The General Data Protection Regulation (GDPR) has a significant impact on how data-focused OTT, Telcos and online content providers operate today. Anyone whose business serves EU customers, whether it’s based within or outside the EU, after 25th of May needs to abide the new rules.
Here is the list of essential topics service providers and TV operators need to follow:
Under GDRP law online identifiers such as IP addresses, cookies or device identifiers are considered personal data. In the TV industry, online indicators are generally used, and they administrate most forms of content personalization. This information is used for targeted advertising, for content recommendations in analytics and for the video delivery itself.
Where this legislation differs from the laws that applied before 25th of May 2018 that all non-personal data, when it is used in conjunction with other data, is also considered personal if it can identify information about an individual. (Ludo Rubin, “GDPR: The Implications for TV Service Providers“, Nov 2017)
Personal data can no longer be attributed to a specific data subject without the use of additional information. That information must be kept separately and must be thought of as an encryption key. It is subject to technical and organizational measures to ensure that the personal data are not attributed to an identified or identifiable natural person.
Although GDPR came into force in 2018, personal data collection must still follow the existing requirements first set out in 1995, the so-called Data Protection Directive, especially in being limited in time and purpose. Data integrity, accuracy, relevancy, and legally justified processing must all be ensured. (Intersoft Consulting, “Art. 4 GDPR Definitions”)
The legal justification of personal data processing is now stricter for OTT service providers. Under the GDPR, consent given by the customer is valid only if customers give it freely, based on clear and specific information for each processing operation needed. Besides that, OTT service providers must also guarantee additional rights for their customers, mainly the right to be forgotten and the right to data portability.
Furthermore, giving consent to the service provider customers must have the right to access their data and see what is being kept on them; additionally, the requests for personal information must be made entirely free of charge. (Ludo Rubin, “Five ways European Data Privacy regulations will disrupt Online Video and OTT Businesses“, June 2017)
OTT service providers have greater responsibility for data processing activities performed by third-party suppliers. OTT operators are required to obtain explicit consent from customers to collect and process personal data. Also, they must be ready to share some information with them about the logic involved in the processing and the significance and envisaged consequences of such algorithms.
Data Privacy is required as a standard core component of any application or any service from the very beginning. New business logic will need to support the up-to-date rights that are given to customers, and updated customer portals will be required.
As director Bart Willemsen, in one of Gartner researches said: “Organizations should acknowledge they don’t exist to process personal data, but they process personal data to do business. “Where there is a reason to process the data, there is no problem. Where the reason ends, the processing should, too.” (Natasha Lomas , Techcrunch, “WTF is GDPR?“, Jan 20, 2018)
Contact Beenius representative for complete E2E solution and consultancy services today!