Beginning May 25, 2018, a new law will greatly affect how adtech companies collect and process personal data. The law, the General Data Protection Regulation (GDPR), is actually a European Union law, but it could have far-reaching effects beyond European borders, as U.S.-based companies will have to comply with the new regulation when doing business within the EU.
Beyond Europe, the law will also apply to any business whose data processing relates to the offering of goods and services to EU-based people or to the monitoring of online behavior within the EU, including tracking used for interest-based marketing. That is far-reaching and will affect almost every adtech company and its clients the world over.
The law replaces an earlier law, the EU Data Protection Directive, which only applied to those entities which processed personal data on equipment located within the EU. Once enacted, GDPR will apply to any company that uses data to offer goods and services or uses data to track online behavior within the EU regardless of the company’s location.
The GDPR contains many of the basic stipulations of the original directive but includes changes that will have a meaningful impact on how businesses deal with personal data. Under GDPR, data processing will need to comply with six principles and satisfy at least one processing condition.
Briefly, the principles are: data must be processed in a transparent fashion (consent must be given), collected and used for a specific purpose and only that purpose, and maintained in an accurate, secure manner until such time as its specific purpose of use has expired. It must then be deleted.
Conditions allowing the processing of data include personal consent, necessity for the implementation of a contract, compliance with a legal obligation, protection of an individual’s vital interests or the performance of a task by the entity holding the data.
Some of these processing conditions can be quite onerous. If we look at consent, according to GDPR Article 7, consent requires specific demonstration of consent by the data collector, collection using clear and obvious distinction from other matters, a provision for the data subject to withdraw their consent at any time, and proof that the data is conditional upon or necessary for the completion of a contract or provision of a service.
Along with the above-mentioned rights given within the GDPR, people will be protected by additional rights including the right to be forgotten, the right to restrict processing, the right to object or curtail the collection of certain types of data and the right to data portability.