IAB GDPR Overview & Compliance Check List

The Evolution of the Internet, Identity, Privacy, and Tracking 1

Disclaimer: This document has been prepared by the Interactive Advertising Bureau, Inc. (“IAB”) to provide information on recent legal developments of interest to our readers. It is not intended to provide legal advice. IAB assumes no responsibility to update this document based upon events subsequent to the date of its publication, such as new legislation, regulations, and judicial decisions. You should consult with legal counsel to determine applicable legal requirements in a specific fact situation.

IAB & The General Data Protection Regulation

What is GDPR?

The European Union’s General Data Protection Regulation (GDPR) establishes new requirements on companies that collect, use, and share data about EU residents. As of May 25, 2018, all companies handling data of EU residents must adhere to these new data privacy and security measures, regardless of whether the organization is located within the EU or not, or face severe penalties. Several key changes impacting the digital advertising industry include:

  • A broader definition of personal data that includes IP addresses and cookie identifiers.
  • Higher standards for establishing valid consent: Under GDPR, consent must be “freely given, specific, informed, and unambiguous” and made by a statement or by a clear affirmative action.
  • Personal data may only be collected for a specific purpose and may not be used for any new, incompatible purposes.
  • EU citizens may require companies to erase their personal data at any time if they choose to withdraw their consent.
  • Companies must institute accountability and be able to demonstrate compliance through data protection impact assessments and other mandatory internal procedures.
  • International transfers of personal data outside the EU require additional precautions.
  • New fines can be high for non-compliance with GDPR. Serious infringements can result in fines of up to 20m, or 4% of your company’s global annual revenue, whichever is higher.

How do I get involved?

IAB Tech Lab GDPR Technical Working Group

The IAB Tech Lab GDPR Technical Working Group’s mission is to share information on GDPR/ePrivacy and to engage technical leaders in contributing to related solutions. The working group will draw on policy and regulatory analysis and guidance from IAB Europe and others in the global IAB network to develop and support technology and tools to facilitate legal compliance and self-regulation for the industry. The working group will also share information such as emerging technical requirements, tools, services, and research that can help companies comply with GDPR. Participation in the working group should not suffice as legal counsel.

To join the Tech Lab Technical Working Group or to learn more about the IAB Tech Lab initiatives relating to GDPR, contact Jennifer Derke, Director for Product Management, IAB Tech Lab, at [email protected].

IAB Europe GDPR Implementation Group

The GDPR Implementation Group discusses the European Union’s new data protection law, the General Data Protection Regulation (GDPR) – Regulation (EU) 2016/679, and shares best practices to agree on common interpretations and positioning on the most important issues stipulated by the law. The output of the working group will be the first European-level normative guidance on how to interpret the GDPR in the online advertising sector.

To join, contact Matthias Matthiesen, Senior Manager for Privacy and Public Policy, IAB Europe, at [email protected].

General Inquiries

In addition, we welcome the opportunity to speak with member companies to address individual questions and concerns relating to GDPR and any other international privacy developments. Depending on the individual needs of your company, we will connect you with experts from across IAB to help answer your questions and assist you with better understanding IAB’s current initiatives.

To schedule a briefing, contact Alex Propes, Senior Director, Public Policy & International, IAB, at [email protected].

Getting Ready for GDPR

What should I do?

There are a number of steps every company in the digital advertising ecosystem should take to better prepare for the European Union’s General Data Protection Regulation (GDPR). The following checklist provides a quick overview to help you in your compliance journey.

IAB GDPR Checklist

  • EDUCATE YOUR TEAM. Ensure representatives across your organization are aware that the GDPR will be enforceable on May 25, 2018 and determine whether GDPR applies to you.
  • CATALOG DATA. Catalog the personal data that your organization holds and review the GDPR’s definitions of personal data to see if this information is within scope. If so, identify a legal basis for complying with the law.
  • REVIEW POLICIES. Review all internal procedures, privacy policies, training materials, and impact assessments for compliance with GDPR.
  • ASSIGN RESPONSIBILITY. Designate someone to take responsibility for data protection compliance and ensure this individual has the necessary resources to institute meaningful changes.
  • EXAMINE CONTRACTS. Ensure contracts that relate to personal data meet all new obligations.
  • OPERATIONALIZE RIGHTS. Update procedures to accommodate subject access requests, right to data portability, right to erasure, and other new individual rights.
  • INSTITUTE COMPLIANCE. Develop all necessary compliance programs, such as privacy impact assessments, audits, human resource policies, and recordkeeping processes.
  • TACKLE TRANSFERS. Review all international transfers of personal data, determine your lead data protection supervisory authority, and evaluate whether it is necessary to participate in international compliance mechanisms, such as the EU-U.S. Privacy Shield Framework.