A GDPR primer for broadcasters

The European Union’s General Data Protection Regulation (GDPR) came into force in May 2018, to much fanfare. Here’s a quick look at what it means for the way that broadcasters manage their users’ data.

NAGRA Insight Team
3 min read · Sep 3, 2018


Key requirements
There are two key things broadcasters must do to comply with GDPR:
1) Appoint a DPO
Firstly, broadcasters must appoint a Data Protection Officer. They must also carry out regular audits of their databases in order to document all of the personal data they hold, where the data comes from and how the data is processed.
2) Ensure data protection by design
Data protection must be built into products and services “by design and by default”, which means that “appropriate technical and organizational measures” are necessary.
GDPR applies to data that allows a person to be identified directly or indirectly. Online and connected equipment identifiers, cookies and IP addresses are regarded as personal data. There are several ways of ensuring that access to this data is secure, and encryption is no longer sufficient:
- Minimization
Minimizing data is one of the quickest solutions to implement because it avoids the need to store personal data that is not critical to the smooth running of a business process.
- Anonymization
Anonymization is an important security and privacy solution because it may help prevent original data from being reconstituted.
- Pseudonymization
Although pseudonymization techniques may vary, the solution can improve security. For example, one technique may involve separating data that directly identifies an individual from other non-identifying data. An identification key is then generated and stored in a separate and highly secure “safe”, to allow individuals to be re-identified. This approach may be recommended when a company outsources certain activities, for example when data is stored in the cloud or when a company uses Software as a Service.
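The minimization and pseudonymization steps above, as an added example that is not code from the NAGRA post: identifying fields are moved into a separate key vault and replaced by a random pseudonym, the rest of the record is cut down to what an analytics process actually needs, and re-identification is only possible through the vault. The field classification, the in-memory `KeyVault` and the sample viewer record are all constructed assumptions for illustration.

```python
# Added example (not from the NAGRA post): minimization plus pseudonymization
# with the identification key kept in a separate vault, as the article describes.
import secrets
from dataclasses import dataclass, field

# Constructed classification of fields. Identifiers, cookies and IP addresses
# count as personal data under GDPR, so they are treated as identifying here.
IDENTIFYING_FIELDS = {"name", "email", "ip_address", "device_id"}
# Constructed example of the only fields an analytics process actually needs.
ANALYTICS_FIELDS = {"country", "device_type", "watch_minutes"}


@dataclass
class KeyVault:
    """The separate, highly secured 'safe' that maps a pseudonym back to identity.

    In production this would be a different system with its own access control;
    here it is an in-memory dict so the example runs offline.
    """
    _store: dict = field(default_factory=dict)

    def issue(self, identifying: dict) -> str:
        # A random token, not a hash of the data: a hash of an email or IP can be
        # reversed by guessing, so it would not separate identity from the record.
        token = secrets.token_urlsafe(16)
        self._store[token] = dict(identifying)
        return token

    def reidentify(self, token: str) -> dict:
        # Only code with access to the vault can link a pseudonym to a person.
        return dict(self._store[token])

    def forget(self, token: str) -> None:
        # Dropping the vault entry leaves the analytics record with no way back
        # to the individual, i.e. it becomes effectively anonymized.
        self._store.pop(token, None)


def minimize(record: dict, keep: set) -> dict:
    """Keep only the fields the business process needs; everything else is not stored."""
    return {k: v for k, v in record.items() if k in keep}


def pseudonymize(record: dict, vault: KeyVault) -> dict:
    """Split identifying fields into the vault and replace them with a pseudonym."""
    identifying = {k: v for k, v in record.items() if k in IDENTIFYING_FIELDS}
    remaining = {k: v for k, v in record.items() if k not in IDENTIFYING_FIELDS}
    return {"pseudonym": vault.issue(identifying), **remaining}


def prepare_for_analytics(record: dict, vault: KeyVault) -> dict:
    """Pseudonymize first, then minimize what is left to the analytics fields."""
    pseudo = pseudonymize(record, vault)
    return minimize(pseudo, ANALYTICS_FIELDS | {"pseudonym"})


# Constructed sample viewer record.
SAMPLE_RECORD = {
    "name": "Ada Example",
    "email": "ada@example.invalid",
    "ip_address": "203.0.113.7",
    "device_id": "stb-0001",
    "country": "FR",
    "device_type": "set-top box",
    "watch_minutes": 42,
    "favourite_colour": "blue",  # not needed by analytics: dropped by minimization
}

if __name__ == "__main__":
    vault = KeyVault()
    analytics_row = prepare_for_analytics(SAMPLE_RECORD, vault)
    print("analytics store:", analytics_row)
    print("vault lookup:", vault.reidentify(analytics_row["pseudonym"]))
```

Two design choices matter here: the pseudonym is a random token rather than a hash of the email or IP address, because a hash of a guessable value can be reversed by trying candidates; and deleting the vault entry is what turns a pseudonymized record into an anonymized one, which is why the vault, not the analytics store, is the part that needs the strongest access control.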

Best practice regarding user consent
GDPR also requires broadcasters to obtain their users’ consent if they want to use their data in certain ways. Here are three examples of best practice in this area:
1) Classify your data
Broadcasters should classify which types of data are strictly necessary for performance of a contract, such as the customer’s payment details and delivery address in an online contract of sale. That data, provided that it is strictly used for the purpose for which it was first collected, does not require additional user consent.
2) Adopt active and granular opt-in
Consent must be separate from acceptance of the contract’s general terms and conditions, and consent should no longer be a prerequisite for forming a contract or signing up to a service.
The consent — or opt-in — process must now be active and explicit: boxes checked by default on physical contracts or online forms are likely no longer valid.
Consent must be granular, distinguishing between the various types of data processing.
3) Name your providers and provide other information
The broadcaster’s corporate name and the names of the service providers with which it exchanges personal data must be explicitly mentioned.
It should be easy for viewers to withdraw their consent to that exchange, and the procedure must be simple, effective and free of charge.
Broadcasters must provide the following information to their users:
• Who is collecting the data
• Which data is being collected
• The legitimate interest in using the data
• Who the data is being shared with
• The destination of the data if the country is outside the EU
• The period during which the data will be stored
• How to rectify data
• How to withdraw consent
• How to make a complaint to the authorities

Where data is processed for business intelligence purposes, broadcasters must describe the logic of the process being used and the decisions that it could entail for the user.
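The three consent practices above (classify data, active and granular opt-in, easy withdrawal), as an added example that is not code from the NAGRA post: contract-necessary purposes are allowed without separate consent, every optional purpose starts unticked and is only granted when the user actively ticked it, accepting the terms never implies an opt-in, and withdrawal is a single recorded call. The purpose lists, the `ConsentRecord` shape and the sample signup form are constructed assumptions.

```python
# Added example (not from the NAGRA post): a purpose-based processing check that
# keeps contract-necessary processing apart from granular, explicit opt-ins.
from dataclasses import dataclass, field
from datetime import datetime, timezone

# Constructed classification. Purposes strictly necessary to perform the contract
# need no separate consent, provided the data is used only for that purpose.
CONTRACT_PURPOSES = {"billing", "delivery"}
# Every other purpose needs its own active opt-in.
OPTIONAL_PURPOSES = {"marketing", "profiling", "share_with_partner"}


@dataclass
class ConsentRecord:
    # Every optional purpose starts at False: nothing is pre-ticked.
    opt_ins: dict = field(default_factory=lambda: {p: False for p in OPTIONAL_PURPOSES})
    # Audit trail of (timestamp, purpose, granted, source) so consent can be evidenced.
    history: list = field(default_factory=list)

    def _set(self, purpose: str, granted: bool, source: str) -> None:
        if purpose not in OPTIONAL_PURPOSES:
            raise ValueError(f"unknown purpose: {purpose}")
        self.opt_ins[purpose] = granted
        self.history.append((datetime.now(timezone.utc), purpose, granted, source))

    def grant(self, purpose: str, source: str) -> None:
        self._set(purpose, True, source)

    def withdraw(self, purpose: str, source: str = "user request") -> None:
        # Withdrawal is a single call: simple, effective and free of charge.
        self._set(purpose, False, source)


def process_signup(form: dict) -> ConsentRecord:
    """Accepting the terms forms the contract; it never implies any optional opt-in."""
    if form.get("terms_accepted") is not True:
        raise ValueError("contract not accepted")
    consent = ConsentRecord()
    # Only a box the user actively ticked counts; absent or untouched boxes stay False,
    # and signing up does not depend on ticking any of them.
    for purpose, ticked in form.get("opt_ins", {}).items():
        if purpose in OPTIONAL_PURPOSES and ticked is True:
            consent.grant(purpose, source="signup form")
    return consent


def processing_allowed(consent: ConsentRecord, purpose: str) -> bool:
    """Decide whether data may be processed for a given purpose."""
    if purpose in CONTRACT_PURPOSES:
        return True
    if purpose in OPTIONAL_PURPOSES:
        return consent.opt_ins[purpose]
    return False  # unclassified purpose: deny rather than guess


if __name__ == "__main__":
    # Constructed form: the viewer accepted the terms and ticked only marketing.
    consent = process_signup({"terms_accepted": True, "opt_ins": {"marketing": True}})
    for purpose in ("billing", "marketing", "profiling"):
        print(purpose, processing_allowed(consent, purpose))
    consent.withdraw("marketing")
    print("marketing after withdrawal:", processing_allowed(consent, "marketing"))
```

The check is deliberately deny-by-default for any purpose that is not classified, so a new use of the data (for example a new business-intelligence process) has to be added to one of the two lists, and therefore consciously classified, before any code can run under it; the history list is what lets the broadcaster show when and how each opt-in was given or withdrawn.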

So GDPR imposes certain requirements on broadcasters, and non-compliance can lead to some fairly heavy penalties. But it’s not all bad news! GDPR also brings with it opportunities, as we will explain in our next post.
