The European Union General Data Protection Regulation (GDPR) will become effective on May 25th, 2018 and our customers have been asking for advice and information on how we’re taking it into consideration. We want to share answers to the most pressing questions social media advertisers might have when using or considering Smartly.io as an optimization and automation partner.
What is the GDPR and will it apply to our company?
In a nutshell, the GDPR sets forth requirements for how companies can handle the personal data of individuals in the EU. It lays down procedural, security and documentation related obligations for companies, and it gives comprehensive rights to the individuals whose personal data is being collected and processed.
Personal data means any information relating to an identified or identifiable natural person. An identifiable natural person is someone who can be identified, either directly or indirectly, in particular by reference to an identifier such as their name, an identification number, location data or an online identifier.
If your company is based in the EU, GDPR will apply to your processing of personal data. If your company is not based in the EU but offers goods or services to persons in the EU or monitors such persons’ behaviour in the EU, the GDPR will also govern such processing of personal data.
What does GDPR mean in practice?
The GDPR will replace the existing EU Data Protection Directive from 1995. While strengthening the rights of individual data subjects such as online shoppers, the GDPR creates its fair share of new and more stringent obligations for:
- controllers: those who determine the purposes and means of the processing of personal data and
- processors: those who process personal data on behalf of controllers.
For example, due to a new principle of accountability, each company processing personal data needs to be able to show its compliance with the GDPR obligations and, in practice, maintain documentation about its data processing activities. When a controller passes personal data to a processor, they must agree in writing on why and how the personal data is processed, and the agreement must contain all the requirements set forth by the GDPR. This agreement is commonly referred to as a Data Processing Agreement, or DPA for short.
In cases of non-compliance, GDPR obligations are enforced by significant fines that can be up to 20 million EUR or 4% of the company’s worldwide annual revenue for the previous financial year for more egregious violations, such as processing data for an unlawful purpose or not allowing data subjects to exercise their rights.
How does the GDPR impact a social media marketer using Smartly.io?
In the context of social media marketing, the main traffic of personal data still occurs between the advertiser and the social media platform like Facebook. Smartly.io’s service simply allows advertisers to access the Facebook ecosystem and to improve their performance with the help of our solutions and features. The GDPR mostly affects the dynamics between the end customer, social media platform and the advertiser.
In general, the GDPR creates new obligations for companies. A few of the main actions social media advertisers should take into consideration include:
- Being aware of what personal data they process and for which purpose
- Allowing data subjects to exercise their rights, such as:
  - "the right to erasure", requiring the controller to erase personal data after the data is no longer relevant or upon withdrawal of consent
  - "the right to access", requiring the controller to inform data subjects upon request whether their personal data is processed and for what purposes
- Making sure all their partners are GDPR compliant and contractual liabilities are clearly defined
- Having processes in place in case things don’t go right and reporting data breaches promptly after becoming aware of them
- Agreeing, usually in a Data Processing Agreement, on the means and purpose of processing when giving data for processing to third parties.
How is Smartly.io preparing for the GDPR?
Smartly.io began its GDPR preparation project in 2017, to ensure enough time to implement necessary changes. We hired experienced external experts to audit - in close cooperation with our internal GDPR project team - all our personal data flows, partner relationships, security measures and internal processes. Based on the results of this thorough examination of Smartly.io’s processes, we have made the necessary adjustments, organized training for our team, and prepared the required documents to ensure full compliance with the GDPR before its effective date in May.
Even though the personal data processed by us on behalf of our customers is very limited, we understand that the social media advertising environment and our customers’ needs may change in the future. Thus, we have prepared for the potential changes in the way personal data might be processed on behalf of our customers and we will implement all the necessary documents needed to ensure compliance.
It’s the 25th of May 2018 - what now?
The world will not immediately go up in flames when the GDPR enters into force, and implementation of and compliance with the GDPR should not be regarded as an insurmountable obstacle to anyone’s business. Working with Smartly.io, you can rest assured that in addition to caring for your online advertising performance, we care for privacy and security considerations. To us, this is not only a one-time exercise tailored for the entertainment of privacy enthusiasts. Since our mission is to be the most reliable and trustworthy social media advertising partner, we want to ensure our business operates securely and in harmony with the GDPR - and also stays GDPR compliant as we move forward with our customers.