VigLink is focused on educating employees on the nuances of the new GDPR legislation. We recognize that the security of personal information is an ever-increasing concern for our customers and we approach the GDPR legislation as an opportunity to enhance the robust compliance practices already in place at VigLink. Utilizing data responsibly and ethically is core to our mission of maximizing the value we provide to our incredible publishers and merchant partners. To this end, VigLink is taking the following measures to ensure GDPR compliance:
- Appoint internal stakeholders to manage the GDPR compliance process and ensure that VigLink practices and procedures center around the responsible use of personal data.
- Ensure that VigLink remains an industry leader for the secure collection, storage, and transmission of personal data.
- Improve upon our existing, comprehensive compliance program.
- Accelerate our ability to identify and mitigate potential security risks.
- Emphasize the privacy-by-design ideal in our product development process.
- Evaluate third-party tools and services that help facilitate GDPR’s access and consent policies for VigLink Publishers.
- Review agreements and contracts with third parties to ensure compliance with the regulatory framework.
- Update our internal privacy policies, disclosures, and agreements to provide maximum transparency into how personal data is collected and used.
What is GDPR?
The European Union General Data Protection Regulation (EU GDPR) is new legislation governing the use of personally identifiable information across all EU markets. It expands on the previous regulations governed by the EU Data Protection Directive, adopted in 1995. The GDPR is intended to provide consumers with more direct control of how their personal information is processed and used. Although the UK may choose to leave the EU in the future, the British Government has stated that it intends to implement the legislation equally alongside EU nations. Significantly, the GDPR introduces increased sanctions for noncompliance, stipulating fines of up to €20m or 4% of annual turnover (whichever is greater) for organizations that are not compliant with the new laws.
When does GDPR take effect?
May 25, 2018
Who is affected by the new GDPR Legislation?
Any business or site that collects, uses, or processes personal data from individuals in the EU, offers goods or services to EU residents, has a physical presence in the EU, or monitors the activity of EU residents.
What are the legal grounds for collecting Personally Identifiable Information?
GDPR legislation requires that you have a lawful basis for collecting Personally Identifiable Information (PII) and provides six legal grounds for doing so:
- Individual Consent: The individual has proactively provided clear, informed permission for the collection of their data.
- Legitimate Interests: Processing personal data is essential to the functioning of your business, for example to ensure compliance or prevent fraudulent activity.
- Contractual Obligation: The processing of personal data is required for the fulfillment of an agreed-upon contract.
- Legal Obligation: The processing of personal data is required to comply with a statutory obligation or common law.
- Vital Interests: The processing of personal data is necessary to protect or save someone’s life.
- Public Interest or Task: The processing of personal data is necessary in the exercising of official authority. This ground covers public functions and powers that are set out in law or those performed as a specific task in the public interest, as stipulated by the law.
What is considered Personally Identifiable Information under GDPR?
The GDPR defines ‘personal data’ as any information relating to an identifiable person who can be directly or indirectly identified, in particular by reference to an identifier. Personally Identifiable Information (PII) includes a wide range of data points that are attached to a specific consumer identity, including:
- Traditional PII such as: legal name, physical address, email address, payment information, etc.
- Identification numbers like: social security numbers, driver’s license numbers, etc.
- Online identifiers like: cookie IDs, IP address, device ID, browser agent, etc.
- Sensitive data like: gender preference, racial identity, sexual orientation, health data, genetic data, biometric data, religious and/or political affiliation, etc.
Where can I learn more about GDPR?
The IAB and ICO have provided outstanding resources for publishers to further educate themselves on their responsibilities under the new GDPR legislation. To learn more about how to comply with the new policies, please reference the following two sites:
- IAB UK GDPR Hub
- ICO Guide to GDPR
This blog post is intended to be supplemental educational information. It was not written by a lawyer and does not constitute legal advice. You will want to confer with your own legal counsel about obligations for your business under the new GDPR legislation.