UKOM has published a Question & Answer document about the EU’s proposed General Data Protection Regulation (GDPR) legal framework and its implications for UKOM and its stakeholders.
Q. What is the EU General Data Protection Regulation (GDPR)?
A. The GDPR (EU Regulation 2016/679) is a new legal framework – building on existing data protection laws - governing the use of personal data across EU markets. It updates existing laws to reflect the digital world that we live in today and aims to give people greater control over their personal information. It therefore places more obligations on those organisations processing it.
Q. What data is actually regulated by the GDPR?
A. The GDPR applies to all personal data. The definition of personal data is more expansive than under existing data protection law and includes scenarios where an individual is either ‘identified’ or ‘identifiable’. In this context it specifically includes the use of online identifiers (e.g. cookies). Therefore data should not be assumed to be anonymous or non-personally identifiable. In a nutshell, more data is now regulated by the GDPR.
Q. When does the GDPR come into force?
A. The GDPR will apply from 25 May 2018. It will repeal the existing European Directive as well as all the national data protection legislation that stems from it (e.g. UK Data Protection Act 1998). Under the GDPR, EU regulators have greater powers for dealing with non-compliance and breaches (e.g. a maximum fine of up to €20m or 4% of global annual turnover - whichever is greater - can be issued, but this will depend on the nature of the breach).
Q. Will it apply across all EU markets?
A. Yes. As a ‘Regulation’ it will apply directly across all EU (and European Economic Area (EEA)) countries, aiming to provide a consistent level of data protection for people as well as a streamlined approach for organisations. It therefore seeks to address any fragmentation in existing EU data protection law. However, the GDPR will have a global impact: it will apply - regardless of where the organisation is actually located - when an organisation (i) is directly offering goods or services to individuals in the EU, regardless of whether a payment is used; and / or (ii) is monitoring individuals’ behaviour in the EU.
Q. What does the GDPR mean for UKOM?
A. Working with its industry stakeholders (IAB, the Association for Online Publishers (AOP), ISBA – the Voice of British Advertisers and the Institute of Practitioners in Advertising (IPA)), UKOM seeks to define and govern a common UK industry standard for online measurement. It does this by endorsing data supplied under contract by third party audience measurement specialist, Comscore. Comscore measures people’s usage of the internet in the UK - including what sites they visit, what apps they use, on what kind of device, and how often and for how long - using a hybrid approach of both people panel and census network data. The GDPR applies to Comscore’s use of personal data in audience management. UKOM is Comscore’s customer: UKOM does not collect, process or own any personal data itself.
Q. What is Comscore doing to comply with the GDPR?
A. Comscore is in the process – via an International Working Group - of taking all the necessary steps to comply with the GDPR, including evaluating all data processing activities (including those of publishers and third parties), reviewing contracts, as well as updating privacy / security procedures and notices, to ensure they are in line with the GDPR in advance of 25 May 2018. Where appropriate, this also includes where Comscore – working with publisher partners - will seek the consent of users to process their personal data. Comscore is providing UKOM with regular briefings as to how it is preparing to comply with the GDPR. This particular set of FAQs will be updated on a regular basis outlining progress.
Q. Does the GDPR supersede the ePrivacy Directive (aka ‘cookie law’)?
A. No. The ePrivacy Directive (as implemented nationally) is a sector-specific law and remains in place regardless of the GDPR applying from 25 May 2018. However, the ePrivacy Directive itself is likely to change (see below).
Q. What is the ePrivacy Regulation? How will it affect UKOM / Comscore?
A. The European Commission has published a new ePrivacy proposal which - when it becomes law - will replace the existing ePrivacy Directive. In a nutshell, the proposal applies to all electronic communications data – whether personal or not – and introduces a stringent consent standard. It also seeks to mandate consent via the settings of a browser, app or other software, rather than via a site itself. Site notices will still probably be necessary to agree to or revoke specific consent. However, it remains to be seen how audience measurement data will be regulated under any revised ePrivacy Directive. The proposal still has to go through the Brussels legislative process and more information will be available here as the process progresses.
Q. Will the GDPR apply in the UK when it leaves the EU?
A. Yes. In September 2017, the UK Government introduced national legislation to implement the GDPR in the UK - a post-Brexit data protection law. However - due to its territorial scope – most organisations operating across markets will need to continue preparing for the new EU law regardless.
Anything the UK chooses to do differently will still need to meet the standards in the GDPR to ensure free data flows and an effective digital economy.