Ve Global's GDPR & e-Privacy Centre

Welcome to Ve Global’s GDPR and e-Privacy centre. We will update the information on this page regularly with further information about Ve Global’s adherence to the new data-protection and e-privacy regulations as they become available.

Ve & GDPR

Like all data processors and controllers, Ve Global takes its responsibility under both the GDPR and e-Privacy Regulation seriously for both its clients and consumers. The company has been working since early 2017 on putting in place the foundations to ensure full compliance by the time the GDPR takes effect on 25 May 2018.

Until that time, all our clients and consumers should be aware that Ve Global currently adheres to all relevant data protection and privacy regulations within the EU and elsewhere.

Ve Global has appointed a leading UK law firm, Lewis Silkin LLP, as external legal counsel for its EU-wide GDPR and e-Privacy programme. Local advice is being taken in other territories as required to ensure full EU-wide compliance.

What is the GDPR?

The EU General Data Protection Regulation (GDPR) is the new legal framework governing the use of personal data across the EU. It replaces current national data protection laws and the existing EU data protection framework which is over 20 years old.

The GDPR is designed to give consumers more control over their personal information and applies across the EU. Regardless of Brexit, the British Government has stated it intends to implement the legislation. It is important for all data processors and controllers to ensure they are GDPR compliant by 25 May 2018.

What is e-Privacy?

The proposed ePrivacy Regulation will replace the 2002 ePrivacy Directive (amended 2009), which gave us the UK’s Privacy and Electronic Communications Regulations 2003 (PECR), also known as the ‘cookie law’. PECR sit alongside the Data Protection Act in the UK and give people specific privacy rights in relation to electronic communications including, amongst other things, rules on marketing calls, emails, and cookies (and similar technologies).

The existing EU cookie directive resulted in banner pop-ups that appear on websites asking for consent to collect cookies. The cookie law also applies to email, SMS and call marketing content. The new e-Privacy Regulation aims to simplify provisions on cookies by giving more choice to users, increasing transparency and replacing the existing banners, which have been deemed annoying. However, the alternative for any businesses dropping cookies on visitors may, ironically, result in more banners. Publishers, brands and anyone collecting or analysing data for the purposes of advertising will have a high barrier to gaining consumer consent.

GDPR Compliance

As a UK-headquartered company, Ve Global is primarily following the advice of the UK Information Commissioner’s Office (ICO) to ensure it is meeting its obligations under GDPR. The ICO lays out 12 key steps for GDPR preparedness.

Status: as of 18th March, 2018

1. Awareness

Ve is working on ensuring all relevant Ve staff and clients are aware of the GDPR and e-Privacy regulations and that appropriate training and information are made available. As of March 2018 this includes:

  • The creation of a Ve GDPR hub for Ve clients
  • Internal briefing materials for all staff
  • Training in the use of Data Privacy Impact Assessments

2. Information Audit

The GDPR requires organisations to maintain records of all processing activities and the legal bases for processing such data. Ve is currently preparing a full data audit of all information it holds and processes and the legal basis for processing (see: Consent). It is expected the full audit will be complete in April 2018.

3. Privacy information

Ve Global is reviewing its current privacy notices in order to ensure any necessary changes are put in place in time for GDPR implementation.

4. Individuals’ rights

Ve Global will provide all customers and consumers with the following rights:

  • right to be informed
  • right of access
  • right to rectification
  • right to erasure
  • right to restrict processing
  • right to data portability
  • right to object
  • right not to be subject to automated decision making and profiling.

Under the right to data portability, Ve Global will provide information in a commonly used, machine-readable form, free of charge, in line with the regulations.

5. Subject access requests

Ve Global will be fully compliant in handling SARs within the deadline of one month from receipt required under the GDPR. The appropriate policies and procedures are currently being put in place.

6. Lawful basis for processing personal data

Businesses require a legal basis for processing personal data. There are six legal bases available; the two most commonly used in the digital advertising sector are consent and legitimate interest. Legitimate interest involves a balancing of the legitimate interests of Ve (for example, marketing) with the right to privacy of the individual. Ve will be relying on a mixture of these two legal bases, determined by the full data audit being carried out.

7. Consent

Consent plays a role across some of Ve’s data use, so getting to the bottom of what’s permissible under “legitimate interest” is key. We are following the advice of our lawyers and the ICO guidance on consent under GDPR as well as preparing for the confirmation of consent rules under the e-Privacy Regulation across our different data types and usage.

Under the GDPR, the consent of the data subject means “any freely given, specific, informed and unambiguous indication of his or her wishes by which the data subject, either by a statement or by a clear affirmative action, signifies agreement to personal data relating to them being processed”. The GDPR makes it considerably harder for organisations to obtain valid consent from data subjects. For organisations that rely on consent for their business activities, the processes by which they obtain consent will need to be reviewed and revised to meet the new requirements. Consent must be:

  • Unbundled: Consent requests must be separate from other terms and conditions. Consent should not be a precondition of signing up to a service unless necessary for that service.
  • Active opt-in: Pre-ticked opt-in boxes are invalid – use unticked opt-in boxes or similar active opt-in methods (e.g. a binary choice given equal prominence).
  • Granular: Give granular options to consent separately for different types of processing wherever appropriate.
  • Named: Name your organisation and any third parties who will be relying on consent – even precisely defined categories of third-party organisations will not be acceptable under the GDPR.
  • Easy to withdraw: Tell people they have the right to withdraw their consent at any time, and how to do this. It must be as easy to withdraw as it was to give consent. This means you will need to have simple and effective withdrawal mechanisms in place.

Ve Global will work with clients on providing the appropriate pass-through consent wording.

8. Children

Ve is assessing whether systems are required to obtain children’s consent as part of its full data audit.

9. Data breaches

Ve has in place the appropriate policies and escalation procedures in the event of a personal data breach to ensure adequate detection, reporting and investigation.

10. Data protection by design and Data Protection Impact Assessments

Ve is ensuring that all product and tech development has privacy by design built into the process. Privacy and security are core to our product development and development philosophy. Key to this is the deployment of a DPIA, which will be completed for all product development.

11. Data Protection Officers (DPOs)

Ve is in the process of hiring a dedicated data protection officer. The company already has in place a Chief Information Officer and dedicated data security team responsible for data infrastructure and security.

12. International compliance

Ve has identified the UK’s Information Commissioner’s Office as its lead supervisory authority pre-Brexit. Plans are being put in place to ensure compliance remains post-Brexit.

Ve and e-Privacy

The e-Privacy Regulation has been brought into line with the GDPR, as a result of which a large number of the definitions and concepts of the e-Privacy Regulation must be read and interpreted in line with GDPR. The sanctions are the same. Ve is therefore working on its longer-term compliance plan for e-Privacy as well as the GDPR. We are already incorporating e-Privacy proposals into our roadmap because so much of it is inextricably linked to the GDPR and the fines will be aligned.

However, on 25th January 2018, the European Parliament confirmed that the e-Privacy Regulation is not ready to coincide with GDPR implementation and that there is no forecast on when the e-privacy provisions will be in force. Some issues still remain where decisions need to be taken, for example, the question of transparency and browser settings, and restrictions on data retention. This means that we have to wait for the rules pertaining to cookies and can concentrate our efforts on ensuring we meet the deadline for GDPR.

Frequently asked questions

What is the controller/processor distinction? And what role applies to Ve?

A data controller is defined under GDPR as the natural or legal person, public authority, agency or any other body which alone or jointly with others determines the purposes and means of the processing of personal data; where the purposes and means of processing are determined by EU or Member State laws, the controller (or the criteria for nominating the controller) may be designated by those laws.

A data processor is defined under GDPR as a natural or legal person, public authority, agency or any other body which processes personal data on behalf of the controller.

Under the GDPR, controllers still bear the primary responsibility for compliance, although processors also have direct compliance obligations. Whereas Ve used to position itself as a processor, Ve is currently in the process of establishing its role as controller or processor (or, most likely, both) which will vary depending on the purpose of the collection of personal data. It is important to remember that it is possible to be a controller and processor over the same set of data, depending on what you do with that data and depending on the processing activities. It is also possible for two different companies to be joint controllers in relation to the same data.

Will Ve be compliant by the deadline?

Ve will be compliant by the deadline.

What can clients expect to see from Ve in the coming months?

Ve is reviewing its commercial contracts involving personal data and will be amending these in due course to ensure both supplier and customer contracts are GDPR compliant. Ve will be amending its Framework Agreement with customers as well as its privacy and cookie statements and introducing a new Data Processing Agreement. Ve is already working on a data strategy with some of its key partners/affiliates.

What security measures has Ve taken to protect its data?

Ve has taken appropriate measures to ensure the security of processing and cyber security more generally. Ve’s dedicated Information Security Committee has been working for more than 2 years towards ISO 27001 accreditation. ISO 27001 is the international best practice standard for information security, and is a certifiable standard that is broad-based and encompasses the three essential aspects of a comprehensive information security management system (ISMS): people, processes and technology. By implementing ISO 27001, Ve will be deploying an ISMS that is supported by top leadership and constantly monitored and reviewed to continually identify and reduce risks.

The GDPR states in Article 32 that “the controller and the processor shall implement appropriate technical and organisational measures to ensure a level of security appropriate to the risk, including inter alia as appropriate:

  • the pseudonymisation and encryption of personal data;
  • the ability to ensure the ongoing confidentiality, integrity, availability and resilience of processing systems and services;
  • the ability to restore the availability and access to personal data in a timely manner in the event of a physical or technical incident;
  • a process for regularly testing, assessing and evaluating the effectiveness of technical and organisational measures for ensuring the security of the processing.”

The GDPR encourages the use of certification schemes like ISO 27001 to serve the purpose of demonstrating that the organisation is actively managing its data security in line with international best practice.

Does Ve use encryption?

As to encryption specifically, Ve encrypts personal data at the point of collection via Ve’s JavaScript. From that point on, such personal data is relayed in an encrypted form, transmitted between Ve’s services and stored in that form. In cases where Ve needs to access the personal data, such as when sending emails to consumers as part of our services to clients, such data is retrieved from the data store and decryption is carried out. Decryption is only used when absolutely necessary for the provision of the services. For the avoidance of doubt, data storage is always encrypted.

The current scope of encryption includes PII data such as emails and phone numbers. We take care to only collect relevant personal data and therefore do not handle many data types, such as passport numbers, credit cards or address information.

In addition to encryption, we are looking at anonymising, simplifying and hashing solutions for other less sensitive user data.
