Keynote: Are You Ready for GDPR? - Michele Appello

PyData

26 Jun 201846:54

Summary

TLDRIn this informative talk, Michelle, a senior business director at Improve Digital, introduces her working paper, the 'GDPR Compliance Primer,' designed to guide businesses in digital marketing through the complexities of the General Data Protection Regulation (GDPR). She discusses her personal journey with GDPR, the necessity for compliance, and the potential impact on businesses, including hefty fines for non-compliance. Michelle outlines key definitions, steps for businesses to prepare, and the importance of understanding data processing and roles within it. She also addresses the broader implications of GDPR on industry practices and the potential for some companies to withdraw from the European market due to the regulation's stringent requirements.

Takeaways

📄 Michelle, a senior business director at Improve Digital, authored a working paper called the 'GDPR Compliance Primer' to guide businesses in preparing for the General Data Protection Regulation (GDPR).
🌍 The GDPR is a European-wide regulation that affects businesses globally, regardless of their location, if they process the personal data of European citizens.
🔒 The regulation emphasizes the protection of personal data and the security of that data, introducing strict rules and heavy fines for non-compliance, including penalties up to 20 million euros or 4% of global turnover.
📚 Michelle's deep dive into GDPR involved reading the regulation, understanding its implications, and creating a list of steps for her company to become compliant.
🏢 The digital marketing industry, which Michelle represents, relies heavily on data such as cookies and IP addresses, making GDPR particularly relevant and challenging for these businesses.
🤔 The GDPR raises questions about the role of businesses in data processing, distinguishing between 'controllers' who decide how data is processed and 'processors' who act on their behalf.
🔑 Key definitions under GDPR include 'personal data', which is broadly defined to include any information relating to an identifiable individual, and 'data processing', encompassing any operation on personal data.
🛠️ Michelle's company undertook a comprehensive audit of their data processing activities and security measures, categorizing them by risk level and conducting data protection impact assessments.
📋 The script highlights the importance of reviewing and amending existing contracts and privacy policies to ensure GDPR compliance and the need for appointing a Data Protection Officer (DPO) in certain cases.
🔒 GDPR introduces the concept of a 'one-stop shop', where a business deals with a single Data Protection Authority (DPA) for compliance, simplifying the process for companies operating across the EU.
📢 The importance of staying informed and enforcing GDPR compliance within an organization is emphasized, including communicating with clients and vendors about GDPR policies and procedures.

Q & A

What is the purpose of the GDPR Compliance Primer mentioned in the script?
-The GDPR Compliance Primer is a working paper written by Michelle a pillow to provide steps for businesses, particularly in the digital marketing industry, to prepare for and comply with the General Data Protection Regulation (GDPR).
What is the role of Improve Digital in the digital marketing ecosystem?
-Improve Digital is an ad tech company that operates in digital marketing. It functions as a sell-side platform, auctioning off ad space for publishers, broadcasters, and site owners.
What triggered the need for GDPR?
-The need for GDPR was triggered by the Charter for fundamental rights published by the EU in 2000, which included the right to the protection of personal data. The Edward Snowden incident in 2013, where he leaked classified information about global surveillance programs, brought privacy concerns to the forefront, leading to the establishment of GDPR.
What are the potential penalties for non-compliance with GDPR?
-Non-compliance with GDPR can result in heavy fines up to the greater of 20 million euros or 4 percent of a business's global turnover, which can be detrimental to small to medium businesses.
What is the definition of personal data according to GDPR?
-Personal data, according to GDPR, is any information related to an identified or identifiable natural person. This can be identified directly or indirectly through identifiers such as name, identification number, location data, or online identifiers like cookie IDs and IP addresses.
What is the difference between a data controller and a data processor under GDPR?
-A data controller decides how and why personal data will be processed, setting the rules and having a level of ownership over the data. A data processor, on the other hand, only processes data on behalf of the controller and must follow the controller's instructions.
What is the significance of appointing a Data Protection Officer (DPO) under GDPR?
-A DPO is responsible for ensuring that an organization's data privacy responsibilities are met. They are required in cases where local laws mandate it, when the business monitors data subjects on a large scale, or processes large amounts of sensitive personal data. The DPO has special protection under GDPR to maintain neutrality and perform their role without interference.
What is a Data Protection Impact Assessment (DPIA) and why is it important?
-A DPIA is a process of documenting and assessing the potential risks of a data processing activity or new product. It is important for ensuring compliance with GDPR and for identifying how to mitigate any risks associated with data processing.
What is the concept of a 'one-stop shop' in the context of GDPR?
-The 'one-stop shop' is a mechanism introduced by GDPR that allows for a uniform application of compliance across the EU. It simplifies the process for businesses operating in multiple EU countries by having a single point of contact with the lead Data Protection Authority (DPA) in the location of the business's headquarters.
How does GDPR affect businesses that operate outside of the EU?
-GDPR affects businesses outside the EU if they process the personal data of European citizens. They must comply with GDPR regardless of their location, and failure to do so can result in the same penalties as those faced by EU-based businesses.
What is the Transparency and Consent Framework developed by IAB Europe?
-The Transparency and Consent Framework is a standardized way to send lawful basis for processing personal data across the digital marketing ecosystem. It uses a JavaScript API and JSON files to communicate consent and lawful basis signals through the open Real-Time Bidding (RTB) protocol, providing transparency and an audit trail for compliance with GDPR.