The EU General Data Protection Regulation (GDPR) is a new, comprehensive data protection law that updates the EU’s existing data protection regime to strengthen the protection of EU residents’ personal data in light of rapid technological developments, increased globalization, and more complex, international data flows. It replaces the patchwork of national data protection laws currently in place with a single set of rules, which will help harmonize data protection law across the EU (and the European Economic Area (EEA)) by removing the need for national implementation.
The GDPR, which was adopted in 2016 and went into force on May 25, 2018, applies to organizations established both in and outside the EU that process EU residents’ personal data.
For more information about the GDPR, please visit the European Commission’s GDPR webpage.
Following the formal adoption of the GDPR in April 2016, Nielsen assembled a cross-functional GDPR team composed of Nielsen’s Chief Privacy Officer, EU Data Protection Officer, Legal Privacy team, and senior representatives from Nielsen’s Data Security, Engineering, Process Improvement and Technology teams.
As part of Nielsen’s ongoing commitment to transparency, accountability and the responsible stewardship of the personal data that we handle, our GDPR team has focused on identifying and addressing GDPR readiness priorities across Nielsen’s diverse products and businesses. To accomplish this, the team developed and managed various work streams across all of Nielsen’s business lines.
Some of the specific steps we have taken to prepare for the GDPR include:
Assessing our data processing activities to ensure that data protection is “baked in” to our products and services
Documenting our data processing activities and data flows
Updating our privacy notices to meet the GDPR’s transparency requirements
Implementing processes to give effect to the new and broader rights of data subjects under the GDPR (i.e., the “right to be forgotten” and right of data portability)
Reviewing and updating our vendor/supplier agreements to ensure that personal data is adequately protected
Enhancing our internal incident response and escalation processes
While the GDPR expands the definition of “personal data” to include location data and unique identifiers associated with a browser or device, this change does not materially impact Nielsen or result in many additional compliance obligations for our organization. It has been a long-standing practice at Nielsen to design our products and services according to the principle of Privacy by Design, and embed other relevant data protection principles like data minimization, use limitation, and data security into their design.
EU data protection law requires organizations to have a lawful basis for all of their data processing activities. Under the GDPR, there are multiple grounds to justify the processing of EU personal data, each of which has the same legal effect.
The basis on which Nielsen processes EU personal data depends on the nature of the processing and our relationship with the relevant data subject. The majority of our data processing is based on: (a) a contract made with or on behalf of a data subject; (b) Nielsen’s “legitimate interests;” or (c) the valid consent of a data subject.
With respect to our digital and mobile measurement products/services, Nielsen acts as a data processor and, as such, processes personal data on the basis established by the data controller (e.g., the publisher, media agency or advertiser). Where we offer ad enablement services, Nielsen acts as a data controller and is responsible for ensuring that there is a lawful basis for the processing.
We are closely following the ongoing conversation about the interplay between the ePrivacy Directive and the GDPR (i.e., the need to obtain consent for the placement of cookies and use of other similar technologies under the ePrivacy Directive and the requirement to have a lawful basis for processing personal data under the GDPR). Additionally, we are evaluating how we might leverage the consent frameworks that have been proposed or announced by different actors, including IAB Europe and Google.
Where appropriate, we have and will continue to review and update our existing vendor/supplier agreements. We will also continue to enhance our vendor/supplier management activities, which are designed to ensure that appropriate assessments are conducted and Nielsen vendors/suppliers comply with applicable data protection and privacy laws, including the GDPR.
Nielsen has implemented inter-affiliate data processing agreements, including EU Standard Contractual Clauses (SCCs), to facilitate transfers between Nielsen entities globally. Nielsen also relies on SCCs to legitimize transfers of personal data to parties outside the EEA.
Nielsen is committed to protecting the security of all personal data in its possession. We adhere to internationally recognized privacy principles and protect Nielsen’s data, systems and networks from internal and external cyber security threats by implementing leading-edge security technologies and industry best practices and procedures in security planning, implementation, management and operations.
Nielsen has established incident response processes and procedures, which are designed to ensure that data security incidents are promptly detected, investigated, remediated and documented.
In the event of a confirmed security incident, we analyze the facts to determine whether notification to the impacted individual(s) and other parties (e.g., regulators) is appropriate. We also comply with applicable laws that require notification about data security incidents, including the GDPR, and we provide notification in a timely manner, when necessary.
Nielsen has processes in place to respond to requests from data subjects to exercise their rights under applicable data protection and privacy laws, including the rights of access, portability and erasure. We’ve enhanced our internal systems and associated processes to ensure that we can give effect to the new and broader rights of data subjects under the GDPR.
For example, we have implemented processes and procedures that are designed to ensure that we can effectively respond to the broader right to erasure available to data subjects under the GDPR. With respect to the personal data of a Nielsen panelist, following receipt of a valid erasure request, we anonymize the panelist’s data so that he or she no longer can be identified from the data that we hold. Additionally, where our digital and mobile products reach the public, individuals have the option to decline our processing of their data by downloading an “opt-out” cookie, deleting the cookies that we use (browsers) or resetting their device advertising identifiers (mobile).
Nielsen appointed an EU DPO in 2017, who is tasked with ensuring Nielsen’s ongoing compliance with its obligations under EU data protection law.