Quick Q&A - General Data Protection Regulation (GDPR)

Posted on: Sunday 25 June 2017

What is the GDPR? Find out more below.

What is it?

The EU General Data Protection Regulation (GDPR) is the new legal framework governing the use of personal data across all EU markets. It replaces existing national data protection laws and comes into force from 25 May 2018.

The GDPR updates the existing EU data protection framework. From a consumer perspective, the GDPR aims to give individuals more control of their personal information.

Organisations will require a legal basis to process personal data. There are six legal bases available, but those most commonly used in the digital advertising sector are ‘consent’ and ‘legitimate interests’.

The GDPR strengthens the conditions for consent. Consent will need to meet very high standards (e.g. it cannot be bundled with T&Cs) to be relied on as a legal basis for processing personal data. The user will also need to give consent ‘unambiguously’ with an affirmative action. Processing ‘sensitive’ personal data (e.g. racial or ethnic origin / sexual orientation) requires the user’s explicit consent.

In all cases, evidence that consent has been obtained will have to be recorded, meaning organisations that have no direct relationship with the user will have to find a way to obtain consent indirectly.

The GDPR also introduces increased sanctions: organisations can be fined up to €20m or 4% of annual turnover (whichever is greater) if they breach the law.

Who does it affect?

The GDPR regulates the use of all personal data, including the way organisations collect, share and use data. If an organisation is processing personal data about a person who is in the EU (NB: they do not have to be an EU national) then the new law applies, regardless of where the business is located.

All organisations engaged in digital advertising – whether brand advertisers, agencies, advertising networks, data/technology businesses or publishers – will be impacted.

The GDPR also introduces special protection for children’s personal information: if an organisation collects information about a child and is relying on consent to process it lawfully then it will need a parent’s / guardian’s explicit consent where the child is under 16 years old.

When will things change?

The new GDPR legal framework comes into effect on 25 May 2018 (and will apply to the UK, despite Brexit). We advise all digital advertising businesses to familiarise themselves now with the new rules and what they will mean, so they can develop and implement a compliance roadmap before the deadline.

How is the IAB working with industry to address this? 

IAB UK has already produced a number of resources to help our members understand the GDPR and its impact on their businesses. These include a detailed GDPR briefing document; a GDPR FAQ; and a members-only roundtable discussion with legal experts on GDPR.

Working with the Information Commissioner’s Office (ICO) and the Department for Culture, Media and Sport (DCMS), we have established a GDPR Working Group to help guide understanding of the new rules.

We will continue to provide more events and resources to support our members’ compliance with the GDPR ahead of it coming into effect in 2018.

Where can I find out more? 

The full text of the new law is available here.

The IAB’s detailed GDPR briefing document for the digital advertising industry

IAB FAQs on GDPR

UK Information Commissioner’s Office (ICO) - Overview of GDPR

UK Information Commissioner’s Office (ICO) - 12 preparatory steps

UK Information Commissioner’s Office (ICO) - what to expect and when

The EU Article 29 Working Party (EU guidance) 

Email any questions or comments you have to policy@iabuk.com. 
