One of the most seismic changes to affect the digital industries of the internet age will happen on May 25, 2018 when the EU’s controversial General Data Protection Regulation (GDPR) will finally come into force.
No one can say that they weren’t warned — the proposal for the GDPR was first released in January 2012 — but the implications are still not understood for many industries, and broadcast is amongst them.
Since 2012 the Big Data revolution has really taken hold in the industry, with many business models and practices becoming increasingly data-driven. Successful online video and OTT operations are considered to be dependent on data. As a result the GDPR will have a significant impact on how data-focused OTT, Telcos and online content providers will operate. Indeed, anyone whose business serves EU customers, whether it’s based within or outside the EU, will have to abide by the new rules.
The penalties for not complying will be severe. As Wired puts it, “If an organization doesn't process an individual's data in the correct way, it can be fined. If it requires and doesn't have a data protection officer, it can be fined. If there's a security breach, it can be fined.”
And those fines are not going to be a slap on the wrist either. Minor offences will result in fines of up to €10 million or 2% of global turnover, whichever is the greater. Serious offences are double those amounts, up to €20 million or 4%.
It is complex legislation that has been drawn up since 2012 with many different vested interests trying to steer the regulations first one way and then the other. Indeed, a whole industry has sprung up to interpret some of the finer points of the legislation, the implementation of which will no doubt keep the courts as busy as the regulators over the next few years.
You can access all of its 99 articles here if you want to read them for yourself, but a fair summation of what Europe has ended up with is that any organization that collects personal data on people will be accountable for the way that data is used.
GDPR for TV Service Providers: five things you need to know
Here are the five most important points in the new regulation for TV Service Providers:
1. Online identifiers such as IP addresses, cookies or device identifiers are now considered personal data
Online indicators are commonly used in the industry and govern most forms of content personalization and more. They are used for targeted advertising, for content recommandations in analytics (though this data can often be anonymized already) and for the video delivery itself.
Where this legislation differs and is much stricter than before is that non-personal data, when it is used in conjunction with other data, is also considered personal if it can identify information about an individual.
Meanwhile, it is providing incentives for the adoption of pseudonymization.
In contrast to anonymization, which is where personal data is entirely wiped out and cannot be reverse-engineered in any manner so that individuals can be identified (although this is not always effective), pseudonymization can best be thought of as a type of partial encryption technique. Personal data can no longer be attributed to a specific data subject without the use of additional information, and that information is kept separately and can be thought of as an encryption key. It is, in the EU’s words, subject to technical and organizational measures to ensure that the personal data are not attributed to an identified or identifiable natural person.
It’s a useful workaround that enhances security, allows much freer use of data under the workings of the GDPR, and makes many of the strictures of the legislation easier to work with. For example, the requirements for data breach notifications are much more relaxed with pseudonymized data.
Meanwhile, personal data collection must still follow the existing requirements first set out in the 1995 Data Protection Directive, especially in being limited in time and purpose. Data integrity, accuracy, relevancy, and legally justified processing must all be ensured and OTT service providers will be held accountable for demonstrating compliance with these principles.
Interested in protecting expensive content? Look no further for top-quality content protection solutions.
2. The legal justification of personal data processing is now stricter for OTT service providers
OTT providers are, in the phrasing of the new legislation, ‘data controllers’, an entity that decides the purpose and manner in which data will be used, and as such they have responsibilities.
One of the key areas here involves consent. Under the GDPR, consent given by the customer is valid only if customers give it freely, based on clear and specific information for each processing operation needed. Under the old rulings such operations could be bundled together; that is no longer the case.
OTT service providers must also guarantee additional rights for their customers, mainly the right to be forgotten and the right to data portability, in that their data can be transmitted from one controller to another wherever this is technically feasible. Indeed, the wording here goes so far as to suggest that: “Data controllers should be encouraged to develop interoperable formats that enable data portability.”
Customers also have more rights to access their data and see what is being kept on them. Currently this involves a Subject Access Request and allows businesses to charge a nominal fee for access. This has historically limited the amount of requests made. The GDPR scraps this entirely and introduces a new framework where requests for personal information can be made entirely free of charge. Businesses will then have one month to comply.
Any Data Controller with over 250 employees is going to have to provide documentation describing what information is being collected on customers and why, and how it is secured. On top of that, organizations that feature what the GDPR refers to as "regular and systematic monitoring" of individuals will be obliged to employ a data protection officer who reports to senior members of staff and acts as first point of contact for data issues both internally and externally.
3. OTT service providers have greater responsibility over data processing activities performed by third party suppliers
‘Data Processors’ are effectively anyone or anything that processes personal data on behalf of the controllers, and this is one part of the legislation that is going to add a great deal of complexity to any outsourcing arrangements that OTT providers might have entered into. That affects cloud TV platform providers, IaaS providers such as Amazon AWS, Microsoft Azure, or Google Cloud; or any sub-contractor that is processing data, such as a marketing agency.
The arrangements for cloud-based services in particular are going to have to be looked at carefully here, and the upshot may well be a negative impact on OTT service costs. This is especially pertinent when added to the fact that controllers and processor(s) must now support higher liability risks of GDPR non-compliance.
Happily, after an initial slow reaction, the big cloud players have started to embrace the GDPR; Google assuring that Google Cloud platform will be fully compliant, Amazon pledging to be fully compliant for all its AWS services, and Microsoft declaring that Azure and many of its other cloud services will comply too. Given the size of these companies and the nature of their business this was perhaps expected, but there are many other third parties integral to the overall success of the OTT industry where this is not the case, especially in the marketing space.
4. Artificial Intelligence-based applications are now under greater scrutiny
AI and Machine Learning are boom areas in the industry at the moment, with TV Service Providers using AI-based applications for an increasing amount of processes including fraud management, personalized content recommendations, personalized marketing offers and programmatic advertising.
However, just as it leans more heavily on AI processes involving leveraging customer data, so the GDPR looks set to demand additional controls.
In particular it wants to guarantee transparency and equal rights when algorithms operate. As a result, OTT operators will be required to obtain explicit consent from customers to collect and process personal data. In addition, they must be ready to share some information with them about the logic involved in the processing and the significance and envisaged consequences of such algorithms.
This could have a significant impact on many AI apps with strong requirements for non-discriminatory data selection. It will also impacts the interpretability of such algorithms before and after execution — one of the important criteria about the explanation given is that it must be human-friendly. Self-learning algorithms, such as those found in Deep Learning, might be the most at risk as they process new data and existing results without any human intervention, making them opaque. Again pseudonymization might be able to help here, but in truth it is probably not going to be suitable for all applications.
Learn more about the effect of AI on TV services.
5. Data Privacy is required as a standard core component of any application or any service from the very beginning
One of the main drives behind the GDPR is that it changes the way that industries perceive the ownership of data. It is no longer something that can simply be scooped up and harvested like krill from the ocean, but something that has an owner who grants consent for it to be used. And that owner has rights.
From May 25, 2018 onwards, any service or product must take data protection risks into account from the design phase through its entire life cycle. This is ‘Data Protection by Design’. In addition the GDPR champions the concept of ‘Data Protection by default’, i.e., data collection must be set by default in a manner that only the minimum personal data is collected and lawfully processed.
For the broadcast industry this has far-reaching implications, as it will have a significant impact on software functionalities, architectures and development processes for any OTT service component.
New data and security infrastructure will have to enable pseudonymization; new business logic will need to support the up-to-date rights that are given to customers, and updated customer portals will be required.
To make sure all this happens smoothly, internal training, product and process documentation and extensive audits (data mapping, gap analysis, and impact assessments) will all need to be finalized by the date that the GDPR goes live. Given the fact that this does not only impact Data Controllers but the growing web of third-party Data Processors that the industry uses as well, this is a challenge probably best described as considerable.
GDPR for Broadcasters - The Conclusion
The GDPR is a far-reaching bill that will have a major impact on the way that many businesses operate. Given the nature of the way that industry has evolved to use data in an increasingly sophisticated manner over the course of the last decade, it is important to acknowledge that in no sense is this shutting the stable door after the horse has bolted. More, it’s a case of capturing the horse, bringing it back, and building a new and better stable with doors that only open in very specific, controlled manners.
The five considerations above are only the start of it as well, as there are plenty of other provisions in the GDPR that will have an impact all in themselves.
For instance, in the case of a data breach, companies only have a 72 hour-period to notify the relevant enforcing authorities and the individual subjects whose data has been stolen.
The simple message is that OTT service providers have to pick up the pace to set new processes, technologies and legal procedures in order to be ready on time. As recently as May this year, Gartner estimated that 50% of the companies affected by GDPR will not be in full compliance by the end of 2018.
And it is important to recognise the opportunity that GDPR brings to broadcasters. While it has been designed to guarantee transparency and trust between individuals and corporate entities, OTT service providers, broadcasters, and their suppliers can all take the opportunity of GDPR to innovate and differentiate. It can be our industry that develops and deploys new best practises, and becomes truly transparent in the way that it uses data.
In this way we can become trusted partners to our customers, and, once the GDPR simultaneously lifts the veil on the extent of data processing and gives data subjects the power over how their data is used, that trust is going to be an important consideration for many businesses.
Sections of this article initially appeared on KNect 365 Media + Networks
Images from: istock.com