacy Shield since Q3 2016. We also added certification under the Swiss-US Privacy Shield scheme in 2017 and are currently finalizing updated data processing agreements with relevant parties involved in the processing, receipt, and storage of personal data. We strongly advise merchants that receive shopper details from EEA-based individuals to take immediate steps to ensure their own data management practices are in compliance with the GDPR, and that other third-party services used in addition to BlueSnap are also compliant.

Keywords: [“data”,”BlueSnap”,”individual”]

‘Everyone is breaking the law right now’: GDPR compliance efforts are falling short

The arrival of the General Data Protection Regulation a month ago led to a flurry of activity, clogging email inboxes and flooding people with tracking consent notices. Experts say much of that activity was for show because much of it fails to render companies compliant with GDPR. Part of the issue, experts say, is the vague regulation has been interpreted in wildly different ways. GDPR consent-request messages vary wildly across sites. There are default pre-ticked opt-ins, buried options that require users to hunt for them, consent banners with information only available at a further click but no button to reject, and implied consent approaches. 

Others have simply reskinned cookie-banner messages required under the existing ePrivacy directive. A tumultuous few weeks after the law’s arrival on May 25, in which programmatic ad volumes plummeted mostly as a result of Google’s last-minute GDPR policy changes, programmatic spending is returning to pre-GDPR levels. GDPR has been criticized for being vague and open to interpretation, which is what led to such disparate consent-gaining methods. Publishers across Europe are divided between those that have taken softer legitimate interest-based approaches or opt-out methods to claim compliance, while others have gone the harder consent-based route that requires people to opt in. Bloomberg and Forbes appear to be taking strict active consent approaches, while others like the Guardian and MailOnline are running consent banners. 

Several publishers have divided explainers on their cookie use into those used for advertising and tracking, and those used for site analytics – though users aren’t always able to pick one and reject the other; in many cases, it’s all or nothing. Others are simply hoping to stay under the radar until they have figured out how to be compliant in a way that doesn’t damage the business model. Publishers went on a soul-searching mission when ad blocking reached crisis levels in 2017. 

Keywords: [“publishers”,”consent”,”GDPR”]

80 Percent of Companies Still Not GDPR-Compliant

Several weeks after the deadline for General Data Protection Regulation compliance, the vast majority of companies are either still working on it or have yet to begin the process. That’s according to the latest research from TrustArc, which surveyed 600 IT and legal professionals responsible for privacy at companies required to meet GDPR compliance in the United States, the United Kingdom and the European Union – one month following the May 25. Only one in five companies surveyed believe they are GDPR compliant, while 53 percent are in the implementation phase and 27 percent have not yet started their implementation. EU companies, excluding the U.K., are further along, with 27 percent reporting they are compliant, versus 12 percent in the U.S. and 21 percent in the U.K.

While many companies have significant work to do, nearly three in four expect to be compliant by the end of this year and 93 percent by the end of 2019. While many companies still have a long way to go, a comparison to August 2017. About one in four companies spent more than $500,000 to become GDPR-compliant, while one in three plan to spend that amount on compliance efforts between June and December 2018. Percent of U.S. companies spent more than $1 million on compliance vs. 10 percent for U.K. and 7 percent for EU companies.

Despite difficulties in becoming GDPR-compliant, 65 percent view GDPR as having a positive impact on their business, while 15 percent view the regulation as having a negative impact. Meeting customer expectations was the main driver to become compliant, much higher than concern for fines. Complexity of GDPR posed the biggest challenge to compliance. The vast majority said data privacy will become more important at their companies post-GDPR deadline, and 80 percent of companies plan to increase their spending on GDPR technology and tools to maintain compliance.

Keywords: [“percent”,”companies”,”compliance”]

GDPR News Center News for 02-11-2018

GDPR: A Shiny Sword In The Fight For Audiences

A lot has already been said about how General Data Protection Regulation and ePrivacy offer an opportunity for publishers and advertisers to kickstart a new, more truthful and respectful relationship with consumers, leaving the polemics and the ad-blocking wars behind. While some publishers will regain control of their relationships with their audiences, complying with GDPR will come at a high cost, in terms of the required skills and effort and the potential short-term revenue hit. This is why advertisers and publishers must thoroughly reassess their technology and data partners while preparing for GDPR. Agencies and ad tech vendors must listen to their clients’ needs without the distraction of parallel agendas in the background. The obsession with scale brought agencies and ad tech companies to a point where individual clients and their audience data were just a small piece of their main agenda: market domination. Due to their need to be GDPR-compliant, it’s their responsibility to review their strategies, especially for their ad stacks and data. Tech, data, GDPR and user experience are tightly intertwined. One big worry, especially among publishers, is that GDPR will cause third-party data availability to shrink due to a long daisy chain of opt-ins and permissions required. Every challenge is a solution opportunity; GDPR represents an amazing excuse for publishers to review their first- and second-party data strategies. Allying with users could mean diverting budget from third-party data providers and reinvesting it in benefits for users in exchange for providing accurate data about themselves. It’s a radical turn from hunting for data to having user data provided by the “targets.” Those previously treated as “prey” become partners and share the benefits in the common interest of both.
No, it won’t mean additional costs because the money would be shifted from buying often nontransparent or low-quality data to creating strong deterministic profiles and reinforcing the bond with customers and users. Yes, we all agree that the “digital media pact” should be free content in exchange for data, but the way in which the industry has managed it means the status quo is unsustainable for much longer, unless the relationship is redefined. Consumers and users providing data also bring an accuracy never had before, without compromising the relationship with the user. GDPR’s rule introducing user data portability, which gives consumers more control over obtaining and reusing their personal data, will further reward brands and publishers with stronger and fairer audience strategies, especially those that best implement a balanced value exchange. A tighter and more meaningful bond with users and customers will incentivize their submission of additional personal data ‘ported’ from third parties. GDPR’s true value can be brought to life only by reinforcing the axis between brands, publishers and consumers in these kinds of one-to-one data partnerships.

Keywords: [“Data”,”publishers”,”tech”]

IAB UK GDPR checklist

Many IAB members may find it simplest to treat all online identifiers as personal data, so make sure you understand where the data comes from and get a clear picture of who you share it with. Organisations require a justification to lawfully process personal data under the GDPR, including for collecting the data in the first place. The GDPR introduces the concept of pseudonymisation for the first time into EU data protection law. In either case, companies must remember that whatever form of pseudonymisation you use, the data remains personal data under the GDPR. That said, there are obvious benefits to pseudonymisation as a privacy and security-enhancing measure, not least as companies that pseudonymise data are relieved of some of the GDPR’s obligations. The GDPR requires different levels of detail depending on whether you obtain the data directly from the individual or not. The GDPR maintains the notions of ‘data controller’ and ‘data processor’ found in current data protection law to distinguish between the different roles organisations play in the processing of personal data. As a reminder, data controllers are organisations that decide – either alone or jointly with other controllers – how and why personal data is processed, whereas data processors act on behalf of the data controller. Importantly, the GDPR extends statutory obligations to data processors. Accountability – processors must maintain records of data processing activities and make these available to the relevant Data Protection Authority on request. Compared to existing rules, the GDPR requires data controllers that have suffered a breach where the individual is likely to suffer some form of damage, such as through identity theft or a confidentiality breach, to notify their Data Protection Authority – the ICO in the case of the UK. Data processors are required to notify the controller without undue delay of any breach they have incurred.
Privacy Impact Assessments – or Data Protection Impact Assessments as the GDPR calls them – play a significant role in the new rules. The GDPR stipulates that one of the criteria to decide whether you need to designate a Data Protection Officer is where ‘the core activities of the controller or the processor consist of processing operations which, by virtue of their nature, their scope and/or their purposes, require regular and systematic monitoring of data subjects on a large scale’. Importantly, you should also think about your options for transferring data to countries outside the EU. You might have to do this for the first time as prior to the GDPR, you may not have processed personal data. The GDPR offers a number of options to transfer data across borders. The UK Government will also consider an agreement with its US counterparts to ensure the continued flow of data between the two countries as the UK won’t be able to benefit from the EU-U.S. Privacy Shield once the country has exited the EU.

Keywords: [“data”,”GDPR”,”process”]