Disclaimer – The GDPR is a complex and evolving regulation. The below information is meant only as a guide and should not be considered legal advice. You should consult with your legal team to evaluate your own risk and practices, and to determine the next logical steps for your organization.
How GDPR Impacts Publishers and Media Companies
The General Data Protection Regulation (GDPR) goes into effect on May 25, 2018, and starting on that date, affected publishers and media companies will need to comply with the GDPR’s obligations.
What is the GDPR?
The GDPR, among other things, covers how personal data about individuals located in the EU is collected, stored and otherwise processed as well as what rights those individuals have to access, control, and delete their personal data.
The GDPR grants new rights to individuals, requires organizations collecting or otherwise processing the personal data of individuals located in the EU to meet sweeping new requirements, and empowers regulators to impose significant consequences on organizations that fail to comply.
Who is covered by the GDPR?
All companies located and operating in the EU are covered by the GDPR. The GDPR also covers companies located outside of the EU that offer goods or services to individuals in the EU, and companies that monitor the behavior of individuals in the EU.
What steps can you take?
The GDPR is a complex regulation, whose obligations apply differently to each organization. The following is a list of operational impacts the GDPR may have on you as a publisher or media company. Keep in mind that this is not a complete or exhaustive list, and the Omeda team encourages you to conduct your own analysis in consultation with your legal counsel to determine how the GDPR may apply to your company and what your compliance obligations may be.
- Review and inventory the personal data of individuals located in the EU that is processed by your company, or on your behalf by your service providers. Map the data flows for that personal data, and establish and document the lawful basis for each processing activity, whether undertaken directly by your company or on your behalf by one of your service providers.
- Establish a mechanism and protocol for responding to data subject rights requests from end users who are individuals located in the EU.
- Establish a GDPR-compliant written information security policy.
- Identify your record-keeping obligations and set up procedures to document processing activities as required.
- Establish clear compliance practices within your organization. Designate a primary internal point of contact for GDPR compliance, and determine if you are required to appoint a DPO.
What are the penalties for non-compliance?
Violations may result in regulatory fines of up to €20 million or 4% of the company’s global annual turnover, whichever is higher. In addition to fines, regulators could take other actions, such as shutting off access to your website to individuals in the EU, or ordering that processing activities be suspended or terminated. There is also a private right of action under the GDPR, which means that individuals in the EU will be able to sue for violations of the GDPR (for example, alleged failures to comply with data subject rights requests).
How are Omeda clients potentially impacted?
For Omeda clients, GDPR compliance impacts how personal data of EU data subjects is collected and otherwise processed directly by the client (who is the data controller) as well as on behalf of the client by its third-party data processors, such as Omeda.
There are a variety of GDPR-focused resources and materials in the marketplace, but with such a complex topic, we again recommend that our clients engage their own legal advisors to determine if the GDPR applies to their businesses and to assess whether their internal practices and documentation satisfy GDPR requirements for data controllers.
What is Omeda doing?
For Omeda clients, GDPR compliance impacts both how data is collected by the client (the data controller) and how it is stored and accessed using Omeda’s platform (as a data processor). It is important to note that Omeda may be one of multiple data processors for a single data controller.
All data is stored and managed with our standard data management and governance system. Regardless of the data’s source (dragon form, direct import, or olytics tag), all data is viewable using the audience view section of the Omeda platform. For any user asking to be forgotten, the user’s record can be deactivated by our clients using their admin view. If you receive an inquiry about what data has been collected on a particular subject, data can be exported from the platform. Any permissions will be set by the Omeda client as our fully customizable database and permissioning structure can satisfy our client’s particular preferences and strategy. Please note that for audited publications, clients should be cognizant when deactivating a customer record that it may have been included on your past audit issue.
Omeda has also set up an email address for all GDPR related inquiries at email@example.com.
How does this impact our partnership?
According to the GDPR, controller and processor have the obligation to enter into an agreement governing the processing of personal data. Since it is not practical for Omeda to enter into different data processing agreements with each of its myriad customers, to streamline the process Omeda is finalizing its own Omeda Data Processing Addendum (DPA) to amend our existing contracts with customers, which will apply in situations where Omeda is processing personal data on behalf of its customers within the scope of the GDPR. We will provide the DPA to you shortly.
If you have any specific questions about GDPR compliance or receive an inquiry from one of your data subjects, please contact firstname.lastname@example.org.