May 25, 2018 was a turning point for data protection in the European Union, as the General Data Protection Regulation (GDPR) took effect, repealing the Data Protection Directive 95/46/EC, which had been in force since 1995. Under the new regulation, businesses and organisations — even those based outside the European Union — that collect data of EU citizens have to comply with new rules protecting customer data.

The new regulation makes data protection rules identical across the European Union.

Why was GDPR introduced?

The main reason the new regulation was introduced is to align the existing legislation with the ways data is actually used today. We all remember a number of scandals, e.g. the Facebook and Cambridge Analytica case, in which millions of people were affected. Huge corporations like Google, Amazon and Facebook — and smaller organizations too, of course — collect a lot of user data, providing users with their services in return. Yet the Data Protection Act 1998 had been in force since before the internet became widely used and before cloud-based services were even invented. So, to protect EU citizens’ data and make its use more transparent, the new regulation was enacted.

Who is affected?

The regulation affects any company that operates in the European Union. It also covers organizations based outside the EU that offer goods and services to customers in the EU. This means that if your organization studies the consumer behavior of EU citizens, or you keep mailing lists for newsletters or promotions containing data of people living in the EU, then GDPR applies to you too.

There are two main types of companies that will be affected by the regulation:

  • ‘Processors’ of data. These are the companies that process the data on behalf of others, e.g. various IT service companies.
  • ‘Controllers’ of data. Companies of this type collect personal data and define how and why it is processed. They range widely, from e-commerce companies to charities and government organizations.

What personal data is protected by the GDPR?

Personal data includes name, phone number, email, interests and any other type of information collected by sales managers in any possible way — online or offline. It also includes things like IP addresses, location details, social media profiles and posts, bank account details, and medical information. To put it simply, it is any information that can be collected about an individual and associated with them.

Nine rights for individuals under the GDPR

According to the GDPR, individuals are provided with 9 fundamental rights that influence the way their data is collected and processed:

  • The right to be informed

Individuals whose data is gathered must be informed about the gathering in an explicit way — the notice must be transparent, intelligible, easily accessible and must explain how the data will be used.

  • The right of access

This means that individuals have the right to access the collected information after it has been gathered and processed. They also have the right to know how it is processed. The organization must provide a copy of the data in the requested format.

  • The right of rectification

According to this right, individuals are entitled to have their data rectified if it is inaccurate or incomplete.

  • The right to be forgotten

Individuals have the right to request deletion of their data without having to state a specific reason. This normally occurs when the individual is no longer a customer and there is no remaining reason to keep the data and continue processing it. Third parties to which the data was sent should also be informed that the data is being erased.

  • The right to restrict processing

Individuals have the right to ‘block’ or restrict processing of their personal data. Third parties must also be informed about the restriction.

  • The right to data portability

Individuals have the right to transfer their personal data to other controllers (service providers) or to obtain and reuse the data for their own purposes. The data must be provided within one month, free of charge, in a machine-readable format.

  • The right to object

Under this right, individuals are entitled to stop the processing of their personal data for direct marketing, scientific/historical research and statistics. Processing must stop as soon as the request is received. This right must be made clear to individuals at the very start of communication.

  • The right to object to automated processing of personal data

Individuals can object to automated processing of their personal data and to automated decision-making about their cases. This right was introduced to protect individuals against the risk of potentially damaging decisions being taken without human intervention. The right doesn’t apply where the automated decision is based on explicit consent or is authorized by law.

  • The right to be notified in case of a data breach

Individuals have the right to be informed if a data breach has compromised their personal data. The individuals must be notified within 72 hours of the organization becoming aware of the breach.

To comply with GDPR, it is vital to organize the collection and processing of personal data at your organization in a way that respects these rights.

What if my company does not comply?

A company or organization that doesn’t comply with the new regulation should expect a fine of up to €20 million, or 4% of global annual turnover — whichever is greater. For lesser offences, the ceiling is half that — €10 million, or up to 2% of the offending organization’s annual revenue — whichever is greater.

What steps must be taken?

Achieving compliance with the regulation takes a considerable amount of work — if you haven’t yet sorted out where data enters your company, where it goes and how it is stored, then now is the right time to make use of the silver lining of GDPR.

So, first off, appoint a data protection officer who will be in charge of GDPR compliance at your company. Secondly, review your business processes and marketing and sales activities, keeping in mind that an individual has the right to withdraw consent at any time — and that consent is valid only if each activity has its own separate consent.

After you have mapped where the data comes from, what you do with it, who can access it and what risks it faces, decide which data you want to keep, erase or archive. Don’t forget to check your infrastructure to ensure you are protected against data breaches, and establish processes for notifying stakeholders in case of a breach. You should also review and adjust your privacy statements and disclosures, and establish procedures for handling personal data — taking into account as many scenarios as possible.

Being transparent about how personal data is handled is important not only as a matter of compliance with GDPR, but also for maintaining fair relationships with customers. Although GDPR is a challenging regulation, it can be treated as a perfect chance to put the collection and processing of personal data at your company in order.

Disclaimer: content of this blog post is intended for information purposes only and should not be considered legal advice.