Both CJ Affiliate and Conversant support the principle of GDPR—to strengthen and unify data protection for all individuals in the EU—and are already well-positioned to provide compliant services.
While the implementation of GDPR by the EU evolves, this is how CJ Affiliate and Conversant have prepared, and are continuing to prepare, for its launch.
GDPR: What, When and Why?
On May 25, 2018, the General Data Protection Regulation (GDPR) becomes enforceable. GDPR replaces the existing data protection law in the EU, the EU Data Protection Directive. It is a regulation intended to strengthen and unify data protection for all individuals in the European Union.
GDPR will significantly affect organizations worldwide which collect and/or process personal data of individuals working, visiting or residing in the EU. Specifically, the regulation impacts how companies collect, process, retain and delete personal data. For instance, there are new, enumerated obligations around breach notification and “accountability.”
How We are Continuing to Prepare
We have been working hard to prepare for GDPR, and will continue to do so as its implementation by the EU evolves. In particular, we have:
- Educated senior executives about GDPR obligations, and will continue to do so
- Created a network of associates charged with ensuring compliance with GDPR for each business practice
- Started building tools and processes that meet GDPR's access and choice requirements
- Provided and will continue to provide training to associates around the enumerated obligations of GDPR, such as responding to data subject access requests
- Brought our data inventory and mapping process up to date, including revising our data classification standards, per the refined definitions of Personal Data in the GDPR
- Continued to ensure we have a lawful basis to collect, use and store data, as enumerated by GDPR
- Created, and will continue to update, our GDPR remediation and implementation plans by solidifying our internal privacy network and appointing privacy “champions” in each business practice
- Continued to review and update policies around data subjects’ rights as outlined under GDPR
- Continued to review and update security procedures and policies to determine what, if any, additional procedures or policies we will need to revise or implement to ensure our compliance
- Commenced revising agreements with clients and vendors to reflect contractual requirements set forth in GDPR
Along with Conversant, we have created teams of associates from cross-functional business lines to manage our GDPR preparation. These include technologists, engineers, security professionals, and legal experts. These teams work together to review our services and technology platforms to help safeguard CJ Affiliate, Conversant and our clients.
We continue to monitor and study the additional guidance documents released by local Data Protection Authorities and the Article 29 Working Party to better understand our obligations. We are also continuing to lead industry efforts around comprehending how GDPR applies to our businesses. Working closely with industry groups, such as the Interactive Advertising Bureau (IAB) in the EU and the UK, we are helping to shape and create guidance materials to present to the local Data Protection Authorities and the industry as a whole that will help address existing open questions around certain GDPR requirements.
Together with Conversant, we urge our clients, partners and vendors to review and understand their responsibilities under GDPR, as compliance is a collective responsibility. This includes changes around obtaining data subjects’ consent and enhanced data subject access rights.
Information Commissioner’s Office (ICO UK Data Protection Authority)
Overview of the General Data Protection Regulation (GDPR)
Preparing for the General Data Protection Regulation (GDPR): 12 Steps to Take Now
Guidance: What to Expect and When
Interactive Advertising Bureau (IAB)
IAB UK GDPR Checklist
IAB Europe GIG: Working Paper on the Definition of Personal Data
Legitimately using Legitimate Interests – New Guidance