Fine for Affiliate Marketing to Ignore GDPR? – By Micky Khanna

by Jenae Reid on October 9, 2017


As the arrival of the GDPR (General Data Protection Regulation) draws ever closer, there still seems to be uncertainty as to what GDPR means for affiliate marketing, and whether this applies to companies outside the EU.

One thing does seem certain: whether you’re a publisher, merchant, network/technology platform/solution provider, if your business controls, stores, or processes Personally Identifiable Information (PII) on any EU citizen (employees, customers, or suppliers), then – even if your business isn’t located within the EU – it’s highly likely that from May 25, 2018, the General Data Protection Regulation and its seven principles apply to you.

The fines (per the media) of up to €20m or 4% of gross annual turnover (whichever is the greater) should provide sufficient warning. However, even if those found guilty of non-compliance or negligence don’t receive a fine, it would be foolish to assume that your business won’t feel the financial impact.

Think about the negative publicity/PR, which then leads to the loss of customers and revenue. Then there are the shareholders, who will demand answers as to why preventative measures were not in place, despite the vast media coverage and warnings beforehand.

This undoubtedly brings into question the position of the CEO (the seventh principle of GDPR is accountability for the other six – Legality, Transparency & Fairness; Minimisation; Portability; Accuracy; Storage; and Integrity).

Prevention is Better than Cure – Act Today

If you control, process, or transfer PII, then you need to raise Awareness of the GDPR across your company now.

Review and assess the Confidentiality, Integrity, and Availability of data that you hold. Are you holding more information than necessary?

What legal basis do you have for processing personal data? Can you prove that you obtained explicit consent, and that the data subject is of legal adult age?

Think about how data is stored or transferred across your business or different territories. Have you reviewed your cloud/service providers’ agreements? How would you handle a “Subject Access Request”, and how can you ensure complete removal of personal data (if requested)?

Do you have a plan of action should a Data Breach occur (for example by carrying out Data Privacy Impact Assessments or a Risk Analysis of your software/hardware)?

Think about the way you Communicate Privacy Information. The appointment of a Data Protection Officer is mandatory if you employ over 250 staff, or if you control or process large amounts of data (or if you’re a public authority). Yes – there are exceptions in certain cases (but I only have 500 words, so those will have to wait for another day). Applying a “Data Protection by Design” approach from the top down sends a message both internally and externally that your company takes the security and privacy of its data seriously.

Don’t risk it by ignoring GDPR. After all, reputation, in an industry that is regularly under the spotlight, is key. If you’re found guilty of non-compliance or negligence, what will your clients and business partners conclude about how you treat their data?


Micky Khanna is an independent GDPR Practitioner, previously holding roles at MIVA, and

This article appeared in issue 40 of FeedFront Magazine, which was published in October 2017.

