Ask the Expert: What’s GDPR?

Ask a Centro Expert is a blog series from Centro where we break down the complicated tools, tech, and trends you’ve been hearing about in the trade pubs and around the office. We reach out to our in-house experts to ask the tough questions and turn them into bite-sized, palatable Q&As for your reading pleasure. This month’s topic: GDPR. We talked to Chris Coupland, Centro’s platform operations manager, for the break down.

In the simplest terms, what is GDPR?

GDPR, which stands for General Data Protection Regulation, is a new law in the European Union governing the collection and processing of personal data of European member state citizens (data subjects). Under the GDPR, personal data that is used to offer goods and services, or to profile users, can only be collected for explicit, specified purposes, and the processing of that data must be compatible with those same purposes. There are only a few very specific legal bases for processing, most notably, through the consent of the data subject. In addition, data subjects have very broad rights, including the right to transparent information about the data collection and processing, the right to be forgotten (erasure of data), the right to object, and others. The intention of the regulation is to give data subjects more control over their personal data: who can use it, how it is used, who it can be shared with, etc. All companies that interact with European end users are obligated to comply with the law after May 24, 2018, regardless of said companies’ geographic location. Those that don’t will be vulnerable to harsh monetary penalties.

Is this strictly about programmatic ad-buying?

No. The GDPR is designed to cover personal data regardless of industry.

Who is responsible for ensuring consumer privacy?

All companies that handle personal data should be responsible for ensuring consumer privacy. While the GDPR only relates to EU data subjects, other jurisdictions have their own privacy laws that should be taken into account as well.

How are advertisers going to be affected?

Every company that operates in digital media is unique because of business models, partners, customers, country operations, and many other factors. Centro recommends advertisers review the GDPR and seek legal advice applicable to their unique business model. In general terms, advertisers will need to ensure that their advertising activities are lawful under the GDPR when targeting EU member states in their campaigns. Advertisers that are collecting and processing personal data, and have determined that their activities fall within the GDPR’s scope, will need to be certain they have a valid legal basis (such as user consent) for doing so. In regards to personal data shared with advertisers by Centro, we will be making changes to our terms governing the transfer of personal data in accordance with the new law.

How would the Internet user experience change in the E.U. member states?

End users may see an increase in solicitations of consent from companies that are actively collecting data. This may be a publisher, an Internet service provider, a device manufacturer or an app creator. The regulation covers a wide net. We’ll also likely see a variety in the ways for which this consent is asked.

Is this coming for U.S. Internet users?

The GDPR is now considered to be the gold standard in privacy legislation world-wide. It is expected that its principles will be emulated by other jurisdictions. As an example, amid the recent Facebook hearings in the U.S., two senators introduced the ‘CONSENT Act’ bill, which has very similar requirements to GDPR. Whether or not it is passed, the general industry sentiment points to momentum behind the idea of increased privacy protections. I think there will be a lot more evolution in this area.

What is Centro doing to meet GDPR requirements?

Centro takes privacy seriously and intends to fully comply with the GDPR. All processing activities are under review and we have engaged professional privacy consultants and legal experts to assist with the effort. Existing agreements, terms and our privacy policy will be revised to ensure compliance with the new regulations. Centro is also pursuing membership in the Privacy Shield framework — a program founded by the U.S. Department of Commerce, and the European Commission and Swiss Administration to help companies facilitate transfers of personal data with their transatlantic partners.

What is my role in all of this as a media professional?

Get educated and get used to operating with transparency and consent-driven advertising. Know what your company practices are in handling data. Regardless of regulation, companies who are collecting data and are serving targeted advertising should be responsible for keeping user data safe and secure.

Interested in other Centro resources that will help you understand GDPR? Reach out to info@centro.net.