Defining the GDPR Impact on Digital Advertising ( E D I T I O N 1 . W H I T E PA P E R )Please note: The information and opinions within this content are for information purposes only. They are not intended to constitute legal or other professional advice, and should not be relied on or treated as a substitute for specific advice relevant to particular circumstances. 15+ 2 3 4500+ Defining the GDPR Impact on Digital AdvertisingH OW DO E S G DPR A P P LY TO YOU R B U S IN ESS The General Data Protection Regulation or GDPR is the overall regulation on the protection and handling of personal data for the European Union coming into force from May 25, 2018. No one working in digital marketing or indeed any business that deals with personal data doubts the importance of the GDPR. It brings changes to existing data protection law, and is designed to strengthen rights and empower individuals by giving them more control over their personal data. Things such as clear consent and data protection principles are given greater emphasis. These changes to data usage could potentially have a huge impact on businesses and the way they handle their customer data. If you're an advertiser, publisher or other Rakuten Marketing partner dealing with customer data, it's very important for you to have a robust compliance regime in place. If businesses aren't compliant by May 25, 2018, the consequences could be drastic: warnings of fines of up to 4% of annual global turnover, or 20,000,000 EUR have been clearly laid out. It may sound simple but one of the first steps to GDPR compliance is understanding whether the new EU regulations apply to your business. If you're not in the EU, it could be easy to assume that the GDPR won't affect you, when in reality this is far from the case.Does the GDPR apply to your business SimplifiedDoes your business collect, use or process personal dataNOGDPR not applicable (But other privacy protection laws may apply)YESIs an office of your business in the EUNODoes your business offer services to the EUNODo you monitor individuals in the EUNOYES YES YESGDPR is applicable.Although the regulation is for the European Union, its significant impact is global. We've created this simplified diagram to help give you a clear, top-line understanding of whether the GDPR is likely to apply to your business.Defining the GDPR Impact on Digital AdvertisingWHY I S T H I S R EG U L AT I O N B E I N G I M P L E M E NTED The GDPR aims primarily to give control back to citizens and residents over their personal data and to simplify the regulatory environment for international business by unifying the regulation within the EU. This allows EU consumers more rights or control on how their personal data being processed. These rights apply at any time, even if the consumer has previously agreed to the processing. These rights vary based on the type of processing grounds used. Access: Access to what personal data has been collected and how it has been processed. Accuracy: The right to correct processing where data is inaccurate. Consent: Performance of a contract cannot be made conditional on consent, and consent must be sought through clear and plain language separate from other information. Data Portability: the right to receive personal data for free and in an electronic format, upon request, including where it's being used and for what purpose. Erasure (right to be forgotten): The right to withdraw consent and ask for personal data to be erased and no longer processed. This also requires that data controllers take reasonable steps to ensure the data is also deleted by any third parties it's been shared with. PROCE SS I NG DATA The GDPR changes how publishers and brands operate when it comes to processing data. The regulation requires that digital advertisers take restrictive measures for collecting, processing and using consumer data for marketing purposes. These are some of the categories and types of personal data that are at stake: Traditional PII: Name, address, phone number and email. Online Identifiers: IP address, cookie ID's, and device ID's. Sensitive data: Racial identity, Religious and political affiliation, Health, genetic data, Biometric data, Sexual orientation and gender preference The regulation also outlines data protection principles that are required by brands and publishers when processing personal data of EU consumers: 1. Fair and transparent A person needs to know why and how his or her data will be used. 2. Purpose limitation Data can only be used for the reason it was collected. 3. Data minimization No more data can be collected than necessary for its purpose 4. Storage limitation If the data is no longer necessary, it must be deleted. 5. Confidentiality and integrity Data must be stored in a secure manner. 6. Accountability Compliance with the data protection principles must be provable. H OW R A KUT E N M A RK ET IN G IS WORK IN G TOWA R DS COM PLI A N CE WI TH THE G DPR Rakuten Marketing has been working diligently to become compliant ready in time for the May 25, 2018, deadline. Here are a few of the key things we're doing, on a global level, to ensure our business is ready for the changes. Rakuten Marketing will be pushing Consent as the primary legal processing ground for our services. This will apply to the European。。。。。。

