Interact 2018 -  GDPR for digital publishers, digital agencies and advertisers
Held in Milan on 23-24 May, IAB Europe’s annual 2-day conference Interact 2018 featured a training by Matthias Matthiesen, Director Public Policy & Privacy and Chris Hartsuiker, Public Policy Officer, IAB Europe. Which provisions in the General Data Protection Regulation are the most relevant to digital publishers and advertisers? What is the guidance of the European Data Protection Board (former Article 29 Working party) on these topics? This training session, provided by IAB Europe will provide insight into applying the GDPR to the digital advertising supply chain.

Published in: Marketing
  1. GDPR for Digital Publishers, Digital Agencies, and Advertisers
     Matthias Matthiesen, Director, Privacy & Public Policy
     Chris Hartsuiker, Manager, Privacy & Public Policy
     May 23rd, INTERACT 2018, Milan
  2. Territorial Applicability
     • You are a controller or processor in the EU: the GDPR applies to you.
     • You are a controller outside of the EU: the GDPR applies to you if
       • you monitor the behavior of people in Europe, or
       • you offer goods and services to people in Europe.
  3. Even if the GDPR technically doesn’t apply to YOU…
     • Partners might be in scope; they will have to know if it’s safe for them to send data to your company.
     • Countries outside of the EU are ‘third countries’ under the GDPR; transferring data to companies in those countries is an ‘international data transfer’, which is only allowed if there is a transfer mechanism.
  4. Everywhere is Europe
  5. Personal Data (diagram labels): ANONYMOUS; IDENTIFIABLE NATURAL PERSON; IDENTIFIED NATURAL PERSON; PERSONAL DATA; NON-PERSONAL DATA; PSEUDONYMOUS DATA; PERSONALLY IDENTIFIABLE INFORMATION (“PII”)
  6. Personal Data
     If an individual can be singled out by data, that data is personal data (unique cookie ID or AAID/IDFA).
  7. Personal Data (diagram)
     • IP 94.225.47.200 → Internet Service Provider → Matthias Matthiesen on Friday, 22 April 2016, 9:15 AM
     • IP 94.225.47.200 → Online Service → Legal Means (Court Order) → Internet Service Provider → Matthias Matthiesen on Friday, 22 April 2016, 9:15 AM
     If data can be re-identified by the controller, or another entity, that data is personal data.
  8. Personal Data
     • Information related to an identified or identifiable natural person.
     • Identifiers, such as a name, number, location, online ID, or one or more factors specific to a natural person.
     • IP address, cookie ID, RFID tag, especially when combined with profiles.
  9. When in doubt: It’s Personal Data
  10. This far-reaching effect is completely intentional.
     • The GDPR is the latest and potentially greatest example of what is known as the “Brussels effect”.
     (Illustration by Sara Gironi Carnevale for POLITICO Europe)
  11. RESTRICTED: Personal data requires a legal ground for processing.
  12. ePrivacy Directive
     • Storing information, such as cookies, or accessing information stored on a user device generally requires consent.
     • Unless “strictly” technically necessary for provision of the service requested by a user, e.g. shopping cart cookies.
     NB: The ePrivacy Directive is a law from 2009, not to be confused with its proposed update, the ePrivacy Regulation.
  13. ePrivacy rules before GDPR (diagram): ePrivacy Consent Requirement → GET CONSENT AS DEFINED BY
  14. ePrivacy rules after GDPR (diagram): ePrivacy Consent Requirement → GET CONSENT AS DEFINED BY GDPR
  15. Hierarchy ePrivacy and GDPR (diagram): Storing/accessing personal data on device → ePrivacy → Consent; Processing personal data → GDPR → GDPR legal basis
     • Collection of data over the internet generally requires consent because of ePrivacy.
     • Processing of personal data requires a GDPR legal basis, e.g. consent, or legitimate interest.
     • Where both apply at the same time, the more specific consent rule of the ePrivacy Directive prevails.
  16. Consent
     • Consent is a statement or clear affirmative action signifying agreement to the processing of personal data. It must be freely given, specific, and informed.
     • Controllers must be able to demonstrate that the data subject has consented to the processing of their personal data.
     • Consent must be revocable at any time. Revoking consent must be as easy as granting consent.
  17. Consent
     • Consent ≠ silence/inactivity
     • Consent ≠ freely given if inappropriately bundled.
     • Consent ≠ freely given if inappropriately made a condition.
     • Consent ≠ freely given in situations of “power imbalance”.
     • Which affirmative actions can convey consent?
       • Choosing technical settings (which)?
       • Further browsing?
       • Clicking a link?
       • Highlighting text?
     • Informed = purpose & controller disclosed
  18. Consent
  19. Consent
  20. Stay Informed: www.advertisingconsent.eu
  21. Stay Informed
  22. Quick Recap:
     • GDPR applies based on territory (everywhere is Europe).
     • Personal data covers a huge number of types of data (when in doubt: it’s personal data).
     • Processing personal data is only lawful with a legal basis (consent, legitimate interest).
  23. Transparency & Data Subject Rights
  24. Data Subject Rights
     • The right to access
     • The right to rectification
     • The right to erasure
     • The right to restrict processing
     • The right to data portability
     • The right to object
     • Rights related to automated decisions, including profiling, with legal or significant effects
  25. Profiling & Automated Decision Making
     • Profiling is automated processing, analyzing, or predicting a person’s preferences, interests, behavior, etc.
     • It must be justified through one of the legal justifications, e.g. consent or the legitimate interests of the controller.
     • Where an automated decision, including profiling, has legal effects or similarly significantly affects a user, it is regulated more strictly.
     • It can then only be justified through the explicit consent of the user.
  26. Profiling & Automated Decision Making: examples
     • Automated review of credit applications
     • Automated recruitment practices, e.g. candidate selection through an algorithm
  27. So what can I do if I’m not ready for GDPR day on Friday?
  28. So what can I do if I’m not ready for GDPR day on Friday?
     1. Determine whether GDPR applies.
     2. Take stock of all data processing activities.
     3. Conduct impact assessments.
     4. Create a compliance roadmap.
     5. Appoint a DPO.
     6. Get help, engage with industry, stay informed.
     7. Help others.
  29. Thank you!
     Matthias Matthiesen, matthiesen@iabeurope.eu
     Chris Hartsuiker, hartsuiker@iabeurope.eu
     Or come find us during Interact!