What Does GDPR Actually Mean... Without Legal Speak!

On May 25, new legislation called GDPR came into effect in Europe. GDPR stands for General Data Protection Regulation, and it provides enhanced data protection rights to EU citizens.

Do I need to comply with the new legislation?

If your business has an entity or is based in the EU, and/or if your business is based outside of the EU but collects and processes personal data of EU citizens, then GDPR applies and you will have to comply with the updated policies.

Outside of this definition, compliance is not mandatory, but it’s a good time to take a look at your business’s data processing terms and privacy policies to support the protection and security of information belonging to individuals.

It could also be a good time to make any necessary upgrades to workplace training, conduct and policies to ensure your business is in line with what the GDPR really represents: the right for all of us to protect and control our personal information.

What happens if I don’t comply?

Non-compliance can lead to hefty fines. Lower-level infringements can result in fines of up to €10 million, or 2% of annual global turnover (whichever is higher), and higher-level infringements in fines of up to €20 million, or 4% of annual global turnover (whichever is higher). To put the fines into context, companies such as Google or Facebook could face fines of up to a few billion dollars for non-compliance.

Besides fines, regulatory authorities can impose data processing bans, order data erasure or suspend data transfers to other countries.

What makes GDPR different to other data protection laws?

Data protection is not new, and pretty much every country has data protection legislation. However, under GDPR, the definition of “personal information” is expanded from general data such as name and email to include things like genetic data, IP address, photos or videos and device IDs.

The inclusion of “data processors” in the GDPR is also new. Traditional privacy laws focus on controllers, or entities that collect data. Under this new legislation, those who look at the data and process it are also included and subject to its provisions. For example, Sparkline would be considered a data processor, an entity that doesn’t collect data but analyses it to extract insights.

Am I a data controller or processor?

Sometimes a business can be both a data controller and processor, for instance, an airline. They collect data on your flight bookings and/or loyalty membership, as well as process the data to offer you more relevant offers and better experiences.

Any individual or business entity (this could be a corporation, partnership or limited liability company) can be a data controller. If you use information such as email addresses to send newsletters to your subscribers/customers, then you are a data controller. If you use cookies to re-market to your website visitors or customers, then you are a data controller. If you use your website users’ behavioural data or browsing history to provide a personalised user experience, then you are a data controller.

Who is protected by this new legislation?

People covered by the new protections are referred to as “data subjects”. Data subjects are considered EU citizens residing in the EU, as well as those who may be travelling or temporarily residing in the EU. So basically, if data is processed within the EU borders, those people are covered as data subjects.

Once you leave the EU borders though, whether you are an EU citizen or not, you are no longer covered as a data subject, and local data processing and privacy protections would apply as they always have.

What protection does the new legislation offer people?

GDPR offers data subjects a list of rights to which they are entitled, regarding the storing and processing of their data.

#1 The right to be notified of a data breach

Under GDPR, whenever there is a personal data breach, the data processors must notify the data controllers. The data controllers must notify supervisory authorities and data subjects as soon as possible. This must be done within 72 hours of first having become aware of the breach.

#2 The right to access their data

GDPR requires more transparency between businesses and individuals at the time of consent regarding data collection and use.

All data subjects have the right to know:

  • If their personal data is being used
  • How they can access it
  • How they can change or delete it
  • Why it’s being used and who it’s shared with
  • How long it will be stored

#3 The right to be forgotten

If a data subject asks you to erase their personal data, you must comply as soon as possible (provided you have no legal grounds to keep processing it). You should delete a data subject’s information in the following cases: you no longer need it, the data was used unlawfully, or the data subject exercises their right to object.

#4 The right to object

A data subject has the right to object at any time to their personal data being used for direct marketing or any other legitimate purpose. For example, if a data subject asks you to stop retargeting them, then you must do so.

#5 The right to rectification

A data subject has the right to ask you to update their personal data if it’s incorrect or incomplete.

#6 Privacy by design

Privacy by design is an approach to designing projects, processes, products or systems that promotes privacy and data protection compliance from the start. This concept expects data controllers to hold and process only the data absolutely necessary for the completion of their duties (called “data minimisation”), as well as to limit access to personal data to those who need to process it.

How will these rights be enforced?

Large organisations are required to appoint DPOs (data protection officers), and in many cases more than one. Their job as GDPR experts is to enforce compliance within a company, and they are in charge of all data processing within the organisation. In each EU state there will be a Supervisory Authority, which will have the power to conduct audits, order compliance with GDPR and issue fines and warnings.

Disclaimer: Sparkline are data people, not legal people. We recommend that you seek proper legal advice for any business decisions, just as we did!

Putting GDPR Into Practice

It’s easy to see why the new GDPR legislation has thrown businesses around the world into a spin. Ascertaining whether or not your business needs to make changes in order to be GDPR compliant and then managing these changes can be a daunting prospect.

With big companies heavily promoting their data privacy and protection updates, and investing in and boasting about widely recognised certifications such as SOC 2, ISO 27001 and the EU-U.S. Privacy Shield, knowing what your business needs to do can be overwhelming.

It’s good to keep in mind that these large businesses have had law firms and legal teams preparing their compliance for the past 18 months in the run-up to the legislation.

What can I do to ensure my business is GDPR compliant?

GDPR compliance can be difficult to implement, enforce and train teams on in a large-scale organisation with a lot of data and plenty of room for error.

The first step is knowing whether your business is physically based in the EU or has an entity there. Finding out whether or not your business collects and processes data from EU citizens is trickier.

Ask yourself these questions to judge the risk of breach and assess the levels of compliance necessary for your business:

Do you sell products or services targeting EU citizens?

Do you have data showing people in the EU bought your products?

Do you track digital properties such as a website or app with marketing tech tools, and is there a possibility or reality of an EU citizen landing on one of these properties?

Do you target EU citizens through marketing?

Have you in the past collected, or are you actively collecting, data on EU citizens through surveys, or has an EU citizen emailed you or your business with questions on products and services?

If you think any of the above is likely, then you need to assess your risk and decide what actions are necessary. Do you need to review your own data processing policies? Do you need a lawyer to review your privacy policies? All of these questions come back to your view of how relevant these changes are to your business and the risk that inaction poses as GDPR comes into full effect.


GDPR – Advice

Has your inbox been flooded with updated privacy policies and data processing terms in the past few months? The reason is new legislation in Europe, called GDPR, which makes it harder for businesses to keep personal data and governs how businesses can collect and use information.

GDPR stands for General Data Protection Regulation, and from May 25 it provides enhanced data protection rights to EU citizens. In the future, the legislation is predicted to move beyond Europe, particularly in light of recent cases where established analytics companies have been accused of obtaining and using people’s data without their consent.

As people become more wary of how their data is being stored and used, we expect that more stringent laws such as GDPR will come into play elsewhere in the world.

If you are a business and have a website, mailing list, shop or any kind of facility for collecting and/or processing data (which is virtually every business), you should be aware of GDPR and what you should do to be compliant.

  • Consult a lawyer or legal firm’s advice if you are in the data collection or processing business.
  • Apply logic to the new policies. With every decision, think about the risk to you/your business and whether you need full overhauls of privacy policies or just tweaks. Most countries already have data protection laws, so if your business complies with existing laws, the GDPR update is simply a further tightening of what’s already in place.
  • Don’t panic. These new laws are good for all of us! The new legislation gives the power of information back to the people that should have it: you!
  • Making large organisations compliant presents the biggest challenge, where there is a lot of information stored in numerous places and managed by many groups. If this is you, consider how your business can maintain stringent data policies. What tweaks need to be made to your existing technology? What training will your teams need, and what permissions will need altering for consumers? You’ll also need to look into what governance tools you can use to catch instances of PII (personally identifiable information) leakage, as well as to maintain data quality and accuracy.
  • Take a look at Sparkline’s Web and Mobile analytics auditor to help enhance the quality of your data and limit PII leakage in scalable ways.
