What is GDPR?
The European Union General Data Protection Regulation (GDPR) is a new legal framework regulating the use of personal data in all European markets. It comes into force on 25 May 2018 and replaces existing national data protection laws. Updating the currently valid European Union Data Protection Framework, GDPR aims to give individuals more control over their personal information from a consumer perspective. In this context, companies will need a legal basis to process personal data. There are currently six legal bases, but 'consent' and 'legitimate interests' are the ones mostly used in the digital advertising industry. GDPR further strengthens the concept of 'consent'. Consent is held to very high standards – it cannot be bundled into the Terms and Conditions – in order to form a legal basis for the processing of personal data; furthermore, the user will need to give 'consent' clearly and through an affirmative action. In order to process 'sensitive' personal data such as racial and ethnic origin or sexual orientation, the explicit consent of the user will be required. In all cases, proof of consent must be recorded, so companies that do not interact directly with the user will have to find ways to obtain consent indirectly. With GDPR, sanctions will also increase. For violations of the law, companies can be fined up to €20 million or 4% of their annual turnover, whichever is higher.
Who does the GDPR affect?
GDPR regulates the use of all kinds of personal data, including the way companies collect, share and use data. If a company processes personal data relating to an individual residing in the European Union (the individual does not need to be an EU citizen), the law will apply regardless of where the business is based. All companies involved in digital advertising – advertisers, agencies, ad networks, data/technology companies and publishers – are covered by the law. In addition, GDPR provides special protection for children's personal information. If a company wishes to collect and process information from a child under the age of 16, it will have to obtain the express consent of the child's parents or guardians.
When will all this change?
The new GDPR framework will come into effect from May 25, 2018. It is recommended that businesses related to digital advertising develop and implement roadmaps before this date by understanding the items to be changed and their meanings.
How does IAB Turkey work on this issue?
IAB Turkey organized two information meetings on the Personal Data Protection Law, with presentations by Kağan Dora and Mert Ulusoy from CDA Hukuk and Erdem Aslan from BTS Legal. Likewise, at the Member Information Meeting held in December 2017, the Personal Data Protection Law No. 6698 (KVKK) and GDPR were discussed. Another comprehensive meeting will be held in April to inform the industry on KVKK and GDPR issues, where Erdem Aslan, one of the lawyers of BTS Legal, will provide detailed information on the subject. In addition, the IAB Turkey Programmatic Working Group and the Industry Standards Executive Board closely follow current developments on the subject.
In order to closely follow the compliance processes for the new regulation, it is recommended to follow the steps below:
2. Recording the compliance process
3. Legal basis for processing personal data
6. Communicating personal information
7. Rights of individuals
8. Data controllers and data processors
9. Data breaches
10. Data Protection by Design and Privacy Impact Assessment
11. Data Protection Officers
GDPR comes with heavy fines – up to 4% of annual global turnover. This is not the only reason decision makers need to be knowledgeable about the new law. Some processes - even some products - may have to change because of GDPR. For the first time, many digital advertising businesses will have to comply with a set of data protection rules as comprehensive as the GDPR. In order to increase awareness on the subject, different departments and all stakeholders need to come together and jointly create a compliance roadmap. It should also not be forgotten that all steps towards GDPR concern every company doing business in the EU, so the teams you work with abroad should also be fully involved in the process.
Recording the compliance process
Accountability is the main theme of GDPR. In order to be accountable, it is necessary to record what kind of personal data is stored and to identify in advance any risks that may arise. Let's start from this point
ac is possible. The definition of personal data in GDPR covers more than personally identifiable information. Thus, data points that are outside the scope of current data protection legislation are also brought within the scope of GDPR. This means that unique identifiers (e.g. a cookie ID or advertising ID) are not considered 'anonymous' data. The simplest approach is therefore to treat all online identifiers as personal data, so that the picture of where the data comes from and with whom it will be shared can be understood more clearly. To analyze this process better, an information audit can be carried out and data processing activities can be monitored continuously.
Legal basis for processing personal data
Under the GDPR, companies are required to have a legal basis for processing personal data, including its collection. GDPR provides six legal bases:
• Legal compliance (with another law)
• Protection of one's vital interests
• Public interest
• Legitimate interest
Two legal bases are frequently used in digital advertising: consent and legitimate interest. Different ways of processing data can be evaluated to determine which legal basis is more suitable for which method. Depending on what kind of processing is intended, or whether the data is to be processed for a different purpose, a combination of consent and legitimate interest may also be used in some circumstances. According to the current ePrivacy Regulation (cookie law), consent is required to access or store data on the user's device. As of May 25, 2018, the stricter consent requirements of the GDPR will come into effect and will apply in such cases.
Consent is the most important step of GDPR. Although consent is the most used basis for companies to process personal data, it is not an appropriate basis in many situations. Compared to existing rules, GDPR makes the conditions for consent even tougher. In general, consent must be freely given, specific, informed and unambiguous. For the processing of sensitive personal data, explicit consent is required. All of the above illustrates the obligation for businesses to prove that consent was legally obtained. Verification of consent becomes very necessary from a legal point of view, especially in cases where another company has obtained consent on your behalf. To understand under what circumstances GDPR's consent requirements apply, you can review the technical consent guide published by IAB Europe for the European digital advertising industry. For detailed information on the subject, see www.advertisingconsent.eu; you can also find the draft of the guide published by European regulators on 12.12.17 here.
Blurring - Pseudonymisation
Pseudonymisation is the transformation of personal data with a defined algorithm for analytical purposes. The difference from anonymisation is that the original data can be recovered again, using the same algorithm, when desired. For the first time, GDPR incorporates the concept of pseudonymisation into EU Data Protection Law. Pseudonymisation can be seen as the merging of two related concepts. On the one hand, it covers processes that data goes through so that it is no longer directly connected to an individual (for example, encryption, addressing, or a password system). On the other hand, personal data that does not contain any identifying details may be blurred at any point in the data collection process. For example, a "random" cookie ID can distinguish, but not directly identify, the user. Regardless of which blurring method companies use, it should be noted that in both cases the resulting data is still defined as personal data by the GDPR. Blurring has many clear benefits: it increases personal privacy and security, and it partially relieves companies of some of the obligations of the GDPR (see section 7, Rights of individuals, for details). Blurring can also weigh in the balancing test when a company wants to justify personal data processing on the basis of legitimate interest.
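The following added example (not code from the IAB Turkey page) illustrates the distinction the section draws. A keyed pseudonymiser replaces a cookie ID and an email address with consistent tokens: records of the same person stay linkable, which is why the output is still personal data, and the controller holding the key and the lookup table can reverse the mapping, while anyone else cannot. An anonymiser, by contrast, drops the identifiers and generalises the age, which cannot be undone. The records, field names and the HMAC-based scheme are assumptions for illustration only.

```python
"""Pseudonymisation versus anonymisation of ad-tech records (added example)."""
from __future__ import annotations

import hashlib
import hmac
import secrets

# Constructed sample records, as a publisher or ad network might hold them.
SAMPLE_RECORDS = [
    {"cookie_id": "a1b2c3d4", "email": "alice@example.com", "age": 34, "segment": "travel"},
    {"cookie_id": "a1b2c3d4", "email": "alice@example.com", "age": 34, "segment": "finance"},
    {"cookie_id": "e5f6a7b8", "email": "bob@example.org", "age": 52, "segment": "travel"},
]

DIRECT_IDENTIFIERS = ("cookie_id", "email")  # assumed field names


class Pseudonymiser:
    """Replaces direct identifiers with keyed pseudonyms (HMAC-SHA256 tags).

    The same input under the same key always yields the same tag, so the
    records of one person remain linkable for analytics. Because they are
    linkable and reversible by the key holder, they are still personal data.
    """

    def __init__(self, key: bytes | None = None):
        # A fresh random key per controller; the key itself is never shared.
        self.key = key or secrets.token_bytes(32)
        # Reverse mapping held only by the controller, never by downstream parties.
        self._lookup: dict[str, str] = {}

    def pseudonym(self, value: str) -> str:
        tag = hmac.new(self.key, value.encode(), hashlib.sha256).hexdigest()[:16]
        self._lookup[tag] = value
        return tag

    def pseudonymise(self, record: dict) -> dict:
        out = dict(record)
        for field in DIRECT_IDENTIFIERS:
            if field in out:
                out[field] = self.pseudonym(out[field])
        return out

    def reidentify(self, tag: str) -> str | None:
        """Reverse lookup: only possible for the holder of key and table."""
        return self._lookup.get(tag)


def anonymise(record: dict) -> dict:
    """Irreversible: drop identifiers and generalise age into a 10-year band."""
    age = record.get("age")
    band = None
    if isinstance(age, int):
        low = (age // 10) * 10
        band = f"{low}-{low + 9}"
    return {"age_band": band, "segment": record.get("segment")}


def linkable(records: list[dict], field: str) -> int:
    """Number of distinct values of `field`: how many persons can still be told apart."""
    return len({r.get(field) for r in records})


def demo():
    """Run both treatments over the sample and return the artefacts for inspection."""
    controller = Pseudonymiser()
    pseudo = [controller.pseudonymise(r) for r in SAMPLE_RECORDS]
    anon = [anonymise(r) for r in SAMPLE_RECORDS]
    return controller, pseudo, anon


if __name__ == "__main__":
    c, pseudo, anon = demo()
    print("pseudonymised:", pseudo)
    print("anonymised:", anon)
    print("controller can re-identify:", c.reidentify(pseudo[0]["email"]))
```

The pseudonymised output still distinguishes two persons (the cookie tags differ between Alice and Bob and repeat across Alice's two records), and a second party with its own key produces unrelated tags and cannot re-identify the first party's tokens; the anonymised output has no field that can be mapped back to either person.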
Communicating personal information
Another key element of GDPR is transparency. Privacy rules and notices have been used in our industry for a long time. GDPR demands varying levels of detail depending on whether the data is collected directly from the individual. In all cases, your statement should be concise, easily accessible and written in clear, simple language. It should also clearly state which legal basis is used and what the legitimate interest in processing the data is. In the first stage, an important step is to look at the privacy statements currently in use and to determine what needs to be changed.
it could be. All businesses that collect and use data are required to communicate this information to all relevant third parties, starting with the publishers. The ICO's guide to privacy statements, transparency and control can be a good starting point. In addition, the 'right to be informed' section of the ICO's interpretation of the GDPR is one of the issues that needs to be examined.
Rights of individuals
GDPR makes the rights of individuals more comprehensive. These rights are:
• Right to be informed (see Article 6)
• Right of access
• Right of rectification
• Right to be erased (right to be forgotten)
• Right to restriction of processing
• Right to data portability
• Right of objection (right of exit)
• The right not to be subject to automated decision making
You should ensure that these processes are under control so that you can adequately respond to any requests from individuals. If you blur the data, you may be relieved of the rights of access, rectification, withdrawal, restriction of processing and data portability, unless the individual actively provides you with additional information that allows you to identify them.
Data controllers and data processors
GDPR retains the concepts of 'data controllers' and 'data processors' from current data protection law, which separate the different roles involved in processing personal data. Data controllers – individually or jointly with other controllers – are the companies that decide which data is processed and why, and data processors are the companies that work on behalf of data controllers. Under current rules, only the controller, not the processor, is responsible for data protection compliance. GDPR extends legal obligations to cover data processors as well. Thus, after May 2018, data processors may also be subject to legal actions and sanctions (up to 4% of global annual turnover) imposed by Data Protection Authorities. The obligations concerning data processors under GDPR are as follows:
• Data agreements – a written agreement (or other legal act) between data processors and controllers. This agreement specifies the subject, duration and purpose of the processing, the type and category of personal data, and the obligations and rights of the controller.
• Data security – data processors should take the necessary security measures and should inform controllers of breaches without any delay.
• Sub-processors – processors may only use sub-processors with the written consent of the controller. Processors that use sub-processors should also give the data controller the opportunity to object to changes.
• Controller instructions – data processors may only process personal data in accordance with the controller's instructions.
• Accountability – data processors should keep records of all data processing activities and comply with the requests of the Data Protection Authorities.
• Data Protection Officers – data processors must, in certain situations, appoint an officer.
• Cross-border transfers – processors involved in cross-border transfers must comply with the applicable restrictions.
Considering that data controllers and data processors will be subject to distinct obligations under the GDPR, the roles of both parties should be well defined. Even within a single brand campaign, these roles can change. When determining your own role, for example in target audience segmentation, it is recommended to review the ICO (Information Commissioner's Office) guide. Are you doing this alone, or following instructions from brands or publishers? Does it vary from customer to customer? In all cases, agreements should be put in place with your business partners, and existing agreements should be checked to ensure they comply with GDPR requirements.
Data breaches
Personal data breaches can have many reputational or financial consequences. Therefore, processes should be put in place for the detection, reporting and investigation of data breaches. Unlike existing rules, under GDPR data controllers must report any identity theft or privacy breach to the Data Protection Authorities. In the event of any breach, data processors must inform data controllers without delay. Identifying in advance which situations require notification may be the first step to take in this regard.
Data Protection by Design (Privacy by Design) and Privacy Impact Assessment (PIA)
Privacy Impact Assessments – or Data Protection Impact Assessments, as GDPR defines them – play an important role in the new rules. With the new law, it will be a legal obligation to carry out these assessments in high-risk situations. These assessments are vital, for example, when a new technology is used or where a profiling operation may affect individuals.
will carry it. It is not yet clear whether this requirement will cover blurred data. For detailed information: Privacy Impact Assessments (PIAs). GDPR also sets out the principle of data protection by design (privacy by design): the systematic development and implementation of projects in accordance with privacy and data protection from the very beginning. Either way, it is helpful to conduct privacy impact assessments for any new products or services you want to bring to market.
Data Protection Officers
GDPR requires the appointment of a data protection officer in cases where the core activities of the data controller or processor, by their nature, scope and/or purposes, require regular and systematic monitoring. If this applies to your company, you should appoint an officer to be responsible for your GDPR compliance. It is also important to determine where this person fits into the business structure and management.
Many businesses in our sector carry out their operations across Europe. In such cases, you should determine which Data Protection Authority is your lead authority. More importantly, you should also consider your options for transferring data to countries outside the EU. Even if you do not process personal data, you must do so before GDPR. GDPR offers several options for cross-border data transfer. The European Commission recognises certain countries as providing adequate data protection standards for transfers. You can find the list of these countries here. Other options, such as standard contractual clauses, also remain valid.