The European Union has taken a significant step in protecting the fundamental right to privacy of every EU resident with the General Data Protection Regulation (GDPR), which will be effective from May 25, 2018. Under the regulation, EU residents will have a greater say over what, how, why, where, and when their personal data is used, processed, or disposed of. The regulation clarifies that EU personal data law applies even beyond the borders of the EU: any organisation that works with EU residents’ personal data in any manner, irrespective of its location, has obligations to protect that data.
The new regulation replaces the Data Protection Directive 95/46/EC.
The regulation sets out the responsibilities of:
- Data Controllers – those who determine what personal data is collected and how it is processed; and
- Data Processors – those who process personal data on behalf of a Controller
and gives more rights (power and control) to:
- Data Subjects – any individual who can be identified, directly or indirectly, by the data (Personally Identifiable Information, PII) held about them
What are the strengthened Rights for Data Subjects?
Individuals now have the:
- Right to be informed – clarity about who uses their data
- Right of access – to see what data is held on them
- Right to rectification – to have it amended if inaccurate
- Right to erasure – to have it deleted on request
- Right to restrict processing – to specify in what ways their data can be used
WHAT SHOULD CUSTOMERS BE DOING TO GET GDPR-READY?
We understand that for our customers, in their role as data controller, meeting the GDPR requirements will take time and effort. It is likely that a myriad of systems and third-party applications are in use to run their business.
If you are still at the stage of reviewing what you need to do to demonstrate compliance, here is a suggested checklist:
- Create a data privacy team to oversee GDPR activities and raise awareness
- Review the current security and privacy processes in place and, where applicable, revise your contracts with third parties and customers to meet the requirements of the GDPR
- Identify the Personally Identifiable Information (PII)/Personal data that is being collected
- Analyse how this information is being processed, stored, retained and deleted
- Assess the third parties with whom you disclose data
- Establish procedures to respond to data subjects when they exercise their rights
- Establish and conduct Privacy Impact Assessments (PIAs)
- Create processes for data breach notification activities
- Maintain continuous employee awareness, which is vital to ensure continual compliance with the GDPR
PENALTIES FOR NON-COMPLIANCE
If your business is found to be in breach of the GDPR, you face a hefty fine. The maximum can be up to 4% of your annual global turnover or €20 Million, whichever is greater. Fines are imposed for infringements such as:
- Insufficient customer consent to process data
- Not having your records in order
- Failing to notify the relevant authority and data subjects about a breach
As an organisation that collects personal data in order to fulfil a sales function, you are classed as a Data Controller. Your obligations under the regulations include, but are not limited to:
- protecting personal data against accidental loss, unauthorised access, or unlawful processing (this is typically addressed in a Security Policy)
- having written agreements with processors that are given access to your customers’ data, requiring them to act only according to your instructions and to comply with all data protection requirements (this is typically addressed in commercial contracts)
- informing the data subject (end customer) within 72 hours of first becoming aware of a data breach
In addition, you should follow the basic data protection principles of:
- Lawfulness, fairness and transparency – the basic tenets of how you handle and manage your customer data
- Purpose limitation – how long you have been keeping the data
- Data minimisation – identifying what data is held and for what purpose; and not keeping more than is necessary
- Accuracy – making sure the data you hold is accurate
- Data retention – is the data you hold still necessary for the original purpose of processing?
- Security – how secure is the data you hold?
DATA CONTROLLER – LEGAL BASIS FOR PROCESSING DATA
For most of the organisations we work with, this is likely to be on the basis of ‘legitimate interests’. The rationale for this can include:
- no sensitive personal data is collected (e.g. racial or ethnic origin, political opinions, religious beliefs, trade union activities, physical or mental health, sexual life, or details of criminal offences)
- the amount and type of data collected is minimal and deemed reasonable to expect for the fulfilment of the activity (e.g. to process a sale for tickets to be delivered to a customer, it is necessary to collect a name, address and payment details)
- there is a minimal privacy impact on the individual based on the range of data held and how it is used
For organisations that choose to rely on ‘consent’ as the lawful basis for processing data, the regulations introduce enhanced rights for individuals.
1 | CONSENT SHOULD BE EXPLICIT AND REQUIRE A POSITIVE OPT-IN
2 | IT SHOULD BE EASY TO WITHDRAW CONSENT
All email communications should carry an ‘Unsubscribe’ link, and unsubscribe requests should be recorded in the email marketing client being used. A documented process should exist defining any ‘Master/Slave’ list relationships within your email client, so that a withdrawal of consent is applied to every list that holds the individual.
3 | RIGHT TO BE FORGOTTEN
Individuals have the right to request that their personal data is erased.
4 | REQUEST FOR INFORMATION
Individuals can request to see what data the data controller holds on them, and organisations must respond to any such request within a maximum of 1 month (unless the request is deemed to be complex, in which case extensions are allowed).
1 | DATA SECURITY
To support your obligation to restrict unauthorised access to personal data.
2 | TERMS & CONDITIONS
This guide is intended solely to educate you on the GDPR. The information provided, and any views expressed, are those of Black Lion Media only and should not be construed as, or used as a substitute for, legal advice.
Black Lion Media does not accept responsibility for any misinterpretation or misunderstanding of the content by the reader, and Black Lion Media makes no warranties, express, implied, or statutory, as to the information in this guide.
You are advised to seek the guidance of a legal consultant/advisor for your compliance project.