GDPR. What’s that?
Design & Development | Strategy
The EU’s General Data Protection Regulation (GDPR) goes into effect on May 25th, 2018. Just in case you’re not a big reader (I’m not either), we decided to create this “CliffsNotes” version to help get you prepared for the upcoming regulation. For those of you still wanting to read the full text of the GDPR, it’s only fair to warn you that it contains a great deal of legal jargon and confusing lingo. So to help you through it, we’ve included a quick glossary at the end of this post to help you understand the terms and concepts within.
GDPR – “CliffsNotes” Version
The GDPR is a legal framework that sets rules for the collection and processing of personal information of individuals within the European Union (EU). It standardizes data protection law across all 28 EU member states, applies to organizations outside the EU that process the personal data of people in the EU, and imposes strict new rules on controlling and processing personal data. According to the European Commission, “personal data is any information relating to an individual, whether it relates to his or her private, professional or public life. It can be anything from a name, a home address, a photo, an email address, bank details, posts on social networking websites, medical information, or a computer’s IP address.” The GDPR is made up of a number of key principles, a few of which are outlined below:
Lawful basis for processing
Data may not be processed unless there is at least one lawful basis to do so:
- The data subject has given consent to the processing of personal data for one or more specific purposes.
- Processing is necessary for the performance of a contract to which the data subject is party or to take steps at the request of the data subject prior to entering into a contract.
- Processing is necessary for compliance with a legal obligation to which the controller is subject.
- Processing is necessary to protect the vital interests of the data subject or of another natural person.
- Processing is necessary for the performance of a task carried out in the public interest or in the exercise of official authority vested in the controller.
- Processing is necessary for the purposes of the legitimate interests pursued by the controller or by a third party, unless such interests are overridden by the interests or fundamental rights and freedoms of the data subject which require protection of personal data, in particular where the data subject is a child.
“Consent must be clear and distinguishable from other matters and provided in an intelligible and easily accessible form, using clear and plain language.” This means that your customers cannot be forced into consent, bundled into it through pre-ticked boxes or silence, or left unaware that they are agreeing to the processing of their personal data. They must also be told in advance of their right to withdraw consent (which must be as easy as giving it) and must know exactly what they are consenting to when giving it.
Right of Access, Data Portability, and Right of Erasure
After collection, keep a record and be able to prove that consent was given and what it was given for. You need to know (and have a written record of) what data is being collected, why, how it’s used, where it’s stored, who has access to it, and for how long it’s needed. Do not use that data for any purpose other than the one stated at the point of collection. Data subjects also gain a set of rights that you must be able to honour, normally within one month of the request (extendable by two further months for complex or numerous requests, provided you tell the data subject within the first month):
- Right of access – provide a procedure for the data subject to confirm whether you process their data and to obtain a copy of it, along with the purposes, recipients, retention period and source; the related right to rectification means they can also have inaccurate data corrected or completed
- Data portability – be able to provide the data subject a copy of the data they supplied to you in a structured, commonly used, machine-readable format (for example CSV or JSON), and, where technically feasible, transmit it directly to another controller
- Right to be forgotten (erasure) – be prepared to handle requests from data subjects to delete their personal data, including copies held by your processors and backups, and have a process in place to do so within the one-month period
Reporting Data Breaches
The GDPR also contains a new requirement that the data controller is under a legal obligation to notify the supervisory authority (in Ireland, the DPC) of a personal data breach without undue delay and, where feasible, within 72 hours of becoming aware of it, unless the breach is unlikely to result in a risk to the rights and freedoms of individuals. If notification is later than 72 hours it must be accompanied by reasons for the delay. In addition, if the breach is likely to result in a high risk to the affected individuals, they must also be informed without undue delay. Notifying the individuals is not required where the affected data was rendered unintelligible to unauthorized parties, for example through encryption whose key was not compromised; note that this exemption applies to notifying individuals, not to notifying the supervisory authority. Processors must report any breach to their controller without undue delay so the controller can meet these deadlines, and every breach must be documented internally whether or not it is reportable.
Privacy by Design and DPIA
Companies developing new systems will be required to design data protection into the development of business processes for products and services. The most privacy-protective settings must be the default (for example, collecting only the data needed for the stated purpose and not sharing it more widely than necessary), and measures should be taken by the controller to make sure that the processing of data complies with the regulation throughout the lifecycle of the product or service. Where a type of processing is likely to result in a high risk to individuals (large-scale profiling, systematic monitoring, or processing of sensitive categories such as health data), the controller must carry out a DPIA before starting, and consult the supervisory authority if the residual risk remains high.
Quick GDPR Glossary
Data Subject: An identified or identifiable natural person in the EU whose personal data is being processed.
Personal Data: Any information related to an identified/identifiable data subject (name, national ID number, address, IP Address, etc.)
Controller: A company or organization that collects people’s personal data and decides why and how it is processed. Example – the company you, as a marketer, work for
Processor: A company or organization that processes personal data on behalf of a controller and on its instructions, but doesn’t decide the purposes of the processing. Example – Google, via Google Analytics, when it processes your visitors’ data on your behalf
Data Processing: Any operation or set of operations which is performed on personal data or on sets of personal data, by automated means or otherwise, such as collection, recording, organisation, structuring, storage, adaptation or alteration, retrieval, consultation, use, disclosure by transmission, dissemination or otherwise making available, alignment or combination, restriction, erasure or destruction.
Data Protection Officer (DPO): A designated expert in data protection law and practice who monitors a controller’s or processor’s GDPR compliance and acts as the contact point for data subjects and the supervisory authority; mandatory for public authorities and for organizations whose core activities involve large-scale monitoring or processing of sensitive data.
Data Protection Impact Assessment (DPIA): A documented assessment of the necessity and proportionality of a certain type of processing, the risks it poses to data subjects, and the measures taken to mitigate those risks.
Supervisory Authority: Formerly called “data protection authorities”; one or more governmental agencies in a member state who oversee that country’s data privacy enforcement (e.g., Ireland’s Office of the Data Protection Commissioner, Germany’s 18 national/regional authorities).