
Recent violations of GDPR have resulted in record fines for online platforms ruled not to have adequately protected their users' privacy. For any business, not just social media platforms, with a global online presence and significant user-generated content, GDPR compliance is a critical business risk that must be addressed to reduce potential liability and regulatory action.
Spectrum Labs' solutions are fully GDPR (and CCPA) compliant, allowing our clients to moderate user-generated content efficiently worldwide, at scale and across multiple languages, without the legal risk that comes with handling Personally Identifying Information (PII).
But what exactly is the GDPR? Why was it created, who does it impact, and how do you make sure your business complies with it? Read on for a complete primer on the subject, as well as recommendations for ways to protect your business.
Compliance with GDPR is a top priority for Spectrum Labs. We've put considerable effort into mitigating risk for trust and safety, information security, privacy, and data compliance teams at the Internet platforms that work with us.
What is GDPR?
GDPR doesn't bar companies from using consumer data; it is a data privacy regulation that rules how companies collect, process, store, and share regulated data. First and foremost, GDPR requires a legal basis for data collection and usage. Consumer consent is one such legal basis; user safety is another.
GDPR also mandates that any entity that collects, processes, stores, and shares data must respect the consumer's rights set out in the regulation and handle all data according to the seven principles in the law. User privacy and data security are foundational to Spectrum Labs. There are two ways Spectrum Labs collects platform data while staying compliant: through data minimization, or through de-identification of the data that is not minimized away.
Why do we go through this process when safety is a legal basis? Trust & Safety improves when learnings from one platform are applied to another and vice versa. To share those learnings across platforms, all PII is scrubbed or pseudonymized.
This PII scrubbing or pseudonymization of all data enables us to create safer online communities while respecting user privacy and assuring our clients that our data processes are fully GDPR compliant.
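The two mechanisms described above, data minimization and pseudonymization of whatever is not minimized away, are shown here as an added example. This is illustrative code, not Spectrum Labs' own pipeline; the event layout, field names, regex patterns and key are all constructed for the example. It drops fields the downstream model never needs, replaces the user identifier with a keyed (HMAC) pseudonym so that records from the same platform can still be correlated without the raw id, and scrubs e-mail addresses and phone-number-like strings out of free text.

```python
import hashlib
import hmac
import re

# Constructed sample: one moderation event as a platform might hand it over.
SAMPLE_EVENT = {
    "event_id": "evt-0001",
    "platform": "demo-platform",
    "user_id": "u-48213",
    "email": "alice@example.com",
    "ip": "203.0.113.42",
    "message": "hey alice@example.com call me at 555-0100, you idiot",
    "timestamp": "2024-01-01T12:00:00Z",
    "label": "harassment",
}

# Data minimization: fields the downstream model never needs are dropped outright.
DROP_FIELDS = {"email", "ip"}
# Fields needed for correlation but not as raw identifiers are pseudonymized.
PSEUDONYMIZE_FIELDS = {"user_id"}

# Constructed, deliberately narrow patterns for the example; production scrubbing
# would use a broader PII detector.
EMAIL_RE = re.compile(r"[\w.+-]+@[\w-]+\.[\w.-]+")
PHONE_RE = re.compile(r"\b\d{3}[-.\s]?\d{4}\b")


def pseudonymize(value: str, key: bytes, platform: str) -> str:
    """Keyed, platform-scoped pseudonym.

    HMAC rather than a bare hash: a plain SHA-256 of a short, structured
    user id can be reversed by enumeration, whereas the keyed form cannot
    be recomputed by anyone who does not hold the key. Scoping by platform
    keeps the same raw id from linking across platforms.
    """
    mac = hmac.new(key, f"{platform}:{value}".encode(), hashlib.sha256)
    return "pseudo-" + mac.hexdigest()[:16]


def scrub_text(text: str) -> str:
    """Replace PII patterns inside free text with fixed tokens."""
    text = EMAIL_RE.sub("[EMAIL]", text)
    text = PHONE_RE.sub("[PHONE]", text)
    return text


def minimize_event(event: dict, key: bytes) -> dict:
    """Return a copy of the event that is safe to share: minimized and de-identified."""
    out = {}
    for field, value in event.items():
        if field in DROP_FIELDS:
            continue
        if field in PSEUDONYMIZE_FIELDS:
            out[field] = pseudonymize(str(value), key, event["platform"])
        elif isinstance(value, str):
            out[field] = scrub_text(value)
        else:
            out[field] = value
    return out


if __name__ == "__main__":
    # The key would come from a secrets manager in practice; constructed here.
    demo_key = b"constructed-test-key"
    for k, v in minimize_event(SAMPLE_EVENT, demo_key).items():
        print(f"{k}: {v}")
```

The HMAC key is the piece that makes the pseudonym reversible only by its holder, so it should be stored and rotated like any other secret; rotating it also severs the ability to join old and new records, which is sometimes exactly the effect wanted when a retention period ends.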
Learn more in Spectrum Labs' GDPR compliance statement.
Why was the GDPR enacted?
Over the past decade, the digital ad-tech ecosystem has worked diligently to help marketers reach and engage their users as they go about their digital lives. The opportunity was huge, and so were the investments in the sector (in 2011, there were only 150 unique companies on the Lumascape; in 2018, there were 7,000!).
But there was a problem: nearly all targeting was based on cookies and personal data, and consumers began to voice concerns about their lack of privacy. The EU listened to those complaints and responded by enacting the General Data Protection Regulation (GDPR), which went into effect in 2018. In the process, the EU upended the third-party behavioral data market.
GDPR is a set of regulations designed to protect the EU consumer’s privacy and data. It lays out eight specific rights for all consumers, such as the right to be informed of how their data is used by parties that collect it, and the right to be forgotten.
Who needs to comply with GDPR?
GDPR applies to all companies, including internet platforms, that process the personal data of EU citizens or residents, or offer them goods and services, even if an entity is not located within the EU.
Article 4 of GDPR defines two types of entities that collect data:
- Data Controller. The entity (person, organization, etc.) that determines the why and the how for processing personal data. You are a data controller if you're an internet platform collecting user data for registration and general usage.
- Data Processor. The entity that processes data on behalf of the controller. Let's say you partner with a marketing automation platform that stores and activates your customers' data. That marketing automation company is a data processor.
You are your vendor's keeper.
Keep in mind that as the Data Controller, you must ensure your Data Processors are in full compliance with GDPR. Recital 74 expressly states that the "controller" is entirely responsible and liable for processing done on its behalf by a third party:
“The responsibility and liability of the controller for any processing of personal data carried out by the controller or on the controller’s behalf should be established. In particular, the controller should be obliged to implement appropriate and effective measures and be able to demonstrate the compliance of processing activities with this Regulation, including the effectiveness of the measures. Those measures should consider the nature, scope, context, and purposes of the processing and the risk to the rights and freedoms of natural persons.”
How to be GDPR compliant
Compliance requires more than prompting consumers to accept cookie settings when they arrive on a website and storing that consent somewhere. It requires that all companies respect the eight individual rights laid out in the law (listed below) and comply with seven principles for handling and processing that data.
GDPR guarantees the following eight individual rights to all EU citizens:
- The right to be informed of how their data will be used, in a “concise, transparent, intelligible and easily accessible form, using clear and plain language.”
- The right of access, meaning the “right to obtain from the controller confirmation as to whether or not personal data concerning him or her are being processed, and, where that is the case, access to the personal data.”
- The right to rectification gives EU consumers the “right to obtain from the controller without undue delay the rectification of inaccurate personal data concerning him or her.”
- The right to erasure, also known as the right to be forgotten.
- The right to restrict processing in cases where the consumer contests the accuracy of the data, the processing is unlawful, or the data is no longer needed by the controller for the purposes for which consent was provided.
- The right to data portability, meaning the consumer can share his or her personal data with another controller if desired.
- The right to object to data being collected or processed unless “the controller demonstrates compelling legitimate grounds for the processing which override the interests, rights, and freedoms of the data subject or for the establishment, exercise or defense of legal claims.”
- Rights in relation to automated decision-making and profiling. Consumers can opt not to be profiled via a machine.
GDPR also requires organizations to adopt seven fundamental principles, which they describe specifically as:
Lawfulness, fairness, and transparency | Processing must be lawful, fair, and transparent to the data subject.
Limitation of purpose | You must process data only for the legitimate purposes specified explicitly to the data subject when you collected it.
Data minimization | You should collect and process only as much data as is absolutely necessary for the purposes specified.
Accuracy | Personal data must be accurate and, where necessary, kept up to date; inaccurate data should be corrected or erased without delay.
Storage limitation | You may only store personally identifying data for as long as necessary for the specified purpose.
Integrity and confidentiality | Processing must be done in such a way as to ensure appropriate security, integrity, and confidentiality (e.g. by using encryption).
Accountability | The data controller is responsible for being able to demonstrate GDPR compliance with all of these principles.
Legal Basis & Trust & Safety Carve-Outs
GDPR isn't a complete ban on the collection and processing of data. Instead, it requires a data controller or processor to have a "legal basis" for processing data. User consent is the legal basis we hear about most often, but there are others, including safety. GDPR describes those other legal bases as:
- Processing is necessary to satisfy a contract to which the data subject is a party.
- You must process the data to comply with a legal obligation.
- You need to process the data to save somebody’s life.
- Processing is necessary to perform a task in the public interest or to perform some official function.
- You have a legitimate interest in processing someone's personal data. This is the most flexible lawful basis, though the “fundamental rights and freedoms of the data subject” always override your interests, especially if it’s a child’s data.
GDPR doesn't require data controllers to delete customer data within a specific timeframe. Your company is free to store the data you collected for as long as you like for safety reasons.
Keep in mind that any data you collect to ensure Trust & Safety in your community can only be used for that purpose. As the GDPR Regulator clearly says in its company guides, "You only need to choose one legal basis for data processing, but once you've chosen it you have to stick with it."
Repercussions for Non-Compliance
GDPR fines are "designed to make non-compliance costly for both large and small businesses." The less severe infringements can result in a fine of up to €10 million, or 2% of the firm's worldwide annual revenue from the preceding financial year, whichever amount is higher. More serious infringements can result in a fine of up to €20 million, or 4% of the firm's worldwide annual revenue, again whichever is higher.
There are other considerations of equal importance. When your company adheres to privacy requirements, you tell your customers that you value their privacy and respect them as individuals. You also avoid reputational risk.
Spectrum Labs GDPR Statement
Please Note: We are not GDPR specialists and can't offer legal advice. If you have questions about GDPR, we strongly recommend you contact, and work with, your own experts, lawyers, consultants, et al. for advice relating to your unique situation.