‘Regulation won’t apply after Brexit’ – and other common GDPR misconceptions

 
Flags.jpg

While the frenzied panic to be ready for the May 25th GDPR deadline is far behind us, confusion about the new laws isn’t.

Almost two months into enforcement, many businesses remain unclear on essential details — including the definition of personal and sensitive data, and what sets the GDPR and e-Privacy regulation apart. Some are also labouring under misconceptions, such as the belief that the regulation won’t apply in the UK anymore after Brexit.

So, to enable more effective compliance and avoidance of those sizeable penalties, let’s explore the misapprehensions still circling the GDPR.

The GDPR isn’t new

Given that the GDPR is often labelled as legislation that will revolutionise data usage, security and multiple industries, it’s easy to see why the laws are frequently seen as brand new. But this isn’t true. In fact, the GDPR is an attempt to unify and better enforce existing data protection laws across the EU. Specifically, the regulation is an update of the previous EU Data Protection Directive — circa 1995 — that brings data legislation in line with the needs of the digital age and enshrines Article 8 of the European Charter of Human Rights in terms of securing personal data.  A key benefit of this is that it will bring greater consistency to what was a fragmented series of laws, thereby making compliance easier.

Applying the GDPR across different geographies

One of the biggest areas of perplexity around the GDPR is its range of jurisdiction and how companies in the global market should adapt. A major factor, for example, is that the GDPR reaches further than its predecessor to cover any company processing the data of EU residents. Plus, as a regulation, it is now law instead of a Directive that is transposed into national law with variations. This is particularly befuddling regarding the UK and its imminent exit from the EU; many firms are wondering what that means and whether the GDPR will still apply.

The short answer is yes it will; to an extent. The UK has indicated its intention to follow GDPR stipulations post-Brexit via the Data Protection Act that also arrived this year; albeit with some domestic deviations. Considering that the UK is keen to continue positive trading relations following Brexit, it is only logical that regional law will be changed, and the UK therefore won’t be exempt from EU data regulation processes.

More than just consent

Is GDPR a legal framework or consumer rights best practice? Weeks down the line from deployment, there is still a sense that the legislation will hamper firms by preventing access to data unless they win consumer consent. There is no disputing that consent is a big part of the GDPR, but it’s not everything. The legislation is actually extremely broad; containing six lawful bases for data processing, of which consent is just one. There are also other options, such as legitimate interest, whereby firms can continue to collect and utilise data providing they are thoughtful when balancing their commercial interests with the privacy interests of consumers.

GDPR at its heart is about protecting consumers’ data from fraud and preventing misuse of it by businesses. It is a well-crafted piece of legislation that allows firms to interpret it in the context of their own business and choose the processing purpose that is most appropriate for them. The requirements for its uses differ across industries — such as handling medical data compared to handling advertising data — and its breadth enables those of us in ad tech to ensure the collection and use of data is handled legitimately, sometimes by acquiring consent. This arguably falls more into the domain of the e-Privacy Regulation than data protection, which will function as a ‘bolt-on’ to the GDPR and adds rules for how identity should be safeguarded online.

Meeting the needs of both isn’t impossible. For example, the GDPR outlines stricter rules for consent — how companies hoping to use consent as a processing purpose must obtain permission and what steps must be taken to keep information safe once gained. It also expands consumer rights, giving individuals the ability to access information on request and the right to be forgotten. This increased focus on consumer control and choice isn’t difficult to comply with, as long as companies offer clear data options, and should help create better engagement with individuals through data-driven personalised experiences in the long-term.

Definition of personal data

A clearer understanding of the definition of personal data is essential for most companies in the age of personalisation, and especially in ad tech where businesses are based largely on information garnered from the volume of data generated by consumer input. But concerns have arisen around what now counts as personal or sensitive data — which is subject to more severe restrictions.

The GDPR advises any data that makes an individual uniquely identifiable or can be used in combination with other data to identify individuals is considered personal. This means IP addresses, devices IDs and tracking cookies fall under the category of personal data and, to use such information, companies need a lawful basis. Again, this doesn’t necessarily have to be consent. For example, a verification provider that needs to ensure the consumers viewing ads are genuine and not bots may need access to IP addresses so that they can be checked.

Sensitive data includes insight related to racial or ethnic origin, political opinion, religious beliefs, trade union membership, genetic and biometric data, information about health and sexual orientation. Admittedly, there are tougher hoops to jump through for those who want to use this information, but just like ordinary personal data, there are also permissible processing purposes that allow businesses to keep leveraging it.

GDPR is not a one-off event. As new marketing techniques, technology and products continually emerge, it should be an on-going exercise in compliance with privacy requirements and regulations. Businesses that understand what the key provisions of this regulation mean; particularly in relation to what data can be harvested and how they can or can’t use it, are the ones that will thrive in the post-GDPR world.

by Dan Rosler, CEO

Originally published on GDPR : Report