GDPR and Conversant: How we have, and will continue to prepare

Both Conversant and CJ Affiliate by Conversant support the principle of GDPR – to strengthen and unify data protection for all individuals in the EU – and are already well positioned to provide compliant services. While the implementation of GDPR by the EU evolves, this is how Conversant and CJ Affiliate by Conversant have, and are continuing to prepare for its launch.

GDPR: What, when and why?

On May 25, 2018, the General Data Protection Regulation (GDPR) is going into enforcement. GDPR replaces the existing data protection law in the EU called the EU Data Protection Directive. It is a regulation that intends to strengthen and unify data protection for all individuals in the European Union.

GDPR will significantly affect organisations worldwide which collect and/or process personal data of individuals working, visiting or residing in the EU. Specifically, the regulation impacts how companies collect, process, retain and delete personal data. For instance, there are new, enumerated obligations around breach notification and “accountability.”

How Conversant is continuing to prepare

Conversant has been working hard to prepare for GDPR, and will continue to do so as its implementation by the EU evolves. In particular, Conversant has:

Educated senior executives about GDPR obligations, and will continue to do so;
Created a network of associates charged with ensuring compliance with GDPR for each business practice;
Been building tools and processes that meet GDPR's access and choice requirements;
Provided and will continue to provide training to associates around the enumerated obligations of GDPR, such as responding to data subject access requests;
Brought its data inventory and mapping process up-to-date, including revising its data classification standards, per the refined definitions of Personal Data in the GDPR;
Continued to ensure it has a lawful basis to collect, use and store data, as enumerated by GDPR;
Created, and will continue to update, its GDPR remediation and implementation plans by solidifying its internal privacy network and appointing privacy “champions” in each business practice;
Continued to review and update policies around data subjects’ rights as outlined under GDPR;
Continued to review and update security procedures and policies to determine what, if any, additional procedures or policies it will need to revise or implement to ensure its compliance;
Commenced revising agreements with clients and vendors to reflect contractual requirements set forth in GDPR.

Conversant has created teams of associates from cross functional business lines to manage our GDPR preparation. These include technologists, engineers, security professionals and the legal team. These teams work together to review our services and technology platforms to help safeguard both Conversant and its clients.

Conversant continues to monitor and study the additional guidance documents released by local Data Protection Authorities and the Article 29 Working Party to better understand its obligations. Conversant is also continuing to lead industry efforts around comprehending how GDPR applies to its businesses. Working closely with industry groups, such as the Interactive Advertising Bureau (IAB) in the EU and the UK, Conversant is helping to shape and create guidance materials to present to the local Data Protection Authorities and Industry as a whole that will help address existing open questions around certain GDPR requirements.

Conversant urges its clients, partners and vendors to review and understand their responsibilities under GDPR, as compliance is a collective responsibility. This includes changes around obtaining data subjects’ consent and enhanced data subject access rights.