The EU’s General Data Protection Regulation (GDPR) is set to go into effect on May 25. It will dramatically change current data privacy laws throughout Europe, strengthening the protection of personal data.
If they want to avoid hefty penalties, companies that conduct business in the EU—or even process personal data originating from the EU—need to ensure their business practices adhere to the new law’s strict guidelines.
However, according to a recent report by Forrester Research, only about one-third of global companies say they are prepared for GDPR. Many have not yet completed the required work, which includes a data discovery process, data classification, data flow maps, and impact assessments—all of which will evolve their operating model toward privacy by design and by default.
One of the most important factors for companies to consider is GDPR’s expanded definition of what is considered personal data. Under the previous regulations, for example, information such as age, race, gender, geographic location, and job title was protected because it could be used to identify a specific person.
However, the new set of regulations broadens the data deemed personal to include medical information, pseudonymous data, cookie IDs, device IFAs, and other unique identifiers, such as IP addresses. This is particularly crucial for ad tech companies that harness first- and third-party data to help advertisers target viewers on over-the-top (OTT) or via connected TV devices.
To be clear, companies can still process personal data, but GDPR requires action and compliance, which may include collecting users’ consent or explaining their “legitimate interest” in processing that data.
The following infographic by SpotX, a video advertising and monetization platform for publishers, explains the history of GDPR and its goals, and provides a road map to compliance. (For more information, you can also check out SpotX’s webinar about GDPR coming up on April 3 and 4.)