The General Data Protection Regulation (GDPR) comes into force across the EU on May 25th 2018. The intention is to “create a landscape of consistency”, providing individuals with more control over how organisations use their personal data and enhancing privacy as a human right.
As deadline day draws nearer, it's vital to ensure that you are fully informed and prepared for compliance. So here's a reminder of the important changes, what effect they will have and some unavoidable actions that we all must take.
But how will GDPR affect your organisation?
To help you to make sense of it all, we’ve compiled a guide to summarise the major changes and implications, some checks you might want to undertake and some tips for the future. For a more comprehensive overview, read our eBook ‘Guide to GDPR’.
The key updates to legislation are:
- Wider Geographic Scope: organisations outside the EU must comply if they offer goods or services to individuals in the EU or monitor their behaviour there, regardless of where the processing itself takes place.
- Stronger Individual Rights: whilst only a few rights are absolute, individuals now have more control and more opportunity to dictate how we use their personal data.
- Obligatory Accountability: organisations must be able to demonstrate compliance, which means keeping records of their processing activities and evidence of any consent they rely on.
- Unambiguous Consent: say goodbye to pre-ticked boxes and convoluted jargon, consent must be clear and affirmative.
- Mandatory Breach Notification: security breaches are increasingly common. A personal data breach must be reported to the supervisory authority within 72 hours of the organisation becoming aware of it, unless it is unlikely to pose a risk to individuals; where the risk to individuals is high, they must also be told without undue delay, and a processor that suffers a breach must inform its controller without undue delay.
- Higher Fines: failing to comply with the GDPR can incur some serious penalties. At the highest tier, fines can reach €20m or 4% of total worldwide annual turnover, whichever is higher.
- Privacy by Design and by Default: data protection must be built into systems and processes from the outset rather than bolted on afterwards, and the most privacy-protective settings must be the default for individuals and organisations alike.
To be sure that your company is compliant, it’s first important to know exactly what definitions these new rules are pointing to.
Personal Data
The GDPR is primarily concerned with “Personal Data”: any information relating to an identified or identifiable living person. Importantly, data needn’t include someone’s name to be considered “personal”. If an organisation, or anyone likely to obtain the data, could reasonably combine it with other information to single out a person, then each piece of that data is personal data. Device identifiers, IP addresses, account numbers and location traces all fall into this category.
Which leads to the next key definition: the distinction between ‘anonymisation’ and ‘pseudonymisation’. Anonymised data has been irreversibly altered so that no individual can be identified from it, by anyone, by any reasonably likely means; as such, anonymised data does not fall under the GDPR. Pseudonymised data, on the other hand, has had its direct identifiers replaced with tokens, codes or keyed hashes, but the mapping or key that links those tokens back to individuals still exists, kept separately. Because re-identification remains possible for whoever holds that additional information, pseudonymised data is still personal data. Pseudonymisation is a valuable security measure that reduces the impact of a breach, but it does not take the data out of scope.
Special Category Personal Data requires further protection. Any data revealing racial or ethnic origin, political opinions, religious or philosophical beliefs or trade union membership, and any genetic data, biometric data used to uniquely identify a person, or data concerning health, sex life or sexual orientation, may only be processed under one of a short list of specific conditions. Explicit consent is the condition most organisations will rely on; the others include obligations under employment or social security law, protecting someone’s vital interests, establishing or defending legal claims, substantial public interest, the provision of health or social care, and archiving or research in the public interest. If none of these applies, the data must not be processed.
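The difference between the two terms is easier to see in code. The following is an added example, not code from the original article: it pseudonymises constructed sample records with a keyed HMAC, shows that an unkeyed hash of an identifier is not anonymisation (anyone with a candidate list can reverse it), shows that the key holder can still re-identify a keyed token (which is why the result remains personal data), and contrasts both with a genuinely anonymised aggregate. The records, the `CONTROLLER_KEY` value and the function names are all assumptions made for the example.

```python
import hashlib
import hmac

# Constructed sample records for illustration only; these are not real people.
RECORDS = [
    {"email": "Alice@example.com", "item": "book"},
    {"email": "bob@example.com", "item": "lamp"},
    {"email": "alice@example.com", "item": "pen"},
]

# Hypothetical secret held by the controller. In practice this comes from a KMS
# or HSM and is never stored beside the pseudonymised dataset.
CONTROLLER_KEY = bytes.fromhex(
    "3c5e1b9b2f6d4e0a8b7c1d2e3f405162a1b2c3d4e5f60718293a4b5c6d7e8f90"
)


def normalise(email: str) -> bytes:
    """Canonicalise the identifier so the same person always yields the same token."""
    return email.strip().lower().encode("utf-8")


def naive_hash(email: str) -> str:
    """Unkeyed SHA-256 of the identifier. Frequently mislabelled 'anonymisation'."""
    return hashlib.sha256(normalise(email)).hexdigest()


def pseudonymise(email: str, key: bytes) -> str:
    """Keyed HMAC-SHA256 token. Same input gives the same token, so records stay
    linkable, and anyone holding `key` can confirm which person a token belongs to."""
    return hmac.new(key, normalise(email), hashlib.sha256).hexdigest()


def pseudonymise_records(records, key: bytes):
    """Replace the direct identifier with a token; the rest of each row is untouched."""
    return [{"subject": pseudonymise(r["email"], key), "item": r["item"]} for r in records]


def reidentify(token: str, candidates, tokeniser):
    """Guess-and-check: run each candidate identifier through `tokeniser` and return
    the one that reproduces `token`. This is how unkeyed hashes of e-mail addresses,
    phone numbers or customer IDs get reversed in practice: the input space is small."""
    for candidate in candidates:
        if hmac.compare_digest(tokeniser(candidate), token):
            return candidate
    return None


def anonymise(records):
    """Aggregate counts per item with the identifier discarded entirely. No output
    row relates to one person, so no mapping or key can bring individuals back."""
    counts = {}
    for r in records:
        counts[r["item"]] = counts.get(r["item"], 0) + 1
    return counts


def demonstrate():
    """Return the facts a practitioner should take away, as a dict of booleans."""
    guesses = ["carol@example.com", "bob@example.com", "alice@example.com"]
    attacker_key = b"attacker does not know CONTROLLER_KEY"

    alice_naive = naive_hash("alice@example.com")
    alice_token = pseudonymise("alice@example.com", CONTROLLER_KEY)
    tokenised = pseudonymise_records(RECORDS, CONTROLLER_KEY)

    return {
        # An unkeyed hash is reversed by anyone holding a plausible candidate list.
        "naive_hash_reversed": reidentify(alice_naive, guesses, naive_hash) == "alice@example.com",
        # Without the key, an outsider cannot match tokens to people...
        "outsider_cannot_reidentify": reidentify(
            alice_token, guesses, lambda e: pseudonymise(e, attacker_key)) is None,
        # ...but the key holder can, which is why the data is still personal data.
        "key_holder_can_reidentify": reidentify(
            alice_token, guesses, lambda e: pseudonymise(e, CONTROLLER_KEY)) == "alice@example.com",
        # Two rows from the same person still link together in the pseudonymised set.
        "rows_still_linkable": tokenised[0]["subject"] == tokenised[2]["subject"],
        # The anonymised output is aggregate only; there is nothing per person to recover.
        "anonymised_is_aggregate_only": anonymise(RECORDS) == {"book": 1, "lamp": 1, "pen": 1},
    }


if __name__ == "__main__":
    for fact, holds in demonstrate().items():
        print(f"{fact}: {holds}")
```

Two points follow from running it. First, hashing an e-mail address without a secret key protects nothing once an attacker has a mailing list to test against, so a dataset "anonymised" that way is in fact still personal data. Second, even the keyed version stays personal data for as long as the controller keeps the key, so the key must be protected and the pseudonymised records must still be handled under the GDPR. Only the aggregate output, from which no individual row can be reconstructed, is outside its scope.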
Consent
Consent is the lawful basis the GDPR ties most tightly to proof, although it is only one of six lawful bases for processing and is not always the right one to rely on. For consent to comply with the GDPR, it requires a clear affirmative action on the part of the individual, and it must be as easy to withdraw as it was to give. What’s more, the organisation must document and be able to produce proof of:
- Who consented.
- When they consented (using time-stamped records).
- What information they were given at the time.
- How they consented (written or verbal).
- Whether they have withdrawn their consent, and when.
Data Controllers and Processors
Once personal data is collected, it passes into the hands of a Data Controller and, often, a Data Processor. A Data Controller decides the purposes and the essential means of the processing: which information is necessary and what it is used for. A Data Processor handles personal data on the controller’s behalf and is subject to fewer obligations, but it may only act on the controller’s documented instructions, and the GDPR requires a written contract between the two setting out those instructions, the security measures expected, and what happens to the data at the end of the engagement. Within that contract a processor may choose the non-essential, technical means: how the data is stored, transferred, retrieved and deleted. Importantly, BOTH parties are responsible for the security of the data and can be held liable for damage caused by a breach.
Preparing for GDPR
We’re sure that you’ve been preparing for the upcoming changes already, but as we near the deadline, check that you have taken the following steps to avoid those hefty fines:
- Data Cleansing: be sure that legacy data is updated or cleared. You don’t want to risk processing data you have no lawful basis to hold, or sending unsolicited emails to individuals who haven’t consented.
- Asking for Consent, Again: it’s likely that pre-existing consent or subscriptions will not be specific enough. For those individuals whose data you store and process, be sure to get up-to-date, clear and categorised consent; and make sure it’s documented!
- Working Collaboratively: although only some organisations must appoint a dedicated Data Protection Officer, it’s important to work together to ensure that all parties are compliant. GDPR affects staff well beyond the marketing department, and third party contractors who handle your data too, so share guidance and checklists with them: their failings can become your liability.
Ensure that you are fully prepared before the 25th of May, by clicking through to our in-depth 'Guide to GDPR'. Inside you will find:
- Further definitions, regarding individuals' rights, consent and legitimate interests.
- Details to include when updating consent forms and Privacy Policies.
- Checklist of practical actions and key considerations for compliance.
- Best practices for the future, continuing GDPR after deadline day.
Compliance is vital and unavoidable, so, if you are in any doubt, be sure to seek advice and further research.
(Title image sourced via Flickr.)