Entrepreneurs and Freelancers – Are you ready for GDPR?
15 January 2018 - Helene Billaud

The General Data Protection Regulation (GDPR) from the European Union will affect everyone living in or doing business with people in the EU. It is more of a concern for much bigger organizations holding a lot of sensitive data. However, even if your business has fewer than 10 collaborators or you are independent, it will still apply to you.

Important notice: This text is not legal advice and should not be taken as such. It is based on an investigation of official documentation, conferences and online information. For any legal advice please contact recognized professionals.

If you are familiar with good practices in marketing and already apply them, the GDPR will be easy for you to implement. On the contrary, if you have a tendency to collect email addresses from people who never really agreed to receive your marketing information, then you will have to do a systematic clean-up and review your internal processes.

GDPR comes into force to strengthen individuals’ right to privacy and to force businesses to implement best practices in terms of digital marketing, online business and the use of their clients’ data.

The GDPR encompasses the rules about collecting, storing and using personal information about European residents. Businesses have until the end of May 2018 to implement the new rules and regulations.

NOTE TO FREELANCERS AND SMALL BUSINESSES: Don’t wait until the last minute to make changes. Correct implementation implies a lot of rethinking of internal processes. Even if you are a freelancer, it means checking that the mailing lists you have are legitimate and up to date, and defining a clear process for when people start asking you about the data you hold on them or that you handle for a client. The information below is laid out so you can get a clear overview both of what is expected of you as a business and of your rights as a consumer.

GDPR Vocabulary:

Legal lingo can sometimes be tough but in the case of GDPR, it is meant to ease everyone’s understanding of it. So let’s dig in:

Data subject – a person or individual

Personal data – any information a business has about a person

Sensitive personal data – information about a person such as political opinions, health, sex-life or biometric data

“Controller” – the business or freelancer that defines how to use a person’s information

“Processor” – a company that processes data on behalf of a business, for example an email marketing platform

Now that you understand the lingo, let’s review the key principles of the new EU privacy law framework.

GDPR Key Principles:

The EU defined 7 principles to frame the GDPR and guide how your business will need to comply, beginning no later than May 2018.

Fairness and Transparency: Your business must comply with the new laws

Purpose Limitation: You must explain to your clients what you will do with their data and not resell their information to 3rd parties without their consent

Data Minimization: You should not ask for more information from your clients than your business requires

Accuracy: You must offer the opportunity for your clients/contacts to update their information

Data Deletion: You must only keep their information for the time required to fulfill the product or service they have acquired from you, not more. Delete any contact information you have about people you do not do business with anymore

Security: It is your responsibility to inform yourself about how to keep your data secure and implement good practices within your company

Accountability: You should be able to demonstrate how you comply with the GDPR. Some key terms to become familiar with are “privacy by design”, “privacy by default” and “data protection impact assessment”. These are topics you should discuss extensively with your future data protection officer


GDPR Implementation checklist

The principles are implemented through a list of actions each company will have to comply with. So here is the checklist you have to consider to become compliant as a company or freelancer:

Basis of data processing – showing proof of consent: Can you prove where your data comes from? You must be able to demonstrate that each person gave you their explicit consent to process their information. Recommendation: Double opt-in subscription method and for your existing list, send an email to ask people to click if they want to continue receiving news from you
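What “proof of consent” looks like in practice, as an added example that is not part of the original article: a small double opt-in consent ledger. An address is only added to the list after the data subject clicks a signed confirmation link, and the ledger records when, how and from where consent was given, which is the evidence the accountability principle asks for. It also shows the erasure path described later in the article. The signing key, list name, email address and timestamps are all constructed for the demonstration.

```python
"""Double opt-in consent ledger (constructed example, not the article's own code).

Flow: signup form -> signed confirmation token emailed to the address ->
subscriber clicks -> token verified -> consent record stored with evidence.
Nothing is added to the mailing list before the click.
"""
import hashlib
import hmac
import secrets
from datetime import datetime, timedelta, timezone
from typing import Optional

# Constructed demo key; a real deployment loads this from a secret store.
SIGNING_KEY = b"constructed-demo-key-not-for-production"
TOKEN_TTL = timedelta(hours=48)  # how long a confirmation link stays valid


def _sign(payload: str) -> str:
    return hmac.new(SIGNING_KEY, payload.encode("utf-8"), hashlib.sha256).hexdigest()


def issue_confirmation_token(email: str, list_id: str, issued_at: datetime) -> str:
    """Token embedded in the confirmation link sent to the address."""
    nonce = secrets.token_hex(8)
    payload = f"{email}|{list_id}|{issued_at.isoformat()}|{nonce}"
    return f"{payload}|{_sign(payload)}"


def verify_confirmation_token(token: str, now: datetime) -> Optional[dict]:
    """Return the token's fields if the signature is valid and it has not expired."""
    try:
        email, list_id, issued_str, nonce, sig = token.rsplit("|", 4)
    except ValueError:
        return None  # malformed link
    payload = f"{email}|{list_id}|{issued_str}|{nonce}"
    if not hmac.compare_digest(_sign(payload), sig):
        return None  # tampered or forged link
    issued_at = datetime.fromisoformat(issued_str)
    if now - issued_at > TOKEN_TTL:
        return None  # stale link: the subscriber must sign up again
    return {"email": email, "list_id": list_id, "issued_at": issued_at}


class ConsentLedger:
    """In-memory consent store keyed by (email, list_id)."""

    def __init__(self) -> None:
        self._records: dict = {}

    def confirm(self, token: str, now: datetime, source: str) -> bool:
        """Called when the confirmation link is clicked; stores the proof of consent."""
        fields = verify_confirmation_token(token, now)
        if fields is None:
            return False
        key = (fields["email"], fields["list_id"])
        self._records[key] = {
            "email": fields["email"],
            "list_id": fields["list_id"],
            "method": "double opt-in",
            "requested_at": fields["issued_at"].isoformat(),
            "confirmed_at": now.isoformat(),
            "source": source,  # e.g. which form or event produced the signup
            # Keep a hash of the token as evidence rather than the replayable token.
            "evidence": hashlib.sha256(token.encode("utf-8")).hexdigest(),
        }
        return True

    def is_subscribed(self, email: str, list_id: str) -> bool:
        return (email, list_id) in self._records

    def proof_of_consent(self, email: str, list_id: str) -> Optional[dict]:
        """The record to show when asked where an address came from."""
        return self._records.get((email, list_id))

    def erase(self, email: str) -> int:
        """Right to erasure: drop every record for the address; returns the count removed."""
        keys = [k for k in self._records if k[0] == email]
        for k in keys:
            del self._records[k]
        return len(keys)


def run_scenario() -> dict:
    """Constructed end-to-end run: signup, tampered link, expired link, confirm, erase."""
    t0 = datetime(2018, 5, 25, 9, 0, tzinfo=timezone.utc)
    ledger = ConsentLedger()
    token = issue_confirmation_token("ana@example.com", "newsletter", t0)
    before_click = ledger.is_subscribed("ana@example.com", "newsletter")
    tampered = token[:-1] + ("0" if token[-1] != "0" else "1")
    tampered_ok = verify_confirmation_token(tampered, t0) is not None
    expired_ok = verify_confirmation_token(token, t0 + timedelta(hours=49)) is not None
    confirmed = ledger.confirm(token, t0 + timedelta(minutes=5), source="website signup form")
    proof = ledger.proof_of_consent("ana@example.com", "newsletter")
    erased = ledger.erase("ana@example.com")
    after_erase = ledger.is_subscribed("ana@example.com", "newsletter")
    return {"before_click": before_click, "tampered_ok": tampered_ok, "expired_ok": expired_ok,
            "confirmed": confirmed, "proof": proof, "erased": erased, "after_erase": after_erase}


if __name__ == "__main__":
    print(run_scenario()["proof"])
```

The consent record deliberately stores only what is needed to answer “where did you get my address and when did I agree?”, in line with the data minimization principle; the raw token is hashed so the stored proof cannot be reused to re-confirm the address.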

Use of processors: Data controllers must have written agreements with data processors that ensure processors act only in accordance with the controller’s instruction. This means that any company’s services you use to process your client’s data must be compliant whether it’s your CRM or accounting software

Profiling: The GDPR places certain restrictions on the automated processing of personal data to evaluate a data subject—or, “profiling.” More details on that from PWC Luxembourg

Data subject rights: Individuals can request that your business provides them with access to all personal data that you have about them, and they can request that the data be corrected, deleted, frozen, or made portable (for example, downloaded). More information further down

Breach notification: This is relevant mostly for companies that keep sensitive personal information. Individuals must be notified by the company as soon as possible and no later than 72 hours after becoming aware of a breach unless the breach is unlikely to result in any harm to the data subjects

Data protection officer: If your company is involved in regular and systematic monitoring of data subjects, then you must appoint a Data Protection Officer to ensure that your organization complies with privacy laws. If you don’t plan on hiring one full time, you should appoint someone on the basis of a service contract

Enforcement: Under the GDPR, authorities can fine companies up to €20 million or 4% of a company’s annual global revenue, based on the seriousness of the breach and damages incurred


Individual rights regarding their personal data under GDPR framework:

Finally, the GDPR also defines a set of individual rights so that individuals have ownership over their own personal data. The list of individual rights is as follows:

Data Access: Any individual has the right to ask a company what kind of information they have about them

Right to Object: Data subjects can refuse to have their data processed

Data Rectification: Data subjects have the right to ask the data controller to correct or complete the information they have

Restriction of Processing: Data subjects can request to limit the processing of their data

Data Portability: Data subjects have the right to request that their data from a company be transmitted to them

Right to Erasure (Right to be forgotten): Data subjects can request to be completely removed from a company’s database. This may be limited if certain information is required for a service contract to be completed for example.

Finding accurate, up-to-date and easily accessible information about GDPR is still quite difficult. More information is sure to be published once GDPR is underway and companies have more experience with real-life implementation.

We have tried to bring you the most relevant summary, drawing on different sources of information from the official text, conferences and online resources. For more detailed information, we recommend the Salesforce Trailhead module on European Privacy Law Basics if you want to test your understanding of the GDPR updates for 2018.


Author

Helene Billaud was inspired by Muhammad Yunus to travel the world to meet the people behind social impact companies. Since then she has lived in 8 countries, worked with +500 entrepreneurs and just moved to Sweden to keep on exploring.