Navigating the EU GDPR

Navigating the EU GDPR

The European Union’s General Data Protection Regulation (GDPR) took effect on May 25, 2018. Learn about the regulation and its impact on the digital advertising industry. Better understand GDPR's impact on your business’s data processing activities? IAB and the IAB Global Network are here to help you navigate this new regulation.

What is GDPR?

The GDPR establishes new requirements on companies that collect, use, and share data about EU citizens. As of May 25 2018, all companies handling data of EU citizens must adhere to these new data privacy and security measures, regardless of whether the organization is located within the EU or not. Companies that fail to comply with these new rules could be subject to fines as high as 4% of annual global revenue. Several key definitional changes that impact the digital advertising industry include:

A broader definition of personal data that includes IP addresses and cookie identifiers: Article 4.1: “personal data means any information relating to an identified or identifiable natural person (‘data subject’); an identifiable natural person is one who can be identified, directly or indirectly, in particular by reference to an identifier such as a name, an identification number, location data, an online identifier or to one or more factors specific to the physical, physiological, genetic, mental, economic, cultural or social identity of that natural person”

A higher standard for establishing valid consent: Article 4.11: “consent of the data subject means any freely given, specific, informed and unambiguous indication of the data subject’s wishes by which he or she, by a statement or by a clear affirmative action, signifies agreement to the processing of personal data relating to him or her”

The introduction of the concepts of profiling and automated decision making: Article 4.4: “profiling means any form of automated processing of personal data consisting of the use of personal data to evaluate certain personal aspects relating to a natural person, in particular to analyse or predict aspects concerning that natural person’s performance at work, economic situation, health, personal preferences, interests, reliability, behaviour, location or movements”

Companies must provide users the ability to exercise the following rights over their personal data:

Transparency (Articles 12-14): Companies are required to provide information to individuals about the processing of their personal data (generally through the privacy policy). Notice to individuals should be easily accessible and concise, and must meet specified content requirements.
Right of Access (Article 15): Upon request by a data subject, companies must provide information about the purposes of the processing and the categories of the data processed, among other information. If asked, companies must also provide data subjects with a copy of their personal data in a structured, commonly used and machine-readable format for a reasonable fee.
Right to Rectification, Erasure and Restriction (Articles 16-20): Companies must allow data subjects the ability to correct inaccuracies in their personal data, withdraw consent and erase their data, and restrict the processing of their data if the accuracy of the data is challenged.
Right to Object to Profiling and Automated Decision-Making (Articles 21-22): A data subject may object to processing of their personal data based on profiling or automated-decision making. In case of an objection, companies must cease any further processing unless the company can demonstrate legitimate grounds for processing that override the interests, rights and freedoms of the data subject.

Download the IAB GDPR
Overview & Compliance Check List

Introducing the GDPR Transparency & Consent Framework

Launched on April 24, 2018, the GDPR Transparency & Consent Framework (Framework) has a simple objective – to help all companies in the digital advertising chain ensure that they comply with the EU’s General Data Protection Regulation when processing personal data or accessing non-personal or personal data on user devices.

The Framework is particularly relevant for “first parties,” publishers and other suppliers of online services, who partner with “third parties” (vendors) to enable those third parties to process user data on one of the legal bases laid down by the Regulation, including both legitimate interests and consent, where applicable. The Framework standardizes the capture of user consent for data processing and “signals” this information across the advertising supply chain. It is open-source, not-for-profit with consensus based industry governance led by IAB Europe with significant support from industry parties and technical support from IAB Tech Lab.

A key piece of the Framework is a unique registry of third-party data controllers, a Global Vendor List, on whose behalf consent may be requested by the first parties that have the direct interface with users.

How will GDPR affect you and your business?

If your organization collects, uses, or shares personal data of EU citizens, GDPR will likely apply, regardless of whether or not you have physical operations in Europe.

Fines can be high for non-compliance with GDPR: Serious infringements can result in fines of up to €20m, or 4% of your company’s global annual revenue, whichever is higher. Advertising identifiers are now explicitly within the scope of personal data and companies that collect and use these identifiers must demonstrate a valid legal basis for doing so.

New obligations for demonstrating valid consent will require companies to go beyond existing “cookie banners”.

Download the GDPR Cheat Sheet (PDF)

More Resources on GDPR

Here are some links and resources with more information about the EU General Data Protection Regulation (GDPR):


Alex Propes
[email protected]
Tech Lab
Jennifer Derke
[email protected]

Get Involved

Learn more about consent solutions in a programmatic environment: join the IAB Tech Lab GDPR Technical Working Group and attend related events, such as the GDPR/ePrivacy Town Hall, which happened this past February 20, 2018.


Past Events

The Transparency and Consent Framework: A Technical How-To and Q&A

The Transparency and Consent Framework: A Technical How-To and Q&A 2

Watch the GDPR Publisher Roundtable Video