Answers to Basic Questions
GDPR is a regulation by which the European Parliament, the Council of the European Union and the European Commission intend to strengthen and unify data protection for individuals in the EU. This legal framework replaces the current EU Data Protection Directive (95/46/EC) with additional requirements that you need to be aware of. The new EU data protection regime extends the scope of EU data protection law to all companies, including those based outside the EU, when they process the personal data of individuals in the EU. GDPR makes no distinction between B2B and B2C and applies to both. Even though PECR allowed a ‘soft opt-in’ approach to email marketing, the ePrivacy Directive is under review (a replacement ePrivacy Regulation has been proposed) and is expected to be aligned with the GDPR.
GDPR will officially apply from 25 May 2018, at which time companies or organisations that are not in compliance may be subject to fines. GDPR applies to persons and entities of all sizes that process the personal data of individuals in the EU, regardless of where they are based. It applies to both data controllers and data processors, including third parties such as cloud providers, and it applies across all 28 EU member states as well as to entities and organisations outside the EU that process the data of individuals within it.
Brexit does not exempt UK organisations: GDPR comes into effect before the UK officially leaves the European Union on 29 March 2019, and an equivalent set of data protection rules will need to be in place for the UK to continue trading with the EU. The maximum penalty for organisations in non-compliance with GDPR is up to €20 million or 4% of annual global turnover, whichever is greater. Fines are tiered: under the lower tier (up to €10 million or 2% of annual global turnover), a company can be fined for, e.g., not keeping its records of processing in order, not notifying the supervisory authority and the affected data subjects about a breach, or not conducting a required data protection impact assessment.
A comprehensive guide to the General Data Protection Regulation
The General Data Protection Regulation puts regulatory teeth into longstanding EU guidance on how personal data must be handled. This level of regulatory oversight of personal data is unprecedented and will require companies to ensure the highest levels of privacy protection or suffer serious financial consequences. The GDPR is the latest in a series of EU legislative measures designed to put the highest levels of protection around personal data. Recognising that data can travel well beyond the borders of the EU, the GDPR protects the personal data of individuals in the EU no matter where that data travels. The GDPR operates with an understanding that data collection and processing is the basic engine most businesses run on, but it unapologetically strives to protect that data at every step while giving the individual ultimate control over what happens to it.
Under the GDPR, companies must ensure that individuals have control over their data by putting safeguards in place to protect their rights. The GDPR applies to all companies that process the personal data of individuals in the EU, regardless of where the company is based. Those rights include the data subject’s right to obtain a copy of their data and information on how it is being used, and the right to be forgotten, also known as the right to erasure. The GDPR requires organisations whose core activities involve large-scale regular and systematic monitoring of individuals, or large-scale processing of special categories of data, to appoint a Data Protection Officer to oversee GDPR compliance. The EU-US Privacy Shield framework, developed by the US Department of Commerce together with the European Commission, was put in place specifically to meet the requirements for transatlantic transfers of personal data.
It is likely that companies will have to adapt standard marketing processes, such as data mining, location targeting and remarketing, and think of new ways to handle data. The GDPR assigns liability to both data processors and data controllers. Whether an organisation must appoint a Data Protection Officer depends on the nature and scale of its processing rather than simply on its size, so many smaller operations will not be required to hire one.
Consent under the GDPR
We’ve already tackled some myths around consent when it comes to the General Data Protection Regulation, and you’ll be pleased to hear we’ve now published our final detailed guidance on consent to help you on your GDPR journey. From marketing agencies, to clubs and associations, to local authorities, consent has been a hotly debated topic. Myth #9: ‘We have to get fresh consent from all our customers to comply with the GDPR.’ You do not need to automatically refresh all existing consents in preparation for the new law. The GDPR sets the bar high for consent, so it’s important to check your processes and records to be sure existing consents meet the GDPR standard.
If they do, there is no need to obtain fresh consent. Where you have an existing relationship with customers who have purchased goods or services from you, it may not be necessary to obtain fresh consent. It’s also important to remember that in some cases it may not be appropriate to seek fresh consent if you are unsure how you collected the contact information in the first place, and the consent would not have met the standard under our existing Data Protection Act. So think about whether you actually need to refresh consent before you send that email, and don’t forget to put in place mechanisms for people to withdraw their consent easily. If consent is the appropriate lawful basis, then that energy and effort must be spent establishing informed, active, unambiguous consent.
Organisations risk non-compliance if their emails are difficult to follow and key information is lost at the end of long text: people must clearly understand what they are consenting to. Some have said that they will lose customers by bringing their consents up to the GDPR standard. As the Commissioner said in her blog, ‘consent is not the silver bullet for GDPR compliance’: consent is one way to comply with the GDPR, but it’s not the only way.