This is the second part of the article series; click here to read the first part.
While most individuals understandably seem to support the GDPR, since it clarifies and solidifies their rights to online privacy, companies can't be expected to react in the same fashion.
Companies have a responsibility to protect end-user data both from hackers and from internal malpractice or negligence. But looking at regulation like the GDPR, and assuming that other, even stricter regulations will follow it in the future, it feels like the end goal is to remove responsibility from the individual entirely.
Taking the necessary precautions to protect the data takes plenty of work hours and resources – things that companies don’t like to expend for anything that doesn’t help their bottom line.
Considering that a significant portion of hacking today doesn't involve breaking into databases or anything similarly sophisticated, but rather techniques hackers call "social engineering", such as phishing and vishing (as can be seen in this frightening demonstration on CNN), it's easy to imagine a situation where a person who gets hacked simply because he isn't tech-savvy or is gullible would claim that the company holding the data in his compromised account is at fault.
In a theoretical case like this, the company should be able to defend itself, and the legal system should be able to recognize that it had no way to prevent the incident. Still, it's not far-fetched to believe that in one of a hundred or a thousand such cases a wrong verdict would be reached, or that hackers would find a way to remove any trace of their social engineering. What's certain in all of these scenarios is that it's a huge waste of time and resources for the company.
Preparing for the GDPR the Right Way
Looked at that way, it's easy to see why companies won't automatically lean towards expending resources willy-nilly on every regulation update, especially not one as massive as the GDPR. So how should a company in ad-tech react to the GDPR in a sensible way?
Luckily, we have Yigal Deitcher, Adv. from ConsulTech to help us make sense of the GDPR in this short interview. I hope you find his answers and insights useful – I know I did.
Hi Yigal, thanks for your time. Before we go into questions about the GDPR, can you please tell us a little bit about your professional background in general and in ad-tech specifically?
I spent a few years at GKH, a top law firm, before I moved to work as in-house counsel at ironSource. After a few years at ironSource I joined ConsulTech, which provides compliance, legal and strategic consulting to tech companies with an emphasis on data-centric and AdTech companies.
The founder of ConsulTech, Hilla Shribman, also worked as in-house counsel at ironSource and then in the AdTech department in HFN before founding ConsulTech. We are absolute experts in data, internet and privacy laws.
Thanks. So about the GDPR, can you share a short description of what it is actually, from a broad perspective?
The GDPR, set to go into effect on May 25, 2018, is an iteration of the existing data protection law defined and enforced by the European Union. The GDPR is a substantial overhaul of the existing data protection framework under the European Union Data Protection Directive, as the world and technology have greatly evolved over the years.
The GDPR imposes new rules on organizations that offer goods and services to people in the EU, or that collect and analyze personal data tied to EU data subjects.
Failure to comply with the GDPR can result in extremely high fines: up to the higher of 4% of global turnover or €20 million.
It is important to note that the GDPR expands the definition of “personal data” to include data sets such as advertising identifiers like IDFA and the Google Advertising ID, as well as IP addresses, geolocation data, etc.
What type of companies will GDPR impact the most? Do you think it was designed to impact a specific type of company more than others?
The GDPR will affect companies' collection of personal data in Europe. Furthermore, as I mentioned, the GDPR expands the definition of "personal data" to include data sets such as advertising identifiers like IDFA and the Google Advertising ID, as well as IP addresses and geolocation data.
This means it will affect almost all companies worldwide, and especially almost all AdTech companies. The only companies that will for sure not be affected are mom-and-pop shops in Arkansas. In my opinion, it will affect the large enterprises that monetize users' data the most, such as Google and Facebook.
Let’s say I own a company that resides outside of Europe and has some activity (but not all of it) in Europe, and I don’t make any of the changes required to be compliant with the GDPR – how realistic and likely is it that I would be prosecuted for a violation, and how can it be enforced?
Countries all around the world are catching up with the GDPR. We call it the Global Data Protection Regulation because it affects companies on a worldwide basis. Countries all around the world, including Israel, are legislating similar laws. As for enforcement, at this time it is very difficult to determine, but our assumption is that the local data protection authorities will enforce their own legislation.
Further, the “Internet Gatekeepers” (i.e. Facebook, Google, Apple and Microsoft) have already begun full implementation and compliance for the GDPR. The Internet Gatekeepers are requiring all other Internet companies to comply with the GDPR as well as their revised guidelines.
Thus, not complying with the GDPR can lead not only to extraordinarily high fines but also to detection, removal and being blocked from using their applicable platforms.
Let’s say there isn’t much risk of being prosecuted after performing a violation for companies that don’t reside in Europe – what kind of other business-related repercussions can occur when choosing not to comply?
Cybersecurity is a greater challenge than ever for enterprises and their leaders. Evidence for this proposition is all around us. It is found most obviously in the seemingly unending series of breaches and hacks that some of the world’s most prominent companies and government agencies have fallen prey to in recent years: Ashley Madison, Uber, Equifax, Sony, Yahoo and many others, doubtless including more than a few organizations whose names have been withheld from the public.
Part of the GDPR is ensuring security for personal data and mandatory data breach policies. Non-compliance can lead to a PR nightmare for a company.
In addition, from our experience, partners are sending due diligence questionnaires as well as partner policy updates, which require partners to comply with the GDPR, including providing representations and warranties in this regard. Thus, non-compliance can also lead to risking partnerships with key players. Today, it is a business advantage to be able to provide statements to partners that you are fully GDPR compliant.
From our point of view, it seems that some companies are overreacting to the new legislation – do you share that opinion? How should smaller companies (under 50 employees) approach preparing for the new regulations?
I believe that some companies are overreacting. However, some of the basic steps which can be taken to ensure compliance should be carried out by all companies regardless of size. We recommend using an attorney who is a privacy expert and who will tailor the preparation to the company. At a minimum, each company should map out all of the personal data it collects and the legal basis for such collection.
Do you think that every company that holds personal information of European users should hire an attorney (assuming they don’t employ one already) in order to properly prepare for the new regulations?
I think it is best, at a minimum, to discuss the regulations with an experienced privacy attorney who understands the GDPR, to better assess what should be done by such company. I further recommend that you discuss with such attorney as soon as possible in order to begin the GDPR process, as just the data mapping can take quite a decent amount of time and effort on the part of multiple parties within the company.
Generally, what are your thoughts about the GDPR? Do you think the regulations would significantly improve the online privacy of European citizens?
The GDPR was necessary as the world of tech is evolving at an exasperating rate. The data that small companies hold on users is enormous. Moreover, the Directive which the GDPR replaced was not adopted by all of the countries in Europe, and therefore it was very difficult to comply with all the different data laws in Europe. The GDPR will be one regulation which, coming May, will be binding on all of the countries in the European Union.
This regulation is not only about EU citizens, it's about every user around the world. As I mentioned, many countries are adopting similar legislation, including Israel. The US is also moving towards updated legislation with regard to data protection. It is important to note that companies will not stop collecting personal data, but they should be protecting such personal data.
How do you help companies prepare for the GDPR? How long is the process? Is it too late to start?
As all of the attorneys in our firm have previously been in-house counsel, we don’t simply explain the GDPR to our clients, we provide a full implementation of GDPR compliance. The process really differs from company to company.
An AdTech company which solely collects IP addresses and a medical device company which collects users' heart rate in real time will not have the same process or the same requirements under the GDPR.
The GDPR compliance process has the following three main steps: data mapping, implementation of GDPR requirements and documentation.
The data mapping allows us to understand which data the company collects, stores and uses as well as the internal data practices.
During the implementation of GDPR requirements, we will review and revise many of the company’s legal documents including commercial agreements, privacy policies, consent flow, data processing agreements as well as many additional documents.
During the documentation phase, we will draft internal policies, such as an employee manual, employment training, data breach policies, security policies, etc.
It is certainly not too late to start. On May 26, 2018, not every company will receive a letter ordering them to pay 20M Euros in fines. However, it is best to begin the process as soon as possible. Even if, the day after the GDPR goes into effect, the company hasn't completed all steps for 100% compliance, there are steps that can be taken in order to be able to show that the company takes the privacy of its users seriously.
Make sure to check back in a couple of weeks or sign up for our newsletter to read the next parts of our Privacy Matters series.