Updated: A Marketer's Guide to the New European Data Regulation (GDPR)
The new European General Data Protection Regulation (GDPR) has been published in the official journal and will pass into law in less than 2 years.
Brexit WILL NOT make British companies exempt from GDPR; the Regulation will require all companies, regardless of location, to protect the privacy of any data they collect, store or process that relates to a resident of the EU.
“GDPR is a paradigm change in the way that data collection and use is regulated. We have moved from an era of relatively laissez-faire regulation of data in Europe to having the most stringent data laws in the world.” – Ross McKean, partner at law firm Olswang.
“While the Regulation will enter into force on 24 May 2016, it shall apply from 25 May 2018. The Directive enters into force on 5 May 2016 and EU Member States have to transpose it into their national law by 6 May 2018.” (From the EU Commission Site)
The proposed data breach fines have been agreed and breaches or lack of compliance will lead to fines of €100 Million, or 4% of global revenue, whichever is higher. We discussed some of the impacts of the new European Data Protection Regulation in a previous article; here we will provide a snapshot of those rules which will be law in 2018.
The first thing to do is seek legal advice specific to your business. The complete Regulation is now available and is being analysed by legal experts everywhere.
WHAT DOES ALL OF THE JARGON MEAN?
- This is a Regulation, not a Directive: there will be no room for manoeuvre, as each state will be legally required to enforce it fully.
- The User is the individual to whom the data refers
- Controllers are anyone who uses the data, transfers the data, or stores the data on their hardware
- Notice – people whose data is being collected, processed and kept should be informed
- Purpose – data collected should be used only for the stated purpose(s) and for no other
- Consent – personal data should not be disclosed or shared with third parties without the consent of the person concerned
- Security – once collected, personal data should be kept safe and secure from potential abuse, theft, or loss
- Disclosure – people whose personal data is being collected should be told which party or parties are doing this
- Access – people should be granted access to their personal data and allowed to correct any inaccuracies
- Accountability – people should be able to hold personal data collectors accountable for following all these principles.
EVERY PIECE OF DATA RELATING TO AN EU CITIZEN NEEDS TO BE COMPLIANT
The Directive has retained the definition of personal data as:
"any information relating to an identified or identifiable natural person (‘data subject’); an identifiable person is one who can be identified, directly or indirectly, in particular by reference to an identification number or to one or more factors specific to his physical, physiological, mental, economic, cultural or social identity" (Article 2a).
Any data that relates to an individual in the EU, no matter how little of it you hold or how hard it is to relate to that individual (including collecting and storing the IP address of anyone from within the EU who visits your site, holding a phone number, or recording a call), requires their express knowledge and consent to the uses you intend.
This applies whether or not your company or the data are based in the EU.
WHAT ARE THE RIGHTS, POWERS AND EXPECTATIONS OF A USER?
Whether you hold the data on your own system or with a third party (Cloud service or datacentre), you will be legally responsible for ensuring that the following is adhered to:
- You must inform individuals of any data you have collected about them
- You must inform those people what you intend doing with it
- Without their consent to that use, you cannot hold the data or proceed to use it
- After consent is given, you must offer the option to opt out
- A User can request, at any time, that you delete all data relating to them.
Having a robust data management policy will be essential for every business. Having a certified Data Processing Officer might also be your next step. Each business will face its own challenges and we strongly advise that you seek legal counsel and have a trusted source review all of your data collection systems for potential risk.
SO WHERE TO START?
You have less than two years to ensure that you are not fined when GDPR is enforced.
SEEK LEGAL ADVICE!
We are not certified in law, and this is a complicated issue with business-critical ramifications. This article is meant as a starting point for discussion and consideration only and does not define the legal responsibilities of the reader.
GET OUR FREE GUIDE: Want practical steps you can take to be ready for GDPR? Click the link or the button below to check out our free guide: What Marketers Can Do About the New European Data Protection Regulation