GDPR – What you need to know

If you haven’t heard about GDPR yet then I hope that your 6 month sabbatical was a fantastic experience, but let me fill you in on what you missed while you were away!

GDPR stands for the General Data Protection Regulation and is a 200 page regulation that has been four years in the making. This piece of legislation has been in a two year transition period; it is due to be enforced from May 25th 2018 and will update the rules governing the way we can use and store personally identifiable information.

If you do a quick search on the web you can find a lot of information relating to GDPR, but we thought it might be useful to provide a quick summary now that we are only 6 months out from full enforcement.

So what exactly is it? Unless data protection and governance are a major part of your role, you probably don’t need to read the whole 200 page journal entry, but if you do, here is where you can find the underpinning legislation and the directive.

One of the best resources that we have found is a guide released by the legal firm Bird and Bird. Their guide does a really good job of explaining some of the jargon and will help you understand the level of impact that the changes may have on your business.

To make it even simpler, we have listed out some of the most prominent changes so you can at least get an idea of what it may mean to you and whether it warrants taking more time to understand how best to prepare.

The first thing to be really clear on is that, whilst this is a European regulation, it not only affects businesses based within the EU but also any business without an EU presence that targets EU individuals. The fines imposed will also reflect the global business and not just the European part of an organisation.

Another key point to understand is the reference to data controllers and data processors. A controller determines the purposes, conditions and means of the processing of personal data, while the processor processes personal data on behalf of the controller.

Now on to the actual rules, the main changes of note are:

  • Consent:
    • This is subject to additional conditions under the GDPR; there is a prohibition on bundled consents, which must be separable and easily revoked.
  • Stronger rules around the right to be forgotten (erasure) and to restriction of processing
    • Individuals can request to withdraw consent, and data controllers must also contact third parties if they have made the data public – this could have a particular impact if you are using a DMP with a third party data marketplace
  • Special categories of Personal Data will require additional consent
    • For genetic data and biometric data, a higher quality of consent is required
  • Fair and transparent processing of data
    • Controllers must provide clear and concise notices; this applies to data collection partners too
  • Subject access, rectification and portability
    • Data controllers must confirm whether they process an individual’s data and provide a copy of the data and supporting/explanatory materials; this basically means that you need to be able to export all the data that you hold on an individual at their request.
  • New restrictions on profiling and automated decision taking
  • Data Governance obligations
    • Data Protection Officers (DPO) will be recommended (required for some organisations) for privacy impact assessments, audits and policy reviews
  • Personal Data breaches and notifications
    • Data controllers and processors must report breaches and maintain a register; non-compliance is a €10M fine or 2% of worldwide annual turnover
  • New codes of conduct and certifications are to be introduced
  • Regulations on transfers of personal data
    • Significant for global organisations that process EU data outside of the EU; this supersedes ‘safe harbor certifications’ and there will be fines of up to 4% of annual turnover for a breach

Breaches, and the notifications they trigger, in most cases refer to loss of data, a breach of security or unauthorised disclosure of personal data.

As you can see, there is a lot to consider, but I do believe there is opportunity within this additional regulation. Marketers will be able to fast-track personalisation projects or justify marketing strategies on the back of the need for greater governance and compliance. We all know that good data is the secret to excellent customer experience, and GDPR will effectively force us to have clean data and get closer to a single view of the customer.

Here are some other useful resources:

Guide to preparing for GDPR – https://tealium.com/the-general-data-protection-regulation-gdpr/

GDPR training – https://www.jellyfish.co.uk/training/blog/what-is-gdpr-9-faqs

Identifying the impact of GDPR – https://www.dataiq.co.uk/land/gdpr-and-data-preparation-ready-do-business

What you need to know about GDPR – http://www.wired.co.uk/article/what-is-gdpr-uk-eu-legislation-compliance-summary-fines-2018

Additional guides and resources – https://www.eugdpr.org/eugdpr.org.html