June 2020 update on our Special Category Data work
As we launch our guide to special category data under the GDPR, find out what else we’re doing in this area to help members understand and minimise potential risks relating to special category data
In our response to the ICO’s Update report we identified a number of actions we would take in relation to special category data. These included developing UK-focused guidance on the Content Taxonomy; education for the industry on special category data restrictions and requirements; and work to identify potential controls to minimise the risks of special category data arising from the use of other data (such as the content of referred URLs and other information related to bid requests), if it is used in certain ways.
Today we have published our guidance for the industry on special category data, to help companies understand what special category data is and what the restrictions are on its processing under the GDPR. The guidance also identifies how special category data can potentially arise from the information and data that is used in RTB, depending on how and for what purpose it is used, so that companies can put in place appropriate mitigations and controls. Read more and access the guidance here.
Over the last six months, we have also been exploring what role IAB Tech Lab’s Content Taxonomy could have in minimising the potential risks. For example, we have looked at potentially developing short-term guidelines for the UK market to restrict the use of certain kinds of content categories in bid requests in the UK market. We carried out extensive research and have concluded that none of the options are currently viable and that, in fact, content categorisation has a vital role to play in helping companies in the supply chain identify potential risks relating to special category data, particularly given the changes that Tech Lab is making to the Content Taxonomy.
As part of ongoing efforts to put privacy-by-design principles into practice, IAB Tech Lab recently introduced additional safeguards into some of the most widely used standards in its portfolio: OpenRTB, Content Taxonomy, and Audience Taxonomy.
The Content Taxonomy 2.1 introduces an extension (indicator) to taxonomy nodes that could be used to generate sensitive or special category data and provides a clear signal to supply chain participants regarding the privacy implications of storing it. Associated updates to the AdCOM (Advertising Common Object Model) / Open RTB guidance have been made that specify that all exchanges that use the protocol should account for all local legislation and not pass any content taxonomy node that has the ‘sensitive data’ indicator
The Audience Taxonomy 1.1. update aligns much of the nomenclature with the new Content Taxonomy updates and deprecates segment names that could be used to describe sensitive data types
We expect both these updated versions to be released to the market at the start of Q3 2020. We recommend that, if you use either of these taxonomies, you put in place plans to implement the updated versions and review/update your data storage and related practices accordingly. If you use other taxonomies, or other approaches to categorising content or naming audience segments, we recommend that you review them, taking into account our special category data guidance, and update them if necessary.
Finally, we are also continuing our ongoing work to more fully explore how and where risks can arise of special category data being inadvertently processed (depending on how and for what purpose it is used) in the RTB supply chain, and to identify specific controls that can be used to minimise those risks. We are in the process of developing policy-based proposals and will share these with members in the coming months.