As a UK-headquartered company, Ve Global is primarily following the advice of the UK Information Commissioner's Office (ICO) to ensure it is meeting its obligations under the GDPR. The ICO lays out 12 key steps for GDPR preparedness.
Status: as of 18th March, 2018
1. Awareness
Ve is working on ensuring all relevant Ve staff and clients are aware of the GDPR and e-Privacy regulations and that appropriate training and information are made available. As of March 2018 this includes:
- The creation of a Ve GDPR hub for Ve clients
- Internal briefing materials for all staff
- Training in the use of Data Privacy Impact Assessments
2. Information Audit
The GDPR requires organisations to maintain records of all processing activities and the legal bases for processing such data. Ve is currently preparing a full data audit of all information it holds and processes and the legal basis for processing (see: Consent). It is expected the full audit will be complete in April 2018.
3. Privacy information
Ve Global is reviewing its current privacy notices in order to ensure any necessary changes are put in place in time for GDPR implementation.
4. Individuals’ rights
Ve Global will provide all customers and consumers with the following rights:
- right to be informed
- right of access
- right to rectification
- right to erasure
- right to restrict processing
- right to data portability
- right to object
- right not to be subject to automated decision making and profiling.
Under the right to data portability, Ve Global will provide information in a commonly used, machine-readable form, free of charge, in line with the regulations.
5. Subject access requests
Ve Global will be fully compliant in handling SARs within the one-month-from-receipt deadline required under the GDPR. The appropriate policies and procedures are currently being put in place.
6. Lawful basis for processing personal data
Businesses require a legal basis for processing personal data. There are six legal bases available; the two most commonly used in the digital advertising sector are consent and legitimate interest. The latter involves balancing the legitimate interests of Ve (for example, marketing) against the individual's right to privacy. Ve will be relying on a mixture of these two legal bases, as determined by the full data audit being carried out.
7. Consent
Consent plays a role across some of Ve's data use, so getting to the bottom of what is permissible under "legitimate interest" is key. We are following the advice of our lawyers and the ICO guidance on consent under the GDPR, as well as preparing for the confirmation of consent rules under the e-Privacy Regulation across our different data types and usage.
Under the GDPR, the consent of the data subject means “any freely given, specific, informed and unambiguous indication of his or her wishes by which the data subject, either by a statement or by a clear affirmative action, signifies agreement to personal data relating to them being processed”. The GDPR makes it considerably harder for organisations to obtain valid consent from data subjects. For organisations that rely on consent for their business activities, the processes by which they obtain consent will need to be reviewed and revised to meet the new requirements. Consent must be:
- Unbundled: Consent requests must be separate from other terms and conditions. Consent should not be a precondition of signing up to a service unless necessary for that service.
- Active opt-in: Pre-ticked opt-in boxes are invalid – use unticked opt-in boxes or similar active opt-in methods (e.g. a binary choice given equal prominence).
- Granular: Give granular options to consent separately for different types of processing wherever appropriate.
- Named: Name your organisation and any third parties who will be relying on consent – even precisely defined categories of third-party organisations will not be acceptable under the GDPR.
- Easy to withdraw: Tell people they have the right to withdraw their consent at any time, and how to do this. It must be as easy to withdraw as it was to give consent. This means you will need to have simple and effective withdrawal mechanisms in place.
Ve Global will work with clients on providing the appropriate pass-through consent wording.
8. Children
Ve is assessing whether systems are required to obtain children's consent as part of its full data audit.
9. Data breaches
Ve has in place the appropriate policies and escalation procedures in the event of a personal data breach to ensure adequate detection, reporting and investigation.
10. Data protection by design and Data Protection Impact Assessments
Ve is ensuring that all product and tech development has privacy by design built into the process. Privacy and security are core to our product development and development philosophy. Key to this is the completion of a DPIA for all product development.
11. Data Protection Officers (DPOs)
Ve is in the process of hiring a dedicated data protection officer. The company already has in place a Chief Information Officer and dedicated data security team responsible for data infrastructure and security.
12. International compliance
Ve has identified the UK’s Information Commissioner’s Office as its lead supervisory authority pre-Brexit. Plans are being put in place to ensure compliance remains post-Brexit.