The General Data Protection Regulation comes into effect on 25 May 2018, by which date organisations must be compliant.
Here are the key aspects of this important regulation and what you need to know about GDPR if you work in marketing and public relations.
What is GDPR?
GDPR stands for General Data Protection Regulation. It is the most significant change to European data privacy law in 20 years, and it was approved by the European Parliament in April 2016.
The objectives of GDPR are to:
harmonize data privacy laws across Europe;
reshape the way organizations approach data privacy;
give control back to citizens and residents over their personal data.
When does GDPR apply?
GDPR applies if the data controller or processor is established in the European Union, or if the data subjects are in the EU and the organisation offers them goods or services or monitors their behaviour, regardless of where that organisation is based.
Valid consent must be specific to the data collected and to the purposes for which that data is used.
To demonstrate compliance with GDPR, a data controller must implement measures which meet the principles of data protection by design and data protection by default.
What is consent for GDPR?
The conditions for consent have been strengthened by the new European regulation:
companies are no longer able to bury consent in long, illegible terms and conditions;
a request for consent must be presented in an intelligible and easily accessible form;
the purpose of the data processing must be attached to the consent;
withdrawing consent must be as easy as giving it.
Explicit consent is required for processing sensitive personal data (health, biometric and similar special categories); in this context, nothing short of an “opt in” will suffice. Unambiguous consent is sufficient for non-sensitive data, so pre-ticked boxes or silence do not count.
GDPR defines personal data as any information relating to an individual, whether it relates to his or her private, professional or public life.
Anything from a name, a home address, a photo, an email address, bank details, posts on social networking websites, medical information, or an IP address can be considered personal data.
What is the difference between data protection by design & by default?
Article 25 of GDPR states that “the controller shall, both at the time of the determination of the means for processing and at the time of the processing itself, implement appropriate technical and organisational measures and procedures, [...] which are designed to implement data protection principles”.
The regulation further explains the differences between data protection by design and by default as follows.
1. Data protection by design
Systems and technology should be designed in such a way to ensure that:
(i) data processing is limited to what is necessary for the purpose for which the data was collected; and,
(ii) only those within an organisation who need to access the personal data can do so.
Privacy by design calls for data protection to be built in from the outset of system design, rather than bolted on afterwards.
2. Data protection by default
By default, systems must process only the personal data necessary for each specific purpose (in the amount of data collected, the extent of processing, the storage period and who can access it), and personal data must not be made accessible to an indefinite number of people without the individual's intervention. The most privacy-protective settings must be the ones a user gets without having to change anything.
Who are the main GDPR subjects?
A data processor is an entity which processes personal data on behalf of the controller.
A data controller is an entity that determines the purposes, conditions and means of the processing of personal data.
A data subject is a natural person whose personal data is processed; for GDPR's purposes this is typically someone in the European Union.
What subject rights does GDPR protect?
GDPR introduces four key protections, among others (it also gives data subjects rights to rectification, to restriction of processing, to object, and not to be subject to purely automated decisions). Namely:
a. Breach Notification
notification to the supervisory authority is mandatory in all member states where a data breach is likely to “result in a risk for the rights and freedoms of individuals”; where the risk is high, the affected data subjects must be told as well;
breach notification must be provided within 72 hours of the controller first having become aware of the breach;
data processors must notify their customers, the controllers, “without undue delay” after first becoming aware of a data breach.
b. Right to Access
This is the right to obtain from a data controller confirmation as to whether or not personal data concerning them is being processed, where and for what purpose. A data controller shall provide a copy of the personal data free of charge (for the first copy), in an electronic format where the request was made electronically.
c. Right to be Forgotten (or Data Erasure)
This entitles the data subject to have the data controller erase their personal data, cease further dissemination of it, and potentially have third parties halt processing of it.
Conditions for erasure include the data no longer being relevant to the original purposes for processing, or the data subject withdrawing consent.
d. Data Portability
This is the right for a data subject to receive the personal data concerning them which they have previously provided, in a “commonly used and machine-readable format”, and to transmit that data to another controller.
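Data protection by design and by default, the purpose-bound consent rules and the erasure and portability rights above can all be read as one design pattern: deny processing unless a named purpose is covered by consent, return only the fields that purpose needs, let only the role responsible for that purpose see them, and make erasure and export first-class operations. The following Python model is an added illustration written for this page, not code from the original article or from any regulator; the purposes, roles, field names and the `Store` class are assumptions chosen for the example, and the subject record is constructed sample data.

```python
"""Added illustration of GDPR data protection by design and by default:
purpose-bound consent, default-deny access, field minimisation, erasure
and portability export. All names here are assumptions, not from the page."""
from dataclasses import dataclass, field
from datetime import datetime, timezone
import json

# Fields each processing purpose genuinely needs (data minimisation). Assumed purposes.
PURPOSE_FIELDS = {
    "newsletter": {"email"},
    "order_fulfilment": {"name", "address", "email"},
    "clinical_followup": {"email", "health"},
}

# Purposes each internal role may act for (restricted access, default deny). Assumed roles.
ROLE_PURPOSES = {
    "marketing": {"newsletter"},
    "logistics": {"order_fulfilment"},
    "care_team": {"clinical_followup"},
}

# Special-category data: nothing short of an explicit opt-in will do.
SENSITIVE_FIELDS = {"health"}


class ProcessingDenied(PermissionError):
    """Raised when a processing request lacks consent or authorisation."""


@dataclass
class Subject:
    subject_id: str
    data: dict
    consents: dict = field(default_factory=dict)  # purpose -> ISO timestamp of consent


class Store:
    def __init__(self):
        self._subjects = {}

    def add_subject(self, subject_id, data):
        # Default state: no consent for any purpose, so no processing is possible yet.
        self._subjects[subject_id] = Subject(subject_id, dict(data))

    def record_consent(self, subject_id, purpose, explicit_opt_in):
        """Attach consent to one named purpose; sensitive data needs an explicit opt-in."""
        needed = PURPOSE_FIELDS[purpose]
        if needed & SENSITIVE_FIELDS and not explicit_opt_in:
            raise ProcessingDenied(f"{purpose} touches sensitive data; explicit opt-in required")
        self._subjects[subject_id].consents[purpose] = datetime.now(timezone.utc).isoformat()

    def withdraw_consent(self, subject_id, purpose):
        # Withdrawal is a single call, as easy as giving consent.
        self._subjects[subject_id].consents.pop(purpose, None)

    def process(self, subject_id, purpose, role):
        """Return only the fields the purpose needs, and only if role and consent allow."""
        if purpose not in ROLE_PURPOSES.get(role, set()):
            raise ProcessingDenied(f"role {role!r} may not process for {purpose!r}")
        subj = self._subjects[subject_id]
        if purpose not in subj.consents:
            raise ProcessingDenied(f"no consent from {subject_id} for {purpose!r}")
        return {k: v for k, v in subj.data.items() if k in PURPOSE_FIELDS[purpose]}

    def erase(self, subject_id):
        """Right to erasure: drop the record entirely, not just flag it."""
        return self._subjects.pop(subject_id, None) is not None

    def export(self, subject_id):
        """Right of access / portability: the subject's data in a machine-readable format."""
        subj = self._subjects[subject_id]
        return json.dumps({"subject_id": subj.subject_id, "data": subj.data,
                           "consents": subj.consents}, indent=2, sort_keys=True)


def demo():
    """Walk one constructed subject through consent, processing, withdrawal, export, erasure."""
    store = Store()
    store.add_subject("s1", {"name": "Ada", "address": "1 Main St",
                             "email": "ada@example.org", "health": "asthma"})
    store.record_consent("s1", "newsletter", explicit_opt_in=False)  # unambiguous consent suffices
    results = {"newsletter": store.process("s1", "newsletter", "marketing")}  # only the email
    try:
        store.process("s1", "order_fulfilment", "logistics")  # right role, no consent
    except ProcessingDenied as e:
        results["no_consent"] = str(e)
    try:
        store.record_consent("s1", "clinical_followup", explicit_opt_in=False)  # sensitive data
    except ProcessingDenied as e:
        results["sensitive"] = str(e)
    store.withdraw_consent("s1", "newsletter")
    try:
        store.process("s1", "newsletter", "marketing")  # consent withdrawn
    except ProcessingDenied as e:
        results["withdrawn"] = str(e)
    results["export"] = json.loads(store.export("s1"))["data"]["email"]
    results["erased"] = store.erase("s1")
    return results


if __name__ == "__main__":
    print(json.dumps(demo(), indent=2))
```

The point of the model is that every call that touches personal data passes through one choke point (`process`) which checks purpose, role and consent together, so a new purpose cannot be served until someone has deliberately declared which fields it needs and which role owns it.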
What are the penalties for not being compliant with GDPR?
Organisations can be fined up to €20 million or 4% of their annual global turnover, whichever is higher, for breaching GDPR.
This is the maximum fine that can be imposed for the most serious infringements, for example not having sufficient customer consent to process data or violating the core of the Privacy by Design concepts. A lower tier of up to €10 million or 2% of global turnover applies to lesser infringements, such as failing to keep records in order or failing to notify a breach.
What is the relationship between GDPR and Brexit?
Outside the UK
If your organisation processes data to sell goods or services to individuals in other EU countries, then you will need to comply with the GDPR irrespective of whether the UK retains the GDPR post-Brexit.
In the UK
If activities are limited to the UK, then the position is less clear.
The UK Government is likely to implement an equivalent legal mechanism, as both the Information Commissioner’s Office (ICO) and the UK Government have previously supported GDPR.
What can you do to be compliant with GDPR before the deadline?
Your marketing and communications teams can work with your legal department on:
ensuring your CRM is up to date and compliant;
having a plan in place for data acquisition, storage and processing that is compliant with GDPR;
providing clear opt-in marketing options when collecting customers' and prospects' data.