The General Data Protection Regulation (GDPR) is a new European privacy law due to take effect on May 25, 2018. It’s a complex and evolving piece of legislation. It sets forth new rules governing how companies may collect, store, and use personal data pertaining to and/or originating from individuals in the EU. It doesn’t matter whether your organization has any presence in the EU, or where your applications and data are processed and stored. If your organization holds or controls any data about an EU citizen, then you need to start thinking about being compliant with GDPR … and the sooner, the better. What is “personal data”?
In the context of GDPR personal data refers to any and all information that can be used to identify an individual. This includes, but is not limited to, names, email addresses, job titles, location data, or even your own unique identifiers. It makes no difference whether we are discussing automated data collection or manual data, and it even covers pseudonymous, or key coded data if the pseudonym can be easily linked back to a specific individual.
So in effect if you collect any information that can be used to identify a specific individual then the GDPR applies to you, and what you do with that data.
What are some of the key changes to data privacy under GDPR?
- Penalties – companies found to be in breach of GDPR may be subject to penalties of up to the greater of 4% of annual global turnover and €20 million;
- Heightened Accountability Obligations – companies processing the personal data of persons in the EU need to ensure that they have documented a lawful basis for data processing activities, engage in ongoing record keeping of data processing activities, document their compliance with the principles set out in GDPR and notify relevant authorities of data breaches within 72 hours, and take additional steps to protect and secure personal data;
- Transparency – under the GDPR companies are required to clearly describe how they process and use personal data, with more detail including their data retention, anonymization, and deletion policies and practices. Companies will as a minimum need a privacy policy on their websites;
How does GDPR impact my business?
The GDPR focuses on informing individuals about how their data is being used and stored, or, data transparency. Whether you collect customers’ personal information through online forms, an e-commerce store, or otherwise, you will need to make sure that your policies and documentation support this transparency.
Email Marketing
If you collect customer email addresses in order to market your business, then you may have to change the way you go about it.
You will not be allowed to send marketing or sales information to any individual unless they have specifically stated that they are happy for you to do so. This essentially means that you will have needed to ask their permission. Collecting their email for different purposes and then marketing to them will be considered a breach.
A simple example of this in practice is that marketing preference checkboxes on online forms will need to default to unchecked. That way, it can be shown clearly that a conscious decision has been made on the part of the recipient. E-Commerce sites will no longer be able to collect the contact details of customers in order to send them marketing information just because they have bought there previously.
How do I prepare for the GDPR? How do I know if I am compliant?
To determine whether you process personal data as a data controller or a data processor, and to understand and assess your compliance with the GDPR, you can use the checklists and self-assessment tools available through the UK’s Information Commissioner’s Office here: https://ico.org.uk/for-organisations/resources-and-support/data-protection-self-assessment/.
You can read more about the key changes under the GDPR here: https://www.eugdpr.org/the-regulation.html
You can find a copy of the full text of the GDPR here: http://ec.europa.eu/justice/data-protection/reform/files/regulation_oj_en.pdf.
In addition, you can find a step-by-step guide explaining the provisions of the GDPR and how to comply through the UK’s Information Commissioner’s Office here: https://ico.org.uk/for-organisations/guide-to-the-general-data-protection-regulation-gdpr/.
Disclaimer: The information presented on this website is for general information and discussion purposes only and may not be relied upon as legal advice. You should consult a licensed attorney before relying on the general information provided herein.
