With the General Data Protection Regulation (GDPR for short) coming into force in just 72 days we take a look at how Mediaocean has prepared for compliance, and reassured our clients and partners that we are protecting their data accordingly.
Firstly, what is the General Data Protection Regulation?
GDPR is a piece of legislation passed by the European Union that updates and replaces the European Data Protection directive of 1995 and the related Data Protection laws passed in individual EU countries. It's designed to reflect the massive technological and social advancements that have happened since 1995 and strengthen the rights of individuals using social media, on-line financial services and so on, in the face of new data-gathering techniques such as biometrics and profiling. Because it’s a 'Regulation' rather than a 'Directive', it will apply automatically across all 28 countries of the EU, and supersedes local laws on the issue.
An overview of the main changes under GDPR can be found here.
How is this affecting Mediaocean and our clients?
The definition of “personal data” under GDPR is very broad - any information on an EU resident that can identify that individual, including business contact info, location data and online identifiers counts.
For Mediaocean this includes:
- The data we process in our applications for our clients in the EU – business contact information, user credentials, expense claims and payment information for agency staff, etc.
- The data we collect about our EU users in our Sales and Marketing and ticketing platforms - business contact information, voice recordings of phone calls, stats about which users contact Support most frequently and so on.
- Data that HR and Finance collect about Mediaocean staff in EU offices – payroll, health insurance information, next of kin, etc.
This means that Mediaocean can be defined as both a 'Data Controller' and a 'Data Processor' based on the data we handle and we've had to prepare accordingly.
What have we done to prepare?
Mediaocean has been preparing for GDPR since Autumn 2016. All department heads at Mediaocean were briefed on GDPR and our Compliance team began an information gathering exercise to identify and review all personal data processing (for EU citizens) by Mediaocean.
During the remained of 2016, we identified all the tools and systems we use to process personal data and ensured that we took the necessary steps to be able to export EU citizens’ data to vendors in the US and elsewhere.
Meaning we either:
- Make sure the vendor belongs to the Privacy Shield scheme, which allows US vendors to certify to EU privacy standards so that exports are allowed.
- Sign data processing agreements based on the EU Standard Contractual Clauses covering international personal data transfers, with all international vendors who are not in Privacy Shield.
In the summer of 2017 we conducted a privacy audit to further identify any outstanding risks with our personal data processing. We are in the process of updating our privacy notice on our corporate web site and it will be re-issued before the end of May 2018. All affected staff will receive GDPR training to ensure everyone understands the new safeguards we have put in place.
Externally, we've worked with our agency clients to reassure them of our information security policies and ensure that they are satisfied with our preparations.
As the GDPR enforcement date approaches, we are continuing to work both internally and externally to ensure the policies we've put in place are effective and are being adhered to by our staff, clients and vendors. The General Data Protection Regulation is ultimately about protecting and strengthening the rights of all EU citizens when it comes to how their data is managed online and Mediaocean will continue to put data security at the heart of our business.
For more information about the GDPR and what Mediaocean has done to ensure compliance, visit our support site. Existing clients can also reach out to your local Mediaocean representative for more information.
Information Commissioner's Office: Guide to the General Data Protection Regulation (GDPR)