
Understanding the EU GDPR

The European Union’s General Data Protection Regulation (EU GDPR) will take effect this year, in May 2018. Do you understand the regulation and its impact on the digital advertising and media industries? Do you know how it will affect your business? Here is more information from IAB and some resources from the IAB Global Network to help you understand and navigate this new European regulation.

What is GDPR?

The European Union’s General Data Protection Regulation (EU GDPR) establishes new requirements on companies that collect, use, and share data about EU citizens. As of May 25, 2018, all companies handling data of EU citizens must adhere to these new data privacy and security measures or face severe penalties, regardless of whether the organization is located within the EU. Several key changes impacting the digital advertising industry include:

  • A broader definition of personal data that includes IP addresses and cookie identifiers
  • Higher standards for establishing valid consent: Under GDPR, consent must be “freely given, specific, informed, and unambiguous” and made by a statement or by a clear affirmative action. Companies are responsible for demonstrating that consent was given.
    (Note: IAB Europe and its members are planning the creation of a consent management platform)
  • Purpose limitation: Personal data may only be collected for a specific purpose and may not be used for any new, incompatible purposes.

Download the IAB GDPR Information & Check List

GDPR Transparency & Consent Framework (Draft)

Integrity and confidentiality:

  • Right to be notified if data has been compromised: breach notification and more secure data storage, in order to assess data processes, prevent any breach, and detect and respond.
  • Right to erase: EU citizens may require companies to delete their personal data at any time if they choose to withdraw their consent.
  • Accountability: Companies must be able to demonstrate compliance through data protection impact assessments and other procedures.
  • Stricter safeguards for transfers of personal data outside the EU

How will GDPR affect you and your business?

  • If your organization collects, uses, or shares personal data of EU citizens, GDPR will likely apply, regardless of whether or not you have physical operations in Europe.
  • Fines can be high for non-compliance with GDPR: Serious infringements can result in fines of up to €20m, or 4% of your company’s global annual revenue, whichever is higher. Advertising identifiers are now explicitly within the scope of personal data, and companies that collect and use these identifiers must demonstrate a valid legal basis for doing so.
  • New obligations for demonstrating valid consent will require companies to go beyond existing “cookie banners”.

Download the GDPR Cheat Sheet (PDF)

More Resources on GDPR

Here are some links and resources with more information about the EU General Data Protection Regulation (GDPR):

Learn more about consent solutions in a programmatic environment: join the IAB Tech Lab GDPR Technical Working Group and attend related events, such as the GDPR/ePrivacy Town Hall, which happened this past February 20, 2018.

  • GDPR Technical Working Group
  • OpenRTB GDPR Advisory

GDPR Transparency & Consent Framework for Public Comment