GDPR in 2024: Your recap, six years on

May 2024 marks the 6th anniversary of the GDPR (European General Data Protection Regulation) coming into force. With so much development in the privacy space at the moment, it’s an ideal time for all businesses (inside and outside the EU) to revisit all things GDPR compliance and confirm that robust processes are in place to meet requirements.

Has the GDPR changed since May 2018?

It’s important to consider the GDPR as a dynamic framework. While its focus will always be protecting the privacy of European citizens online, it will adapt to the changing digital landscape to keep pace with developments in areas such as AI and third-party cookies.

You can find the full regulation here.

The questions that we should be asking ourselves regarding the GDPR haven’t changed. The standards of the GDPR remain high, and the non-compliance penalties significant. If anything, given that we’ve had six years to come to terms with this framework, we’ll have less of the leeway we might have expected on day one.

With the possibility of fines and legal action facing businesses not fully GDPR compliant, there’s no better time for a quick refresher and some peace of mind. GDPR applies to all of the data your business processes, whether processed directly or via a partner or third-party service provider. If you’re an Adjust client and we handle your business’s data (putting us in the role of third-party service provider), rest assured that our comprehensive privacy mechanisms meet GDPR requirements (more on this below).

Work through our checklist of questions to make sure every aspect of your business is GDPR compliant.

GDPR requirements checklist

The checklist

1. What kind of data are you storing?

The GDPR is concerned with the type of data being stored. Only data that is absolutely needed to provide the service to the full extent should be collected. The principle here is “data minimization” (Article 5(c), GDPR).

Ask your service provider exactly what personal data they’re storing, and why they need it. Ultimately, you’ll need to relay this information to potential users and give them the chance to opt-out of that type of tracking (more on that below).

2. Do you have a deletion policy, record of processing activities, and TOMs in place?

All these are required by articles 17, 30, and 32 of the GDPR. They include, for example, measures like:

  • Physical access control: Measures that deny unauthorized persons access to data processing systems that are used to process personal data.
  • Data access control: Measures that prevent unauthorized persons from using data processing systems.
  • Data usage control: Measures ensuring that persons authorized to use data processing systems can only access required data (according to their defined access authority), and that personal data can’t be read, copied, changed, or deleted by unauthorized persons during the processing, usage, and after storage of such data.
  • Separation rule: Measures that ensure that data that has been collected for different purposes can be kept separate during processing.
  • Pseudonymization: Replacing any personally identifiable information with a pseudonym.
  • Data transmission control: Measures that ensure personal data can’t be read, copied, changed, or deleted by unauthorized persons during electronic transmission, during transport, or while being stored on data storage media, and that it can be checked and established to which recipients personal data is intended to be transmitted via transmission systems.
  • Entry control: Measures that make it possible to check and establish after the fact whether personal data has been entered into, changed within, or deleted from data processing systems, and if so by whom.
  • Availability control: Measures that ensure that personal data is protected against accidental damage or loss.
  • Rapid recoverability: Measures to ensure that personal data can be quickly recovered in the event of a physical or technical incident through an emergency management plan and regular recovery testing.
  • Data protection management: Name and contact address of the appointed data privacy officer.
  • Incident response management: Measures that are taken to respond ASAP to an incident.
  • Privacy-by-default settings: Default settings of the IT systems, to the extent that only the personal data required for the pursued purpose is processed.
  • Contractual control: Measures that ensure that the commissioned processing of personal data complies with the guidelines of the contracting party.
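The pseudonymization and separation entries in the list above describe the goal but not the mechanism. As an added illustration (not Adjust’s code, and not part of the original post), the following Python sketch shows one common way to implement both: a keyed HMAC replaces identifiers with a stable pseudonym, the key is held separately from the data, and binding a purpose string into the MAC yields different pseudonyms per purpose so datasets collected for different purposes cannot be trivially joined. The sample record, the field names, and the purpose labels are constructed for the example.

```python
import hashlib
import hmac
import secrets
from typing import Dict, Iterable

# Constructed sample record for the example; not real user data.
SAMPLE_RECORD = {"email": "Alice@Example.com", "country": "DE", "event": "install"}


def new_key() -> bytes:
    """Generate a 256-bit pseudonymization key.

    The key must be stored apart from the pseudonymized data (e.g. in a
    secrets manager), otherwise the data is merely encoded, not pseudonymized.
    """
    return secrets.token_bytes(32)


def normalize(identifier: str) -> str:
    """Canonicalize an identifier so trivially different spellings map to one pseudonym."""
    return identifier.strip().lower()


def pseudonymize(identifier: str, key: bytes, purpose: str) -> str:
    """Derive a stable pseudonym for `identifier` under `key`, bound to `purpose`.

    HMAC-SHA256 is used rather than a bare hash: identifiers such as e-mail
    addresses have low entropy, so an unkeyed hash could be recomputed from a
    guessed identifier, while an HMAC cannot be recomputed without the key.
    Including the purpose in the MAC input gives the same identifier a
    different pseudonym per purpose (the separation rule in the TOMs list).
    """
    msg = purpose.encode("utf-8") + b"\x00" + normalize(identifier).encode("utf-8")
    return hmac.new(key, msg, hashlib.sha256).hexdigest()


def pseudonymize_record(
    record: Dict[str, str],
    key: bytes,
    purpose: str,
    pii_fields: Iterable[str] = ("email",),
) -> Dict[str, str]:
    """Return a copy of `record` with each PII field replaced by its pseudonym."""
    out = dict(record)
    for field in pii_fields:
        if field in out:
            out[field] = pseudonymize(out[field], key, purpose)
    return out


def same_person(pseudonym_a: str, pseudonym_b: str) -> bool:
    """Compare two pseudonyms in constant time (avoids timing side channels)."""
    return hmac.compare_digest(pseudonym_a, pseudonym_b)


if __name__ == "__main__":
    key = new_key()
    analytics = pseudonymize_record(SAMPLE_RECORD, key, "analytics")
    fraud = pseudonymize_record(SAMPLE_RECORD, key, "fraud-detection")
    print("analytics record:", analytics)
    print("fraud record:    ", fraud)
    # Same identifier, different purposes: the pseudonyms differ, so the two
    # datasets cannot be joined on this field without the key.
    print("joinable across purposes:", same_person(analytics["email"], fraud["email"]))
```

In practice the per-purpose key would be rotated on a schedule and revoked (effectively erasing the link to the person) when a retention period ends, which is one way to satisfy a deletion policy for data that must be kept in aggregate form.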

3. Do you offer your users an opt-out?

In general, marketers could rely on Article 6(1)(f) of the GDPR. According to this article, the user’s consent is not needed to process their personal data if a legitimate interest is held. Direct marketing is considered to be a legitimate interest, so you could assume that online marketing should also count as a legitimate interest, especially in an era where everything happens online.

In any case, all users must be given the opportunity to opt out of being tracked and have any of their data stored in your databases deleted (the latter referring to the “right to be forgotten” rule enforced by Article 17, GDPR).

4. Do you have a security/privacy certification in line with GDPR in place, and not just a listing from a self-certifying body?

There are various privacy certifications and regulations; each means something different. Some providers might choose to get a self-certification badge to “show” they have data protection controls in place. Simply putting a certification badge on a website does not mean that providers are actually compliant with the applicable data protection laws. The GDPR is a binding set of regulations directly applicable in each EU member state.

Every service provider should have a European certification, and not just a listing with a self-certifying privacy body (like the US-Privacy Shield). Not all security badges are the same, and research needs to be done into what the badge really guarantees. Unfortunately a self-certifying badge means that no expert or legal counsel has audited whether a company is complying with applicable data protection laws.

Adjust is ePrivacy certified. This certification comes with a stringent legal and technical audit, ensuring that we follow the strictest EU data protection laws.

5. Do you request users and other parties to sign a data processing agreement with you?

According to Article 28 of the GDPR, it’s mandatory that every company working with any kind of user data and sharing it with a service provider is in the loop regarding data collection, transfer and use. At Adjust, we sign a data processing agreement with all our European clients as standard.

6. Do you have a data privacy officer?

A key stipulation of GDPR is that every company working with data must employ or assign a data privacy officer to oversee GDPR compliance (Article 37, GDPR). If you want to find out more about Adjust’s data protection mechanisms, check out our Privacy Policy. If you have any questions, feel free to reach out to us here.

7. Where are your servers or cloud services located?

One big implication of the GDPR is the question around where storage is located. The essentials of the rule here are simple: if you’re storing personal data on residents of the European Union, then those servers should be located in Europe.

This means that the data itself should not be sent to servers outside of the EU (to the US, for example). Cloud services are affected too, and must have hardware somewhere in Europe in order to store data on European citizens.

Adjust’s servers on the ground for our European clients are physically located in Europe - in Frankfurt and Amsterdam. We’re also the only MMP to offer explicit data residency, meaning your data can be stored and processed in a specific, defined location, ensuring compliance and transparency.

As the privacy space continues to evolve, Adjust remains at the forefront of every nuance and change. Learn, for example, how Adjust is supporting client implementation of consent parameters to align with Google’s interpretation of the Digital Markets Act (DMA).

Ready to see Adjust for yourself? Request a demo.