With the enforcement date of the EU General Data Protection Regulation (GDPR) approaching, the topic is on everyone's lips. The regulation is designed to harmonize data privacy laws across Europe, to protect and empower all EU citizens' data privacy and to reshape the way organizations across the region approach data privacy.
The EU regulation applies directly in every member state and sets the floor each of them must follow. Countries can tighten their national legislation within the room the regulation leaves them, but they cannot weaken it. Some of the details and interpretations remain uncertain, as aligning the national legislation of each country takes both time and effort. Yet there is a lot that we already know. We decided to write a series of blog posts to uncover the contents of the regulation and to offer you our best advice on how to prepare.
The regulation applies from 25 May 2018. It also applies to companies located outside the EU if they process the personal data of individuals in the EU while offering them goods or services or monitoring their behaviour. Storing that data outside the EU is a separate question: a transfer of personal data out of the EU is allowed only on a basis the regulation provides, such as an adequacy decision for the destination country or appropriate safeguards like standard contractual clauses. The data subject's explicit consent is only one of the narrow exceptions, not a general substitute for those safeguards.
Subject's right to access data
Part of the expanded rights of data subjects outlined by the GDPR is the right to obtain from the data controller confirmation as to whether or not personal data concerning them is being processed and, if so, for what purpose, which categories of data are involved, who the recipients are and where the data came from.
Moreover, the controller must provide a copy of the personal data free of charge (a reasonable fee may be charged for further copies) and, if the request was made electronically, in a commonly used electronic format.
For the first time, people across the EU can request their personal data easily, free of charge and within a fixed deadline: the controller has to respond without undue delay and at the latest within one month of the request. It is thus more than likely that people will use this right more often.
In practice the right of access covers all personal data that concerns the subject, not only what they have given you themselves. A newsletter click or a filled contact form is personal data, but so is a CRM note written by your salesperson about that person, and it has to be included in the copy. The narrower scope of "data the subject has provided" belongs to a different right: data portability.
GDPR also introduces, with some exceptions, the data subject's right to data portability (to receive the data they have provided in a structured, commonly used, machine-readable format and to transmit it to another controller) and the right to erasure, better known as the right to be forgotten.
Begin with finding out what personal data is processed and where
Each data controller should prepare for the GDPR well in advance. When the first data request arrives, it should not come as a surprise to the marketers: there should already be a named person and a process for handling it within the one-month deadline.
Begin your preparations by finding out what personal data is processed and where. Once you've untangled the current situation you can, little by little, make sure the data is stored and processed appropriately, and delve into how and by whom data requests will be dealt with.
GDPR also applies to companies located outside the EU if they offer goods or services to, or monitor the behaviour of, individuals in the EU. The regulation makes security of processing an explicit obligation: the controller and each processor must implement technical and organisational measures appropriate to the risk. Consequently, following the law and making sure your technology partners and software providers are up to date will become more important for marketers than ever before.
If you are partnering with an online software provider with no local offices or customer service centres, can you really verify where they store personal data and on what legal basis they transfer it? What if your technology provider is based outside the EU? Do you know for a fact that they will adapt to the GDPR requirements? Under the regulation you may only use processors that give sufficient guarantees, and the processing must be governed by a written contract, so these are questions to settle before the enforcement date, not after it.
Preparing for the GDPR has been a strong focus of ours for quite some time, and we keep a close eye on the development of the regulation. Here is how we are getting prepared:
- We are making updates to our software as we speak to ensure that the requirements of the new regulation are met well before it comes into force. We are developing our systems to support inquiries related to personal data and the right to be forgotten, so that our customers can effortlessly hand over, transfer and remove personal data. The systems are already saving all information related to the handling of personal data, and the data can easily be examined.
- Information security has always been of the highest priority to us. Our employees regularly follow information security announcements, and we react quickly to any vulnerabilities.
- We are actively participating in GDPR seminars and constantly follow the development and adaptations of the regulation in different markets.
- Our data is stored and processed within the EU and always follows the local legislation.
- With GDPR, we have agreed on regular third-party information security audits. Liana Technologies was recently granted CSA and FINCSC data security certificates. The certificates indicate reliability in email marketing practices and a high level of cyber security within the organization.
We promise our customers that both our technology and processes are in line with the GDPR. Moreover, we will keep you updated and provide you with more information as we move along. If you have any questions about the GDPR you may reach us at firstname.lastname@example.org.
The next part of our series will delve into the GDPR from an email marketer's point-of-view.