What is GDPR?
GDPR (General Data Protection Regulation) is a European Union regulation that gives individuals in the EU control over the personal data that businesses collect about their digital profiles and usage behaviour. It is an EU law that binds any business that offers goods or services to, or monitors the behaviour of, individuals in the EU, regardless of where that business is located.
Please note: This blog post is an attempt to cover the basics of GDPR in simple terms. To understand specific details of whether or how your business will be impacted by GDPR, please consult your legal counsel.
When does GDPR take effect?
GDPR applies from 25 May 2018. Until then the Data Protection Directive (95/46/EC), passed by the EU in 1995, remains in effect; GDPR is widely regarded as a significant strengthening of that directive.
What does GDPR mandate - how is it different from current data privacy laws?
- Legal basis for data collection & processing: GDPR requires businesses to document which personal data attributes they collect from a user and to have a lawful basis for collecting and processing each of them. In many cases that basis is the user's explicit consent, which must be freely given, specific and informed, and can be withdrawn.
- More control to consumers: Users are given a set of rights over their data, among them the right of access (to obtain all the personal data an entity holds about them) and the 'right to be forgotten' (right to erasure), under which a business must be able to delete all such personal data, and demonstrate that it has done so, on the user's request. GDPR defines personal data as "any information relating to an identified or identifiable natural person".
- Privacy Assessments: Businesses subject to GDPR are required to assess their data security practices on an ongoing basis and to conduct Data Protection Impact Assessments (often called Privacy Impact Assessments) for processing that is likely to pose a high risk to individuals.
- Metadata on data collection & storage: GDPR requires businesses to keep records of consent, collection, processing and deletion of personal data so that compliance can be demonstrated. It also mandates written contracts, with specific required terms, with any external service provider that collects and/or processes personal data on behalf of the primary organization. This holds special relevance for analytics, ad-tech and other digital advertising solutions.
- Uniform applicability across EU: GDPR is a regulation and not a directive, which makes it binding and enforceable across all EU nations without the need for individual countries to pass legislation.
- Stiff penalties: There is a lot more at stake for organizations found to be non-compliant with GDPR, with fines of up to 4% of worldwide annual turnover or €20 million, whichever is higher. It is because of this that several smaller organizations with a negligible EU footprint are considering simply blocking traffic from the EU while they work on ensuring compliance.
How does GDPR impact Publishers?
Most digital publishers rely on subscriptions and/or advertising for their revenue. This involves collecting user data to ensure that the ads served are targeted and relevant, as well as collecting browsing behaviour and audience interest information to personalize the user experience, newsletters and so on.
As a publisher, you rely on external tools for data analytics, audience profiling and ad serving. So while the data collection happens on your own website, your users' data may be stored and processed on your vendors' platforms.
Here's what you need to do, at a minimum:
- Ensure that you have a lawful basis to collect and process data from visitors to your website, including obtaining consent where necessary.
- Sign Data Processing Agreements (DPAs) with vendors who process personal data of EU data subjects on your behalf. Some vendors, such as Google, may identify themselves as joint controllers together with you, in which case you may need to agree to the relevant controller terms as well.
- Set up processes that ensure access controls, internal data privacy assessments and data security within your organization.
- Set up a process to notify the relevant supervisory authority (within 72 hours of becoming aware of a breach, where feasible) and, where the breach poses a high risk to them, the affected individuals.
- If you transfer data about EU data subjects to locations outside the EU, make sure you satisfy GDPR's international transfer requirements (for example, by signing a DPA that includes the appropriate standard contractual clauses with the processor you are sending data to).
There may be further steps you need to take, depending on the nature and volume of data you collect and the vendors you work with. Please consult your legal counsel for details.
Does NativeAI store or collect personal data?
NativeAI gathers data about readers in a way that is designed to provide anonymized insights, and we take care to gather only the data that is strictly necessary. In most cases no personal data about your readers should be gathered, but we also provide options to configure what kind of data we record for your website(s). Please read our integration instructions and contact us if you want to use these custom integrations.
GDPR defines two distinct sets of entities that collect, use and process data: data controllers and data processors. Data collection occurs on the publisher's own properties, and the ability to add or remove third-party services that obtain informed consent, collect data and process data rests with the publisher, who is therefore the data controller.
Is NativeAI compliant with GDPR? How do I sign NativeAI's DPA?
Publishers that use NativeAI to process data of EU data subjects will need to sign a Data Processing Agreement that lays out the roles, responsibilities and processes for ensuring that all the requirements of GDPR are met, both on the publisher's side and on NativeAI's side.
To review and sign your DPA with NativeAI, look for an email sent to the address you use to log in to your NativeAI account with the subject line "NativeAI GDPR Compliance" and follow the link in it to our DPA, or contact our Privacy Team at email@example.com.
If you have any questions at all about how NativeAI gathers, stores or processes data, please don't hesitate to reach out to firstname.lastname@example.org.
Note: This article is not a substitute for legal advice; for any questions relating to your liabilities under GDPR, please consult qualified legal counsel.