The European Union’s General Data Protection Regulation (GDPR) is no longer on the horizon. By May 25, 2018, all companies handling European data must comply with this new law, which governs how personal data is collected, used, and protected and provides stronger data subject rights.
At a high level, the GDPR introduces significant changes that impact your engagement with consumers and could affect the way in which LiveRamp will be able to support those programs. These changes fall into the following categories:
- Transparency and Consent
The legal grounds for collecting and using personal data will require a new level of notice and consumer consent (European lexicon for choice). The GDPR’s requirements, including that consent must be freely given, unambiguous, and not inferred from inaction, will mean that many data collection methods need review and updating.
- Data Protection/Governance
The GDPR updates a number of data governance concepts that will create significant new operational obligations for many organizations. These include, but are not limited to, how data is transferred, mechanisms for providing data subjects (European lexicon for consumer) with access and control over their data, data protection by design and default (European for privacy by design principles), data protection impact assessments, breach notification obligations, and codes of conduct.
LiveRamp has approached the GDPR with our Data Ethics method, which goes beyond minimal compliance with the law. Our data ethics approach starts in the engineering layer and includes detecting and preventing hidden harms, such as bias or discrimination, and ensuring data use is fair, most importantly to the individual that the data relates to.
“Our perspective on the ethical use of data accommodates fair market practice, but also goes a step further in considering the impact of the data use or of the data activation,” said Sheila Colclasure, Global Chief Data Ethics Officer for Acxiom and LiveRamp. “You have to ensure that it’s human-centered, that it’s ethical — meaning that it’s legal, just, and fair — and that the data subject, or consumer the data use relates to, would agree that it’s fair.”
Consequences for noncompliance with GDPR are significant and can have repercussions across the industry. Companies found to be in breach of the law can be fined up to “4% of annual global turnover or €20 million (whichever is greater).” So for the past 18 months, in addition to the significant work we have done to keep ourselves in compliance, we have also been working to help our partners and the rest of the ecosystem.
“We’re collaborating with our partners and providing tools and guidance to help them get ready for GDPR. We’re doing what we can to help get the ecosystem and digital ad-tech stack ready,” Colclasure shared.
As with any law of its kind, GDPR compliance is a continuous process, not “one and done.” At LiveRamp, we address compliance with our data ethics program, ensuring that data we collect, activate, and transform is above and beyond legal minimums. Our data ethics program covers data governance, data protection, and privacy, ensuring that as we accelerate into a data-driven digital future, we are legal, just, and fair. This creates trust in our marketplace, in us, and in the brands we serve, as the details of the GDPR are still subject to interpretation. There is a significant amount of detail related to each article of the GDPR, and we recommend consulting a data protection specialist to understand the specific impact on your business.