The very basic aim of GDPR is to allow people to control the data that is being collected about them.
The change is coming at a good time – a whopping 67% of Europeans expressed concern about the control of their personal data.
If you’re not based in the EU, you’re probably thinking ‘This probably doesn’t even apply to me’. Well, it does.
Even if you’re not based in the EU, you still must be GDPR-compliant if you’re marketing or planning on marketing your services or goods in any of the 28 EU member states.
What’s more concerning is this data: Respondents who said previously that they provide personal information online were asked how much control they feel they have over the information they provide. Just 15% of people in this group feel they have complete control, while half (50%) say they have partial control, and nearly a third (31%) feel that they have no control at all over their personal information online, according to europa.eu.
That means that people generally don’t feel like they can fully control information businesses tend to have. It’s quite the opposite.
And that has to change.
We get it. New regulations aren’t always perceived as good, especially by global businesses. This time, Europe came up with a new set of rules called the GDPR (General Data Protection Regulation). It’s basically a replacement for the DPD (Data Protection Directive). The latter was drafted in 1995 (a really, really long time ago, taking into account the progress businesses made). The DPD had worked really well at the time it was originally established. But as the world changed, regulations must adapt too. Due to this, GDPR was passed as uniform law and will be the first regulation of its kind – it applies globally and universally.
What is personal data?
It’s one of the most important aspects of the transition from DPD to GDPR. Previously, personal data was interpreted as a person’s photo, email address, name, address, personal identification numbers (passport number, bank account number, etc.).
By GDPR definition, personal data means: ‘Any information relating to an identified or identifiable natural person (‘data subject’), such as a name, an identification number, location data, an online identifier or to one or more factors specific to the physical, physiological, genetic, mental, economic, cultural or social identity of that natural person;’. So, as you can see, the definition of personal data was broadened. It includes data such as Name, Photo, Email address, Personal identification numbers, IP address, Phone number, Physical address, Mobile Device Identifiers, Geo-Location, Economic Status, Religious beliefs, Sex Life, Genetic data and so on.
In short, it’s a positive change for the consumer, but at the same time, it complicates the marketing process. For example, the practice of marketing using the consumer’s purchase history, cookies, etc. is no longer legal unless the individual specifically opted in for it.
From now on, the use of personal data requires explicit consent. The consent must be informed, specific and unambiguous. Agreeing to Terms and Conditions no longer counts as consent, and neither does silence or inactivity. Also, different types of data require separate consent to avoid the individual agreeing to everything or nothing.
As mentioned in the previous article, these are the new rights given to the consumer:
The right of access by the data subject. The data subject (the EU resident) will now have the right to know what data is being processed about them and how exactly it’s done. (Article 15)
Right to rectification. The data subject will have the right to request that incorrect data about them is corrected. You may access your account details and correct them at any given time in the ‘Account’ section. (Article 16)
The right to erasure. The data subject can request that the data concerning him or her be erased without undue delay. (Article 17)
The right to the restriction of processing. The data subject shall have the right to obtain from the controller (the Sender.net user is the controller) restriction of processing. If you’re interested in the specifics, read the whole article. (Article 18)
The right to data portability. The data subject shall now have the right to receive the personal data concerning him in a structured, commonly used and machine-readable format in order to switch their data to a competitor. (Article 20)
The right to object. The user has the right to prohibit certain types of data usage. If you’re looking for more information, read the whole article. (Article 21)
Data processors and Data controllers
The data controller is the natural or legal person, public authority, agency or any other body which alone or jointly with others determines the purposes and means of the processing of personal data. Under the DPD, only the controllers were held accountable for the misuse of the data.
The term “processor” refers to any entity that processes personal data under the controller’s instructions (e.g., many service providers are processors). So, the Data processor means a natural or legal person, public authority, agency or any other body which processes personal data on behalf of the controller. Under the GDPR, Processors will also be liable for the security of personal data.
Source: White & Case
Data protection officer (DPO)
According to the Data Protection Commissioner:
The Data Protection Officer (DPO) role is an important GDPR innovation and a cornerstone of the GDPR’s accountability-based compliance framework. In addition to supporting an organization’s compliance with the GDPR, DPOs will have an essential role in acting as intermediaries between relevant stakeholders (e.g. supervisory authorities, data subjects, and business units within an organization).
The DPO will have professional standing, independence, expert knowledge of data protection and, to quote the GDPR, be ‘involved properly and in a timely manner’ in all issues relating to the protection of personal data.
A data protection officer will have to be appointed in most larger companies. A DPO may be a member of staff at the appropriate level with the appropriate training, an external DPO, or one shared by a group of organizations, which are all options provided for in the GDPR. It is important to note that DPOs are not personally responsible where an organization does not comply with the GDPR. Data protection compliance is ultimately the responsibility of the controller or the processor.
So, who needs a DPO?
1. All public authorities and bodies, including government departments.
2. Where the core activities of the organization (controller or processor) consist of data processing operations, which require regular and systematic monitoring of individuals on a large scale.
3. Where the core activities of the organization consist of special categories of data (i.e. health data) or personal data relating to criminal convictions or offenses.
One of the main points of the GDPR is to make ‘Privacy by design’ automatically included even when generating new development plans, product ideas, etc. in business. Basically, this means that GDPR standards must be met by default, even when merely planning a release of a new product or a new feature. For example, Privacy by design in GDPR standards requires that any data that is no longer required be discarded by the data controller.
In the DPD times, each EU country could adopt different data breach notification laws. That was a headache for any bigger companies or corporations because it meant that they had to fully comply with a bunch of different legal requirements, which, of course, differed in nearly all member states.
Now, there is only one requirement to follow:
“In the case of a personal data breach, the controller shall without undue delay and, where feasible, not later than 72 hours after having become aware of it, notify the personal data breach to the supervisory authority competent in accordance with Article 55, unless the personal data breach is unlikely to result in a risk to the rights and freedoms of natural persons. Where the notification to the supervisory authority is not made within 72 hours, it shall be accompanied by reasons for the delay.” – Article 33
Unlike under the DPD, the penalties for companies that don’t comply with the GDPR can range from 2-4% of global turnover or 20 million euros (whichever is higher). The penalties could be imposed for any intentional or simply negligent violation of the GDPR. Less serious violations: up to 10 million euros or 2% of total annual global turnover. For the severe ones, it may reach up to 4% of the global turnover.
It’s a fact that the GDPR will affect a lot of, if not most, people in the world in some way. It’s important to remember that the definition of personal data was expanded, which means that a lot more data is now considered personal, thus increasing the need for security and privacy. For businesses that are just getting started, keep in mind the ‘Privacy by design’ concept and you won’t have any difficulties with the GDPR. Why? Because the GDPR will probably apply to you, if not now, then in the future.
Onward & Upward,
NOTE: The article wasn’t written by a legal expert. The article is not meant to be taken as legal advice; it is merely an overview. If you have any legal questions regarding the GDPR, please seek professional legal counsel.