General Data Protection Regulation (GDPR) Client Information
The proliferation of digital, mobile and internet-enabled devices means there is now more data than ever before about people’s preferences, interests, behaviour, location and movements. At dentsu, we specialize in leveraging data and audience insights to deliver a competitive advantage to our clients. To offer our transformational services, we invest in data and analytics innovation, data platforms and technological capability. And with data so fundamental to the success of our clients’ business objectives, we prioritise data protection and privacy compliance across our global operations. We aim to set the pace for our industry on data protection. The leadership and presence of a Global Data Protection Officer, supported by Chief Data Officers and specialist Legal and Technology teams, are key steps to providing governance in data protection across our global network and to setting high industry standards. These teams also work to ensure that our global data protection framework meets with our obligations under local regulations and the pending General Data Protection Regulation (GDPR).
The purpose of this document is to provide our clients with a better understanding of how dentsu is preparing for the GDPR.
Q: What is the GDPR?
A: The GDPR will replace the existing EU data protection law (the Data Protection Directive 95/46/EC) and will be the biggest revision of privacy laws in over a decade. The aim of the GDPR is to harmonise privacy law across all EU member states and to help promote the digital economy. It will also introduce new legal rights for individuals to better control and protect their personal data. Organisations holding personal data will need to provide evidence of compliance if requested to do so by clients or regulators.
Q: When does the GDPR come into force?
A: The GDPR will come into effect across the EU from 25 May 2018.
Q: Who does the GDPR apply to?
A: In addition to those organisations based within the EU, the GDPR will also apply to an organisation operating outside of the EU if that organisation offers goods/services to or monitors the behaviour of people in the EU. For example, the GDPR could catch a US-based client whose website uses tracking technology to collect personal data to create profiles of EU residents.
Q: Does “Brexit” mean the GDPR won’t apply to the UK?
A: The GDPR will come in to effect across the EU from 25 May 2018. As the UK will still be a member of the EU at this date, the GDPR will also apply to the UK, and will continue to apply after its eventual exit from the EU. The UK government has confirmed this approach.
Q: How is dentsu preparing for the GDPR?
A: Dentsu has a dedicated team of data protection, legal and technology specialists who review its processing of personal data. They will ensure dentsu is compliant with the GDPR in time for the May 2018 deadline. Dentsu only processes consumer data in line with clients’ instructions. We work with our clients to ensure they understand and are comfortable with how their consumers’ personal and other data is being used.
To ensure that dentsu is GPDR compliant and meets the expectations of our clients, we have the following measures in place:
- A dedicated group of professionals, including our Global Data Protection Officer, a network of Chief Data Officers, data protection lawyers, data specialists, security personnel, and technology teams, who work to ensure privacy and data compliance across our global business.
- Targeted data protection training for our employees. This includes eLearning modules, on-line resources and face-to-face training for higher risk groups.
- An internal data governance framework to review how client and other data is being used and protected while in our custody.
- Data security policies and controls in place globally, which are continually tested and evolved to keep pace with evolving regulations and governance requirements.
- Controls that ensure that we only use data in accordance with our clients’ instructions. From a legal perspective, dentsu is typically a ‘data processor’ in relation to personal data while the client is the ‘data controller.’
Q: How does dentsu securely manage data?
A: At dentsu we recognise that the security environment is constantly evolving. Our security programme is regularly reviewed and aligned to industry standards, including ISO27001 and NIST. In the unlikely event of a data security incident, processes are in place to isolate and manage incidents to conclusion.
Q: Will the GDPR stop dentsu using personal data?
A: The GDPR does not stop or hinder the use of personal data in advertising; however it does place a greater focus on business accountability and transparency to consumers around how their personal data is being used. At dentsu, we see the GDPR as an opportunity for brands to build greater consumer trust and confidence through these new requirements, like privacy by design and data portability, as well as the new standard for consent.
Q: What is the new standard for consent?
A: Under the GDPR, there will be a stronger focus on obtaining consumer consent in a transparent and unambiguous manner e.g. not ‘hidden’ in terms and conditions or assumed through pre-ticked boxes. This may require a change in practice for some businesses that currently rely on “deemed” or assumed consent. It is worth bearing in mind that consent is not the only way of lawfully collecting consumer data. Legitimate interests may prove a useful alternative to consent. Dentsu will be working closely with its clients and suppliers to ensure appropriate and necessary protections for consumers within the overall GDPR compliance framework.