With just over a week to go before the GDPR legislation kicks into effect, I’m giving you a brief overview of what GDPR is, what it means for you no matter where you are based on this planet, and why you need to take action now if you haven’t already done so.
What is the GDPR?
GDPR – the General Data Protection Regulation – is a piece of European legislation intended to protect the personal data of EU citizens. This means, in layman’s terms, that companies cannot sell or trade in personal information about their customers, and companies must provide an easy way for customers to edit their data or remove consent to use that data.
A more official definition:
The General Data Protection Regulation (GDPR) (EU) 2016/679 is a regulation in EU law on data protection and privacy for all individuals within the European Union. It also addresses the export of personal data outside the EU. The GDPR aims primarily to give control to citizens and residents over their personal data and to simplify the regulatory environment for international business by unifying the regulation within the EU.
It was adopted on 14 April 2016, and after a two-year transition period, becomes enforceable on 25 May 2018. The GDPR replaces the 1995 Data Protection Directive. Because the GDPR is a regulation, not a directive, it does not require national governments to pass any enabling legislation and is directly binding and applicable.
The recent Facebook brouhaha shows how damaging it can be when corporations believe they have the right to sell personal data.
From the 25th of May 2018 this will no longer be an option for the personal data of EU individuals.
If you sell to EU citizens, or hold their details on your mailing list, you are impacted by this new legislation.
Considering the fines can be in excess of 20,000,000 Euros (yup, that’s 20 million euros), it’s well worth paying close attention and making changes to your processes FAST.
The good news is that if you have been following ‘white hat’, non-sleazy guidelines for your mailing list then the changes needed will be minimal; I have a second post detailing the steps to take for compliance.
The great news is that the majority of third-party data processors, such as Mailchimp, Constant Contact and others, have all of this in hand, providing guidelines to implement the changes needed to comply with GDPR within their existing systems.
There is still time to complete everything you need to do, and to help you out I’ve created a series of articles including:
- GDPR Checklist
- Swipe file for emails requesting opt in consent
Once again I stress I am not a lawyer or legal GDPR expert, nor is any of the information in this series to be considered legal advice.
What does this mean for you as an individual?
As an individual, if you live in the EU you are now protected and can:
– request all data held on you to be provided to you by a company
– amend your preferences at any time
– remove your consent at any time, without needing to refer back to the company to do so (a simple opt-out option in ALL communication)
My company is based outside the EU, so why do I need to understand this legislation?
As a company based in the EU, or with EU-based customers, you must:
– provide transparency on what information is held on your customers
– provide responses to requests for information in a timely manner
– amend personal information when requested to do so by private individuals
– hold consent information for ALL personal information held by your company
– provide information on what you intend to do with the personal information held by your business (why are you keeping the info and what you will do with it)
– provide information on any third party which may be processing the information on your behalf
As a company based in the EU, or with EU-based customers, you must not:
– force people to join a mailing list to get access to a ‘freebie’; all signups must be optional
– use a single opt-in when people join a mailing list; a double opt-in to show consent is now required
– add people to your mailing list from a bought email list
– add people to your mailing list without their knowledge
These high-level overviews are all fine and dandy, but let’s get into the nitty-gritty of the key points…
Lawful basis for processing
Data may not be processed unless there is at least one lawful basis to do so:
- The data subject has given consent to the processing of personal data for one or more specific purposes.
- Processing is necessary for the performance of a contract to which the data subject is party or to take steps at the request of the data subject prior to entering into a contract.
- Processing is necessary for compliance with a legal obligation to which the controller is subject.
- Processing is necessary to protect the vital interests of the data subject or of another natural person.
- Processing is necessary for the performance of a task carried out in the public interest or in the exercise of official authority vested in the controller.
- Processing is necessary for the purposes of the legitimate interests pursued by the controller or by a third party unless such interests are overridden by the interests or fundamental rights and freedoms of the data subject, which require protection of personal data, in particular if the data subject is a child.
If consent is used as the lawful basis for processing, consent must be explicit for data collected and the purposes data is used for. Consent for children must be given by the child’s parent or custodian, and verifiable. Data controllers must be able to prove “consent” (opt-in) and consent may be withdrawn.
The area of GDPR consent has a number of implications for businesses that record calls as a matter of practice. The typical “calls are recorded for training and security purposes” warning will no longer be sufficient to gain assumed consent to record calls. Additionally, once recording has commenced, should the caller withdraw their consent then the agent receiving the call must be able to stop a previously started recording and ensure the recording does not get stored.
Right of access
The right of access is a data subject right. It gives citizens the right to access their personal data and information about how this personal data is being processed. A data controller must provide, upon request, an overview of the categories of data that are being processed as well as a copy of the actual data. Furthermore, the data controller has to inform the data subject on details about the processing, such as the purposes of the processing, with whom the data is shared, and how it acquired the data.
Right to erasure
A right to be forgotten was replaced by a more limited right of erasure in the version of the GDPR that was adopted by the European Parliament in March 2014. Article 17 provides that the data subject has the right to request erasure of personal data related to them on any one of a number of grounds, including noncompliance with Article 6(1) (lawfulness), which covers the case where the legitimate interests of the controller are overridden by the interests or fundamental rights and freedoms of the data subject, which require protection of personal data.
Right to data portability
A person is to be able to transfer personal data from one electronic processing system into another, without being prevented from doing so by the data controller. Data that has been sufficiently anonymised is excluded, but data that has only been de-identified but remains possible to link to the individual in question, such as by providing the relevant identifier, is not excluded. Both data ‘provided’ by the data subject and data ‘observed’, such as about behaviour, are included. In addition, the data must be provided by the controller in a structured and commonly used standard electronic format. The right to data portability is provided by Article 20 of the GDPR. Legal experts see in the final version of this measure a “new right” created that “reaches beyond the scope of data portability between two controllers”.
The following sanctions can be imposed for breaches of the legislation:
- a warning in writing in cases of first and non-intentional noncompliance
- regular periodic data protection audits
- a fine up to €10 million or up to 2% of the annual worldwide turnover of the preceding financial year in case of an enterprise, whichever is greater, if there has been an infringement of the following provisions:
  - the obligations of the controller and the processor
  - the obligations of the certification body
  - the obligations of the monitoring body
- a fine up to €20 million or up to 4% of the annual worldwide turnover of the preceding financial year in case of an enterprise, whichever is greater, if there has been an infringement of the following provisions:
  - the basic principles for processing, including conditions for consent
  - the data subjects’ rights
  - the transfers of personal data to a recipient in a third country or an international organisation
  - any obligations pursuant to member state law adopted under Chapter IX
  - noncompliance with an order or a temporary or definitive limitation on processing or the suspension of data flows by the supervisory authority, or failure to provide access