Everything You Need to Know About GDPR

Sulaiman Beg

May 23, 2018

GDPR is a regulation that you’ll want to take seriously.

The General Data Protection Regulation, or GDPR as it’s more commonly known, goes into effect across the European Union Friday (May 25), introducing much tougher rules on data privacy.

Hossein Houssaini, Global Head of Programmatic Solutions at Havas, and Danièle Nguyen, Havas Group’s newly named Data Protection Officer, explain why everyone should learn about GDPR and its global ramifications.

General Data Protection Regulation (GDPR) has been dubbed by the media “the greatest shake-up in privacy legislation in more than 20 years.” In simple terms, what is GDPR?

The premise of GDPR is to give consumers more transparency and control over how their personal data is used. GDPR replaces the 20-year-old Data Protection Directive as Europe’s data protection law.

“Controllers” and “processors” of data need to comply with the new regulation. A data controller declares how and why personal data is processed, while a processor, as the word indicates, is doing the actual processing of the data. So the controller could be any organization, from a profit-seeking company to a charity or government. A processor could be an IT firm or an advertising agency doing the actual data processing on behalf of a client. Media agencies are usually both, acting as processors for their internal data and controllers when acquiring data from consumers or acting as third parties for clients.

GDPR becomes applicable on May 25, 2018, and applies to all companies within the EU and to non-EU companies processing personal data of EU residents. Even if controllers and processors are based outside the EU, they can’t avoid penalties should they fall short of GDPR compliance when dealing with data from EU residents.

The directive has been updated to protect EU residents and give them control of their personal data and how it is processed.

The new regulation covers information on identified or identifiable individuals that has been collected through online identifiers, such as unique cookie IDs, email addresses, and IP addresses. Pseudonymous data is also considered personal data, as are hashed email addresses. Only anonymous data is outside the scope of GDPR. Not all online IDs are personal data, but most data used in the context of digital advertising likely is and, when in doubt, it is safest to treat such data as personal data.

You’ve probably noticed that you have been receiving emails recently from companies providing online newsletters you signed up for asking you to opt in again.

So, how do you become GDPR compliant?

There are many requirements you’ll have to implement to make sure you’re in line with the regulation. Here are data subject rights to think about:

  • Rectification – If a security violation of personal data occurs, you have 72 hours to inform both your customers and any data controllers of the data breach.
  • Portability – Data Portability gives users rights to their own data. They must be able to get their data from you and reuse that same data in different environments.

Put simply, GDPR is a regulation that you’ll want to take seriously.

GDPR will go into effect May 25 in the EU, but its effects are global. How will it affect our teams and clients?

Everyone gets reevaluated! That is a fact! From that date, agencies are responsible for making sure the vendors they work with are compliant.

Our legal teams, our Data Protection Officer (DPO), and IT will continuously evaluate vendors as part of agency life, collaborating on this together with our local entities to demonstrate that we are complying with GDPR. There will be more questions from clients on how we process data and activate it. If you are not sure how to answer them, please contact your local DPO.

GDPR will probably result in less data available to process. It is essential to understand that at least one of the following scenarios must apply before you process personal data:

  • Consent: the data subject has given consent to the processing of his or her personal data for one or more specific purposes;
  • Contract: processing is necessary for the performance of a contract to which the data subject is party or in order to take steps at the request of the data subject prior to entering into a contract;
  • Legal obligation: processing is necessary for compliance with a legal obligation to which the controller is subject;
  • Vital interests: processing is necessary in order to protect the vital interests of the data subject or of another natural person;
  • Public task: processing is necessary for the performance of a task carried out in the public interest or in the exercise of official authority vested in the controller;
  • Legitimate interests: processing is necessary for the purposes of the legitimate interests pursued by the controller or by a third party, except where such interests are overridden by the interests or fundamental rights and freedoms of the data subject which require protection of personal data, in particular where the data subject is a child.

I recommend taking the GDPR Essentials course on the Havas University website as all our teams need to become familiar with GDPR.

What impact will GDPR have on digital marketing?

So far, there is much speculation about what may happen, but, in general, it seems that companies will lose a portion of their first-party data. Agencies hope they’ll get consent for programmatic campaigns through publishers (second-party data) as consumer-facing businesses. If publishers cannot obtain consent, agencies may have to scale back their targeting strategies around programmatic and rely instead on contextual data or private or curated marketplaces.

Clients should reconsider whether they can better invest in a more exceptional experience onsite, generating more traffic and first-party data that give greater insight into the audience to target them programmatically. However, that will take time, and other channels such as DOOH or Audio may get more attention as ways to address messages to consumers.

Overall, it is a chance for us to create better advertising! It will be an extensive opportunity to consult our clients in the future on content, data, and activation strategies, with strong talent in our Havas Villages mapping meaningful and complete CJs to generate smart data, empowered through great experiences addressing the right audience using the right channel.

Is it essential that companies outside the EU become knowledgeable about GDPR?

Yes, it is. If a company works with data from European Union citizens, it needs to comply with the law; otherwise, it can be fined.

What steps is Havas taking to ensure that we are GDPR compliant?

Havas Group has designed a global GDPR program that will be progressively communicated to the different audiences. A leadership team will lead and implement the program.

The GDPR Program team will make guides and templates available on Agora. And the achievements of the program will be monitored by the DPO—who’ll be monitoring our accountability. We’ll also publish a Data Protection Annual Report that’s accessible to clients, authorities, and any other stakeholders to provide transparency at Havas regarding our practice in personal data processing.

In addition, anyone can share their questions and concerns with the DPO team by emailing dpo@havas.com.

Sulaiman Beg is Havas' Director of Global Internal Communications. He has never eaten canned tuna fish.
