GDPR – FAQ

When did GDPR come into effect?

GDPR took effect May 25th, May 2018.

Who does GDPR apply to?

GDPR applies to any company that processes personal data of data subjects in EU member states, even if the data subject is not an EU citizen. It also applies to the processing Europeans’ data, even if the data subject is outside of Europe. Geographically speaking, the reaches of GDPR are extensive. Economically speaking, the fines are severe; companies can face fines up to 4% of the annual global revenue of the company, including its ultimate parent company, or €20 million, whichever is greater.

What does the processing of personal data mean?

Processing covers pretty much anything you could imagine doing to personal data; it includes collection, recording, organization, storage, adaptation or alteration, retrieval, consultation, use, disclosure by transmission, dissemination or otherwise making available, alignment or combination, blocking, erasure or destruction.

What are data controllers and a data processors?

Both ‘controllers’ and ‘processors’ of data have to abide by the GDPR. While the controller determines the purposes and means of processing personal data, the processor solely processes the data on behalf of the controller. For the controller, there is a cascade of responsibility when it comes to processing data, as they are not only responsible for ensuring they comply with GDPR, but are also responsible for ensuring downstream processors abide by the regulation.

What is considered personal data?

Personal data is broad under GDPR and includes any information related to an identified or identifiable natural person. Identification can be direct, like a name, or indirect, like a phone number, cookie ID or IP address. GDPR also covers pseudonymized data, which is defined in Article 4(5) as:

…the processing of personal data in such a manner that the personal data can no longer be attributed to a specific data subject without the use of additional information…

Pseudonymization strips out the identifying portions of the data and replaces them with artificial identifiers, or pseudonyms. For example, you could replace a name with a unique number to pseudonymize it, rendering the data less identifying. However, GDPR is forward looking in that it not only covers whether pseudonymized data could be reasonably tied back to an individual now, but it also covers future methods for singling out the data subject. Thus, even pseudonymized data is subject to the scrutiny of GDPR. Only truly anonymized data that is impossible to reverse engineer and identify someone falls outside of the scope of GDPR.

It’s important to remember that processing personal data is not illegal under GDPR, but rather requires the use one of the six legal grounds for processing data and the provision of certain rights.

What are the six legal grounds for processing data?

Legal grounds for processing data include:

  • Consent from the data subject
  • Legitimate interest of the data controller
  • Performance of a contract to which data subject is party
  • Controller’s compliance with a legal obligation
  • Protection of the vital interests of a natural person
  • Public interest / Controller representing official authority

The first two will be the most applicable to companies in the adtech industry, so we’ll focus there.

What is consent?

Consent is a statement or clear affirmative action signifying agreement to the processing of personal data. It must be:

  • Freely given – genuine choice, no duress
  • Specific – no blanket consent
  • Informed – full transparency
  • Unambiguous – no doubt as to meaning of action
  • Affirmative – silence or inactivity (e.g., not using a provided opt-out) cannot be consent

Additionally, controllers must be able to demonstrate that the data subject has consented to the processing of his/her personal data. Users must also be able to revoke consent at any time and doing so must be as easy as granting consent in the first place.

What is legitimate interest?

“Legitimate interest” is one of the more ambiguous and confusing concepts within GDPR. Here is how it reads in Article 6(1):

…processing is necessary for the purposes of the legitimate interests pursued by the controller or by a third party, except where such interests are overridden by the interests or fundamental rights and freedoms of the data subject which require protection of personal data, in particular where the data subject is a child.

While legitimate interest casts a broad umbrella that can include several activities key to adtech including marketing, there is a real balancing test to be done between the legitimate interest of the controller and the fundamental rights and interests of the data subject. The balancing test weighs the reasonable expectation data subjects have regarding how their data is processed in a given situation against the legitimate interest the business has to process their data.

As a basic example, when a user goes to a non-subscription based website (read ad supported), they can reasonably expect to receive targeted advertising on the basis of anonymized segments in exchange for that free content. However, it would surpass reasonable expectations and infringe on privacy if the website collected and sold non-anonymized personal data to third parties without disclosing it to the user.

What rights to data subjects have under GDPR?

Regardless of what basis you choose for processing, companies are still required to notify the data subject of the collection and processing of their personal data. The information must be provided in a concise, transparent and easily accessible format. In addition to having the right to access the data you’ve collected on them, data subjects also have the following rights as it relates to their personal data:

  • The right to rectification or erasure
  • The right to restrict or object to processing
  • The right to data portability (essentially to move that data onto another platform – like a competitor’s platform)
How will Thirdpresence comply with GDPR from a technical perspective?

We have implemented all required changes to our platform to make sure that we are compliant with the GDPR legislation.

Does Thirdpresence have a DPO (Data Protection Officer)?

Yes, our DPO is CFO Tuomas Itkonen.

What is in place today in Europe?

Today, most EU member states’ have their own national laws based on the 1995 EU Data Protection Directive (DPD) – including the UK Data Protection Act 1998. In addition to these, the directive commonly referred to as the “Cookie Law” was adopted in 2011 and is pervasive across the EU. One of the goals of GDPR is to modernize and standardize protection across the EU to avoid the cumbersome differences in privacy law between member-states.

How will Brexit affect the need for the UK to comply with the GDPR?

The UK Government recently stated that GDPR will become part of UK law following Brexit. It is possible that they will make changes following Brexit, but given the UK’s reliance on the flow of data and commerce with the EU, changes are expected to be minor.

Is the EU the only market that GDPR applies to?

As of now, yes, unless you count the UK. The EU is the market that is most sensitive to privacy issues and has historically been the first-mover with new regulation. That said, other markets may follow the EU’s lead and revisit consumer protection and privacy policy regulations.