EU’s GDPR – Things Publishers Need to Know


Data is an increasingly important tool for any business in 21st century, it helps us understand the market and improve our processes and enhances decisions making. Possession of the right kind of data and our ability to act on it has a lot to do with success or failure of any business. European Union is implementing the General Data Protection Regulation or GDPR on May 25th 2018, it concerns with data protection and privacy for all individuals within the European Union. This new law will alter the familiar terrain for businesses, and it doesn’t only affect the businesses in Europe but any organization from any country that has personal information on people from the region and sells products or services there. The EU’s share in the world economy is just shy of a quarter and any business who has or wants to cross the borders can’t just ignore Europe, eventually.

Changes on the Ground

The aim of the GDPR is to protect all EU citizens from invasion of privacy and data breaches, amidst the changing nature of technologies, businesses and consumer behavior. The seemingly most impactful change in the law concerns ‘consent’. Read the full text about the key changes in the GDPR website

With the new law, consent for any sort of information has to be asked for in a clear, intelligible and accessible manner, not in a vague and lengthy text full of legalese. It should encourage the end user to read the request for permission.  

Key changes listed in the website

Increased Territorial Scope

Arguably the biggest change to the regulatory landscape of data privacy comes with the extended jurisdiction of the GDPR, as it applies to all companies processing the personal data of data subjects residing in the Union, regardless of the company’s location.


Under GDPR organizations in breach of GDPR can be fined up to 4% of annual global turnover or €20 Million (whichever is greater). This is the maximum fine that can be imposed for the most serious infringements e.g.not having sufficient customer consent to process data or violating the core of Privacy by Design concepts.


The conditions for consent have been strengthened, and companies will no longer be able to use long illegible terms and conditions full of legalese, as the request for consent must be given in an intelligible and easily accessible form, with the purpose for data processing attached to that consent. Consent must be clear and distinguishable from other matters and provided in an intelligible and easily accessible form, using clear and plain language. It must be as easy to withdraw consent as it is to give it. Recital 32 of the GDPR mentions that​ ‘Silence, pre-ticked boxes or inactivity should not therefore constitute consent’

Breach Notification

Under the GDPR, breach notification will become mandatory in all member states where a data breach is likely to “result in a risk for the rights and freedoms of individuals”. This must be done within 72 hours of first having become aware of the breach.

Right to Access

Part of the expanded rights of data subjects outlined by the GDPR is the right for data subjects to obtain from the data controller confirmation as to whether or not personal data concerning them is being processed, where and for what purpose.

What constitutes personal data?

As per GDPR website, any information related to a natural person or ‘Data Subject’, that can be used to directly or indirectly identify the person. It can be anything from a name, a photo, an email address, bank details, posts on social networking websites, medical information, or a computer IP address.

Right to be Forgotten

Also known as Data Erasure, the right to be forgotten entitles the data subject to have the data controller erase his/her personal data, cease further dissemination of the data, and potentially have third parties halt processing of the data.

Data Portability

GDPR introduces data portability – the right for a data subject to receive the personal data concerning them, which they have previously provided in a ‘commonly use and machine readable format’ and have the right to transmit that data to another controller.

Privacy by Design

Privacy by design as a concept has existed for years now, but it is only just becoming part of a legal requirement with the GDPR. At its core, privacy by design calls for the inclusion of data protection from the onset of the designing of systems, rather than an addition.

Data Protection Officers (DPO)

Under the new law there will be internal record keeping requirements, and DPO appointment will be mandatory ‘for those controllers and processors whose core activities consist of processing operations which require regular and systematic monitoring of data subjects on a large scale or of special categories of data or data relating to criminal convictions and offences’. The DPO must have a high level of independence and they can only be fired by the board. EU has signaled that for smaller companies outsourcing DPOs is acceptable. The criteria for DPO appointment are listed in the website

GDPR and the Publishing Industry

Publishing business heavily relies on consumer data, we need demographic data to reach out to new markets, (retailers) need data to glean on reader interaction and get insight on what products consumers are looking for, and we need data to make numerous business decisions every day. For those in the business, data is a tool but for individuals data is personal; who has my personal information, who will they pass it on to, what do they do with it is a matter of concern. The new law means to protect the privacy of the people and seek consent from them to get hands on any information about them, how this will affect the publishers who rely on data might not be very clear at this stage, but there is no need to panic. Certainly we have to be aware of how GDPR is going to affect our data collection, storage, and usage, and decide on where to draw the line.

We shouldn’t panic because when a law is passed it’s for everybody. Besides, any data that is collected by consent is more powerful, the thought that GDPR can hamper business could turn out to be a misapprehension. The bright side of GDPR compliance gives us an opportunity to put a revamped focus on data – to update it, to streamline it and see which part of it is usable and what part to get rid of (note: possessing information that was taken without consent violates the upcoming law). In the long run this revamped strategy on data will only have positive effect on the business, whereas non-compliance could bring financial or reputational damage.

Things to do right away

If a publishing house or a retailer is based in EU or has business there, changes need to be made to the method of data collection and processing, and think of what to be done of the existing data, some of us might need legal consultation from experts and that could be a process that takes time and resource. The least we can do right away is make quick possible alterations to the way we gather data. Those quick changes could be like getting rid of the pre-ticked boxes, revamping web forms and landing pages with more text and tick boxes. But on the plus side, collecting data is totally fine — just so long as you have explicit consent for every little data point in question.

 that helps create engaging, personalized experiences. EU’s GDPR might just be the beginning, the wave will catch up with other economies, and spread across the globe, it’s wise to have lasting strategies in place. For an unhindered operation it behooves all businesses that possess information on consumers to have streamlined, compliant and future proof data strategy.