The General Data Protection Regulation (GDPR) comes into effect on 25th May 2018. Although the ePrivacy Regulation was intended to come into effect at the same time, the wording is still likely to change from its current form, and therefore is no longer anticipated to be ready on the same date.
What is the GDPR?
The General Data Protection Regulation (GDPR) will come into force on 25th May 2018. It represents a once in a generation change to the way personal data is regulated in the EU, replacing an existing legal framework which did not foresee the rapid increase of the use of personal data by businesses that has become commonplace in the last 20 years.
How does the GDPR impact the affiliate marketing industry?
GDPR’s increased scope and application to types of personal data which, depending on the context, may be currently unregulated, is of particular relevance to our industry as this data will now be subject to regulation. This may include device IDs, cashback member ID, customer reference numbers and other technical identifiers. Furthermore, GDPR places stricter requirements for obtaining user consent to personal data processing.
We do not anticipate a considerable impact to affiliate marketing, however we expect that in some instances, behavioural advertising and other performance based marketing, which relies heavily on user profiles for the sending of targeted advertising, may be subject to greater regulatory obligations.
Will Awin need to gather consent for tracking?
The GDPR maintains the ability to lawfully process personal data without user consent, subject to the implementation of appropriate safeguards for privacy. Awin has implemented a balancing test in the course of its privacy impact assessment and has concluded that it can justify the processing of personal data for its basic tracking technologies under legitimate interest. Although this is the approach Awin is taking under the GDPR, the ePrivacy Regulation may impose stricter requirements on gathering consent. Awin will continue to monitor these requirements as the negotiations of the Regulation progresses and will ensure that its activities remain compliant.
What should I do to ensure my business is ready for GDPR?
All businesses should examine their uses of personal data in the context of GDPR. In some cases, particularly where a business makes use of large amounts of personal data, a more formal assessment of personal data usage is required. This is a process which requires careful consideration, as the new law is applied to each aspect of a business' personal data processing. The IAB UK provide useful, practical information on auditing your business and what to take into consideration in its GDPR checklist.
How are Awin and affilinet preparing for the GDPR?
Awin is taking detailed legal advice on how it can best comply with GDPR, with minimum disruption to its existing operations. This includes an in-depth assessment of its impact on individual privacy for each aspect of its business, including both the Awin platform and the affilinet platform.
Having considered the impact on individual's rights, Awin is comfortable that it can lawfully process personal data for its tracking services on the basis that this processing is necessary for Awin to pursue its legitimate interests. This means Awin will not depend on individual consent as the legal basis for the processing of personal data, as part of its tracking services under GDPR.
Awin is also implementing several safeguards and compliance measures, as required to protect individual's rights and freedoms, and as set out in the GDPR. This includes minimising personal data processing wherever possible, publishing notices to explain how data is processed, and appointing specialist members of the team to serve as data protection officers at both group and national level.
Historically, data protection laws have been accompanied with detailed regulatory guidance issued over a number of years. GDPR is a new set of regulations, for which regulatory guidance is still awaited in respect of several key aspects. In the absence of such guidance, our assessment is limited in some cases to the wording of the GDPR itself. As regulatory guidance is issued, we may be required to revise our position or take additional measures to ensure compliance. Any measures that may have an impact on our partners will be clearly communicated in a timely manner.
What are the next steps?
We aim to conclude our assessment well in advance of the GDPR taking effect, to ensure that we and our partners have sufficient opportunity to implement any changes necessary to comply with GDPR.
Whilst assessing our tracking technologies under the GDPR, we are also preparing an in-depth assessment establishing to what extent Awin acts as a data controller or processor in its relationship with advertisers and publishers. In the coming weeks we will share Awin's position and how this will impact our future contractual data privacy terms.
In the run-up to 25th May, we will continue to share practical guidance for our partners to ensure they’re GDPR ready via our dedicated portal: awin.com/RGPD (en Francais).
In the meantime, if you have any questions regarding GDPR contact us here.