On May 25, 2018, the General Data Protection Regulation (GDPR) becomes law in all EU member states. You may think it doesn’t affect you, but indeed it may if you are an international organization or have contacts in your database based in the EU. It relates to the privacy and security with which you manage the records in your control.
The party line is that you will need to comply with these regulations that are a part of this law beginning May 25 or face the possibility of penalties. The reality is it may not be as dire as that, but you do need to learn about GDPR and how it affects your organization.
enSYNC will be hosting a webinar on March 15 to discuss the implications of GDPR, but in the meantime, you should get prepared by learning all you can about the law and taking some proactive steps.
While in practical terms, GDPR applies only to contacts you may have in EU countries, it is an opportunity for you to tune up your privacy policies for all database records – and that’s not a bad thing. With data breaches prevalent and attracting attention, with the public concerned about their privacy and the security of their personal information, it is worthwhile for you to adopt some strict privacy policies. GDPR helps move you in that direction.
First a few definitions of the entities covered by GDPR:
Data Subject – This is the owner of the data, the member whose personal data you are keeping.
Data Controller – This would be your organization. A data controller is defined as “the natural or legal person, public authority, agency or other body which, alone or jointly with others, determines the purposes and means of the processing of personal data.” Data controllers have the obligation to oversee the rights of the data subjects and also to report data breaches.
Data Processor – This may be your organization as well, but it may also be someone you outsource to. As stated in the law, it is a “natural or legal person, public authority, agency or other body which processes personal data on behalf of the controller.” In other words, while the controller is the entity that makes decisions about processing activities, the processor is any entity contracted by the controller to work with the data. This may extend to any cloud service providers who are storing the data on your members.
In a nutshell, GDPR is all about protecting and securing the rights and privacy of data subjects. To preserve privacy, you must:
These are the rights conferred upon the data subjects (again, these would be your members).
Right to be informed
If anyone requests it, you must be clear on how you process data, who processes it, and where it could end up. We suggest you prepare a succinct statement so that you might be able to share this information with anyone who asks and also to update and post a privacy policy on your site.
Right of access
Individuals who want to review their full record may fully scrutinize the data you store on them.
Right to rectification
Furthermore, they have the right to correct any incorrect information stored about them.
Right to erasure
There are several reasons why members can request erasure of their personal data: it’s no longer necessary for you to hold it, they withdraw their consent for you to process their data, the data relates to a child, or you have unlawfully processed it.
Right to restrict processing
The grounds for requesting restricted processing are similar to the grounds for erasure listed above.
Right to data portability
Individuals can request and reuse data held by you and you must provide it to them in a commonly used format that they can access.
Right to object
If you use data for direct marketing, individuals have the right to object to this usage.
Right not to be subject to automated decision-making
Data subjects have the right to object to the use of their data for automated decision-making. They can object to variables such as purchasing habits, location, or basic demographics being used in this way.
Pseudonymization is the separation of data from direct identifiers so that linkage to an identity is not possible without additional information that is held separately. It is a privacy-enhancing technique where directly identifying data is held separately and securely from processed data.
Pseudonymization is different from encryption, and encryption must also be used to keep data secure.
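As an added illustration of the separation described above (example code written for this post, not part of the original), the following splits constructed membership records into a processing dataset keyed by a pseudonym and a separately held lookup table; the key, the field names and the member records are all assumptions for the demo.

```python
import hashlib
import hmac

# Constructed sample membership records (fictional people, not data from the post).
MEMBERS = [
    {"member_id": "M-1001", "name": "Ada Example", "email": "ada@example.org",
     "country": "DE", "renewals": 3},
    {"member_id": "M-1002", "name": "Bo Sample", "email": "bo@example.net",
     "country": "FR", "renewals": 1},
]
# Fields that identify a data subject directly; everything else stays for processing.
DIRECT_IDENTIFIERS = ("member_id", "name", "email")


def pseudonymize(records, key):
    """Split records into a processing dataset (identifiers replaced by a keyed
    pseudonym) and a lookup table mapping pseudonyms back to identities.
    The key and the lookup table are the "additional information" that must be
    stored apart from the processed data (and encrypted at rest)."""
    processed, lookup = [], {}
    for rec in records:
        # HMAC rather than a bare hash: without the key, nobody can recompute
        # the pseudonym from a guessed member id.
        token = hmac.new(key, rec["member_id"].encode(), hashlib.sha256).hexdigest()[:16]
        lookup[token] = {field: rec[field] for field in DIRECT_IDENTIFIERS}
        processed.append({"pseudonym": token,
                          **{k: v for k, v in rec.items() if k not in DIRECT_IDENTIFIERS}})
    return processed, lookup


def reidentify(processed_record, lookup):
    """Re-link one processed record to its data subject; only possible for whoever
    holds the separately stored lookup table (e.g. to answer an access request)."""
    identity = lookup[processed_record["pseudonym"]]
    return {**identity, **{k: v for k, v in processed_record.items() if k != "pseudonym"}}


def leaks_direct_identifiers(processed):
    """Check that no direct identifier field survived in the processing dataset."""
    return any(field in rec for rec in processed for field in DIRECT_IDENTIFIERS)


if __name__ == "__main__":
    key = b"demo-key-keep-this-apart-from-the-dataset"  # constructed demo key
    processed, lookup = pseudonymize(MEMBERS, key)
    print(processed)  # only country/renewals, keyed by pseudonym
    print(reidentify(processed[0], lookup)["name"])  # Ada Example
```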
This might be an individual on staff, or in the case of a smaller group, you might outsource this to a firm who could perform such duties as keeping current and advising on data protection standards, monitoring compliance with GDPR, and serving as the contact point for issues relating to the processing of personal data.
Under the GDPR, consent must be “freely given, specific, informed and unambiguous.” This consent may include ticking a box on a website or another statement or conduct that clearly indicates assent to the processing. “Silence, pre-ticked boxes or inactivity,” however, is not sufficient to confer consent.
While marketing automation is not named as a strictly prohibited practice, GDPR does make several references to taking action in automated ways. Under Article 4(4), data processing may be characterized as “profiling” when it involves “(a) automated processing of personal data; and (b) using that personal data to evaluate certain personal aspects relating to a natural person.” Read these provisions carefully so that you avoid profile-based automated decisions.
And you must be able to comply by transferring that data in a commonly used format if requested.
There are many facets to this new regulation. We encourage you to read the law and make your own interpretations so that you can take the appropriate steps to protect your organization.