With a little more than two months until the European Union’s General Data Protection Regulation (GDPR) goes into effect, only 6 percent of North American companies are fully prepared for the regulation.

For those who may not be familiar with the GDPR, it’s an EU regulation that will create uniform data privacy rules across the EU and that applies not only to EU-based companies, but also to any company across the globe that offers goods and services to EU citizens or monitors the behavior of EU citizens.

The practical effect is that any U.S. digital publisher or app developer engaged in interest-based advertising to EU citizens is subject to GDPR.

Violations Are Costly — and Compliance Is, Too

The stakes are high. Those violating GDPR could face fines of up to 20 million euros or 4 percent of annual global turnover. To avoid those fines, Fortune 500 companies are spending a combined $7.8 billion to become compliant, according to a Financial Times article (registration required).

U.S. publishers and app developers, however, must also prepare for a related requirement. Any transfer of an EU citizen’s personal data out of the EU into the U.S. must be done under an approved mechanism that protects the privacy and security of EU data.

Comply With Privacy Shield

There are three ways to ensure compliance. The first two include the use of binding corporate rules and standard contractual clauses, both of which are either limited in scope of coverage or can be time-consuming to implement. The third, and arguably the most convenient, is self-certification under the EU-U.S. Privacy Shield framework. Once certified, a U.S. publisher or app developer may receive EU personal data in compliance with the Privacy Shield and the GDPR. This approach could be the method of choice for many U.S. publishers.

What’s required? The U.S. Department of Commerce outlines all of the necessary steps at PrivacyShield.gov. In short, companies must commit to abide by the Privacy Shield principles, which means they will need to do the following:

  • Give notice to users about the types of data collected, the purpose for collection and who may access it. The “notice” principle is a fundamental aspect of compliance, and the company’s privacy policy should be reviewed to confirm that it includes all of the required elements. Companies will also need to designate an individual internally to be responsible for Privacy Shield compliance. This is why the job title of data protection officer (DPO) is growing in popularity. The International Association of Privacy Professionals (IAPP) estimates that as many as 75,000 DPO positions could be required as a result of GDPR.
  • Let consumers choose whether their information can be shared with others or used for a different purpose than originally approved. This is typically implemented through opt-out mechanisms that must be “clear, conspicuous and readily available.” And if data is shared, the third parties must provide the same level of protection that the Privacy Shield Principles require of the original company.
  • Implement security measures to protect customer data from unauthorized disclosure, destruction or misuse. In an era when data breaches are common, this step is crucial to maintaining customer trust. Privacy Shield guidelines acknowledge that different types of data warrant different levels of protection, and the Privacy Shield program allows companies to determine what measures are reasonable and appropriate for different data categories.
  • Minimize data collection. Some advertising technology companies have habitually collected as much information as possible from their customers, but the Privacy Shield program is forcing a shift. Companies can only collect data that is essential to accomplishing the stated purpose. In addition, that data can only be kept for the most limited time necessary to process it, and then it must be deleted or returned.
  • Grant consumers access to their data so they can confirm that it is correct or request that it be deleted. This Privacy Shield requirement might be too big of a burden in some cases, so companies can ignore this if the expense of providing access is disproportionate to the threat to the customer’s privacy. In practice, this will protect small and midsize businesses, not the Googles of the world.
  • Establish a recourse mechanism for individual consumers to dispute how their data is being collected and used at no cost to them. A few organizations that companies can work with include the American Arbitration Association, JAMS (the organization formerly known as Judicial Arbitration and Mediation Services), the Council of Better Business Bureaus, TrustArc (formerly known as TRUSTe), Privacy Trust, Verasafe and the Data and Marketing Association (formerly known as the Direct Marketing Association). Or they may work with data protection authorities under the rules set out in the Privacy Shield.

Privacy Shield Matches GDPR

Privacy Shield certification can be the best choice for U.S. digital publishers and app developers that receive EU personal data, but companies should work with their business and legal advisers to determine the path that’s best for them. Certification requires significant time and effort from many people in an organization, but a valuable benefit is that many of the Privacy Shield certification requirements match what GDPR requires. 

The next two months will be intense for publishers still working toward GDPR compliance, but following these steps will bring them much closer to reaching compliance by the May 25 deadline.