The General Data Protection Regulation (GDPR) comes into effect May 25, 2018. Although ePrivacy Regulation was intended to come into effect at the same time, the wording is still likely to change from its current form, and therefore is no longer anticipated to be ready on the same date.
What is the GDPR?
The GDPR represents a once-in-a-generation change to the way personal data is regulated in the EU, replacing existing legal framework that did not foresee the rapid increase in the use of personal data by businesses that has become commonplace in the last 20 years.
How does the GDPR impact the affiliate marketing industry?
The GDPR’s increased scope and application to types of personal data, which (depending on the context) may be currently unregulated, is of particular relevance to our industry as this data will now be subject to regulation. This may include device IDs, cashback member IDs, customer reference numbers and other technical identifiers. Furthermore, the GDPR places stricter requirements for obtaining user consent to personal data processing.
We do not anticipate a considerable impact to affiliate marketing. However, we expect that in some instances, behavioral advertising and other performance-based marketing that relies heavily on user profiles for the sending of targeted advertising may be subject to greater regulatory obligations.
Will Awin need to gather consent for tracking?
The GDPR maintains the ability to lawfully process personal data without user consent, subject to the implementation of appropriate safeguards for privacy. Awin has implemented a balancing test in the course of its privacy impact assessment, and has concluded that it can justify the processing of personal data for basic tracking technologies under legitimate interest. Although this is the approach Awin is taking under the GDPR, the ePrivacy Regulation may impose stricter requirements on gathering consent. Awin will continue to monitor these requirements as the negotiations of the Regulations progress, and will ensure activities remain compliant.
What should I do to ensure my business is ready for the GDPR?
All businesses should examine their uses of personal data in the context of the GDPR. In some cases, particularly where a business makes use of large amounts of personal data, a more formal assessment of personal data usage is required. This is a process that requires careful consideration, as the new law is applied to each aspect of a business' personal data processing. The IAB UK provides useful, practical information on auditing your business and what to take into consideration in its GDPR checklist.
How is Awin preparing for the GDPR?
Awin is taking detailed legal advice on how it can best comply with the GDPR, with minimum disruption to its existing operations. This includes an in-depth assessment of its impact on individual privacy for each aspect of its business.
Having considered impact on an individual's rights, Awin is comfortable that it can lawfully process personal data for tracking services on the basis this processing is necessary for Awin to pursue its legitimate interests. This means Awin will not depend on individual consent as the legal basis for the processing of personal data as part of its tracking services under the GDPR.
Awin is also implementing several safeguards and compliance measures required to protect an individual's rights and freedoms, and as set out in the GDPR. This includes minimizing personal data processing wherever possible, publishing notices to explain how data is processed, and appointing specialist members of the team to serve as data protection officers at both group and national level.
Historically, data protection laws have been accompanied by detailed regulatory guidance issued over a number of years. The GDPR is a new set of regulations, for which regulatory guidance is still awaited in respect to several key aspects. In the absence of such guidance, our assessment is, in some cases, limited to the wording of the GDPR itself. As regulatory guidance is issued, we may be required to revise our position or take additional measures to ensure compliance. Any measures that may have an impact on our partners will be clearly communicated in a timely manner.
What are the next steps?
We aim to conclude our assessment well in advance of the GDPR taking effect, to ensure that we and our partners have sufficient opportunity to implement any changes necessary to comply with the GDPR.
While assessing our tracking technologies under the GDPR, we are also preparing an in-depth assessment establishing to what extent Awin acts as a data controller or processor in its relationship with advertisers and publishers. In the coming weeks we will share Awin's position and how this will impact our future contractual data privacy terms.
Leading up to May 25, we will continue to share practical guidance for our partners to ensure they’re GDPR ready via our dedicated portal: awin.com/GDPR.
In the meantime, if you have any questions regarding GDPR contact us here.