iGB Affiliate 71 Oct/Nov | Page 55

INSIGHT REGULATION FIT

GDPR dominated the early part of the year but it was no blip, says Asbjørn Bieling-Hansen. With more EU regulation in the pipeline, it’s time affiliates stopped ducking privacy compliance and grasped the opportunities offered by new regimes

Today, personal data is collected at a phenomenal rate, making it a commodity that The Economist called “the world’s most valuable resource ahead of oil”. This is hardly an overstatement, considering how much the collection of data affects the success of a company and the customer experience alike.

Regulation of our data processing and data handling is an undeniable fact. In the past few years we have seen a lot, especially in igaming. Earlier this year all anybody was talking about seemed to be the General Data Protection Regulation (GDPR). On 25 May 2018 the GDPR became enforceable, threatening companies with large fines if they are not compliant.

So, are we compliant? Recent studies carried out by 451 Research suggest that, while businesses are realising the importance of GDPR, many are falling short in terms of the technologies and processes they have in place to ensure compliance. In most cases the challenges lie in the organisation, storing and retrieving of data. Forbes suggests that 20% of companies, at best, are close to full compliance with GDPR.

Since it came into force, European regulators have also reported massive increases in the reporting of complaints, with the ICO anticipating that, as more awareness is instilled, the number of complaints will continue to rise. This is concerning, considering that GDPR increases maximum fines for malpractice to €20m (£17.6m) or 4% of a company’s global turnover, whichever is higher. GDPR has also encouraged more transparency among companies, with an increase in the reporting of data breaches since its coming into force.
Interpreting GDPR

Over the past few months, and very much in the week before the enforcement of GDPR, inboxes were flooded with a staggering amount of emails, all asking for consent for the processing of personal data. As Alanis Morissette might say, “Isn’t it ironic?” Only in this case there actually is some irony, in that companies asking for consent must necessarily have had the previous consent of that same customer to be allowed to contact them in the first place.

Moreover, consent is only one legal basis; there are five others on which businesses can rely to process data. These are: compliance with a legal obligation, contractual performance, vital interests, public interest and legitimate interest.

What is also very important to understand is the difference between ‘personal data’ and ‘personally identifiable information’ (PII). To make the distinction, it’s important to understand that all PII is personal data but not all personal data is PII. For example, the European Court of Justice ruled in 2016 that a dynamic IP address will in some cases be considered personal data, while in others it is PII. So, when is it PII? Certainly, if any third party can link the dynamic IP