Understanding the EU's new General Data Protection Regulation (GDPR)
In 2016, the European Union (EU) approved its General Data Protection Regulation (GDPR) to protect European citizens’ data. As a regulation, the GDPR does not require member states to pass implementing legislation; it becomes directly applicable law as of the 25th of May, 2018.
What is GDPR exactly trying to accomplish? According to the official documents, the goal is the “protection of natural persons with regard to the processing of personal data and on the free movement of such data.”
In short, organisations that conduct business in the EU will need to be compliant with GDPR, and must come to terms with the huge fines that non-compliance can carry. Fines can be up to €20M or 4% of the annual turnover. For companies that experience breaches that result in the loss of personal data (such as Talk Talk, which lost 170,000 people’s data), the fines will be tremendous.
Parsing the definition: what is data?
So how do you define personal data? Under the new law, personal data is interpreted as any information relating to an identified or identifiable person. This means data that includes a person’s name, identification number, location data, online identifier, or any other information specific to a person’s physical, physiological, genetic, mental, economic, cultural, or social identity.
The new regulation also deals with how information is processed. In this context, ‘processed’ means any operation or set of operations which is performed on personal data or on sets of personal data. This can include data collection, storage, retrieval, consultation, use, disclosure by transmission, dissemination, or even erasure or destruction.
The GDPR’s definitions of personal data and of processing together cover essentially every use case that an organisation “processing personal data” would need to identify. For example, a website that collects a username and an email address would need to be compliant with GDPR, as would an ecommerce store that fulfils orders, tracks delivery status, and retains the financial information of its users.
The details around data collection
GDPR sets out specific principles that organisations that use personal data need to adhere to:
- Data must be processed lawfully, fairly and in a transparent manner
- Data must be collected for specified, explicit and legitimate purposes
- Data collection must be adequate, relevant and limited to what is necessary
- Data should be accurate and, where necessary, kept up to date
- Data should be retained only for as long as necessary
- Data must be processed in an appropriate manner to maintain security
While these principles might seem like common sense, some of them have profound implications for how organisations use data and what they can do with that information. Given the nature of EU legislation, it is not just large enterprises that need to worry about data protection and security. The new regulation will apply to everyone who collects email addresses or other information for their marketing, tracking and optimisation strategies, regardless of the size of their operations.
What this means for marketers
I’d like to pay special attention to principle 1: “Data must be processed lawfully, fairly, and in a transparent manner.” But what does that mean? The answers can be found in GDPR’s Article 6, “Lawfulness of processing”. Going through the list of compliance checks laid out in Article 6, one point stands out:
The data subject gives consent for one or more specific purposes.
This requirement alone means that each individual who hands over their data must give explicit consent for their data to be used. Article 7 goes on to define conditions of consent as:
- The organisation must be able to demonstrate that consent was given
- The request for consent must be clear, intelligible and easily accessible; otherwise the consent is not binding
- Consent can be withdrawn at any time, and withdrawing it must be as easy as giving it
Oftentimes, users are asked to tick checkboxes on web forms to show consent. Unfortunately, the wording on these checkboxes is sometimes unclear, or users are asked to opt out of services rather than opt in. Under the new regulation, the wording must be clear, and users must explicitly opt in to data processing rather than being required to opt out.
It’s also important to note that GDPR covers all EU citizen data, regardless of where a company may be located. Any company that uses EU citizens’ data must comply with this new regulation, even if they’re on a different continent. Because this sweeping regulation carries massive fines if violated, companies should start preparing to comply with the new laws. There are only 10 months until the regulation becomes official on the 25th of May, 2018.
Even if you’re unsure whether you need to comply with the law, you’re better off safe than sorry. It’s easier to make preparations just in case than to pay massive fines if you’re found to be in violation of the new regulation. To speak with a GDPR-certified expert, feel free to contact FFW with any questions you may have about securing and storing your users’ data.