What should every marketing and communications professional know about EU's new General Data Protection Regulation (GDPR)? There is a ton of information available about this scorching hot topic right now. Getting a grasp of the massive information load – legal terminology and all – might be a challenge.
Fret not, my friend. After reading this article, you will know why you should care about GDPR, understand the main terminology and know exactly what you should do to prepare.
So let's get started.
What is GDPR all about?
GDPR (General Data Protection Regulation) will be enforced in all EU member states in May 2018. The regulation is aimed to harmonize EU's data protection practices and improve the privacy of EU citizens.
The regulation concerns all those organizations that collect, store and process personal data, whether it is a large listed company, a foundation, a small or an administrative organization. Because nearly all organizations maintain some sort of personal register (such as customer or member register), the regulation is applied at a very wide scope.
GDPR should be taken seriously because violations against it will result in a fine that is 20 million euros maximum or 4% of the organization's revenue from the previous year, depending on whichever is bigger.
The regulation comes into force on the 25th of May 2018. It also applies to companies located outside the EU if they store or process the personal data of EU citizens.
GDPR's basic terminology
Before we dive more deeply into the regulation's content, let's go through some terminology:
Personal data: All data that can be used to identify a natural person. This data can be a name, an address, a social security number, an email address and network identification data.
Personal data register: A structured filing system of personal data which are accessible according to specific criteria.
Data controller: A natural person, community, bureau, foundation or other that a register is created for to use and that has the right to determine the use of it.
Data processor: A natural person, government official, bureau or other that processes the register for the data controller, such as email marketing service provider.
Data subject: A person in the register that can be identified.
Opt-in: A person's given consent for collecting and processing their personal data.
GDPR brings rights, obligations and responsibilities
As GDPR takes effect, the data subjects' rights increase as data controllers' obligations and responsibilities grow. The regulation allows data subjects to ask for information about their personal data and its usage from organizations. They also have the right to ask for transferring and erasing of their personal data, as well as object to the processing of it.
The data controller has to make sure that they are able to deliver the requested data to the data subjects and also comply with the requests of erasing data. The data controller also needs to be able to demonstrate that they have lawful grounds to collect and process personal data. When processing personal data, the data controller needs to comply with the principles of article 5.
A few key elements of this new regulation are privacy by design and privacy by default. This means that an organization has the obligation to take data security issues into consideration when designing systems, services and practices if they are in any way linked to processing personal data (privacy by design). Organizations also need to ensure that they collect and process only the correct personal data (privacy by default).
Essentially, GDPR brings more transparency and security into the process of collecting and processing personal data. For example, previously the average Joe or Jane might have had to start rioting about violations against using their personal data. Now the data processors of personal data registers have to ensure and demonstrate that they comply with the data security regulation and maintain the security of personal data.
GDPR [checklist] – here's how to prepare for the data security regulation:
1. Know your role – are you data controller or data processor?
Make sure you know what your organization's role is in handling personal data: are you data controller, data processor or both? The role is key to what obligations and responsibilities you have.
2. Check the legality of processing personal data
- Map out what personal data your organization collects, how it is processed and in which systems it is located. Remember to consider any personal data processing that has been outsourced.
- Make sure that you process personal data according to the GDPR, and update your practices if needed. Check whether it's easy to follow these practices in all of the systems that personal data is being processed for you (email marketing tool, for example).
- Ensure that the people that are in your register have given their consent to collecting their personal data, or that there is some other legality criteria to process this data.
- If there is no lawfulness to process all the personal data that you store in your register, think whether you can obtain consents (opt-in). Be prepared to revise your practices and possibly forgo any personal data that is on the ”grey area”. Make note that in many EU countries the local legislation that will amplify and complement GDPR is not ready yet.
3. Consider the rights of a data subject
- Be prepared to provide data subjects information about their personal data and its storage in electronic format. This information should be provided in compact and easily understandable form.
- Make sure that the data subject can transfer their personal data or erase themselves completely from the register.
- If the personal data register is stored outside the EU, make sure that the data subjects have given their consents to transferring their data outside the EU.
4. Take care of data security
- Make sure that the data security of personal data has been taken care of accordingly and make a risk evaluation of all the plausible threats. Make a data security document of your company's data security practices, in which you answer to at least the following questions: how personal data is processed and on what grounds, how data security is ensured, what measures are taken during a possible data breach and who in the company handle personal data.
- Find out how your system providers have prepared for data security issues. Ask them to provide a written document that you can save for future use.
5. Update Privacy Policies and Terms and Conditions
- Add data security practices as part of your Terms and Conditions. Check your contract situation with customers, service providers, subcontractors and system providers. Note that the data processor can't handle personal data without a written agreement (or other legal document) with the data controller. This agreement needs to include all the information that the article 28 in GDPR states.
- Make sure that content in the agreements that concern the use and practices of personal data is in line with the data security legislation of the country in question. With separate data security agreements you ensure that all parties involved take care of the obligations and responsibilities that the data protection regulation brings.
6. Nominate a Data Protection Officer
Nominating a Data protection officer is mandatory if data processing is carried out by a government official or a public sector organization. This officer also needs to be nominated always when the core operations of a company include processing sensitive personal data or large personal data registers. More information about nominating a Data protection officer can be found in article 37 of the General Data Protection Regulation.
7. Train your staff
Offer training for the people in your staff that handle personal data so that they are up-to-date about the changes that the new regulation brings along.
What are the effects of GDPR on email marketing and marketing automation? Invite our digital marketing and communications experts over, and we'll tell you more about preparing for GDPR.
The article was originally published on the 2nd of November 2017.
The content should not be considered as legal advice.