The General Data Protection Regulation (GDPR) determines how your organisation does business, and particularly how it manages, protects and administers data.
What is it?
The General Data Protection Regulation (GDPR) is an EU regulation, applying from 25 May 2018, that governs the data protection rights of individuals within the European Union. It strengthens and unifies data protection rules and practice across the EU, replacing the patchwork of national rules that preceded it.
What changed?
GDPR puts the power back into the individual's hands. They gain enforceable rights to access, rectify, erase and restrict the personal data organisations hold about them, and to object to its use.
If an organisation suffers a personal data breach, it must notify the supervisory authority (the ICO in the UK) within 72 hours of becoming aware of it, unless the breach is unlikely to result in a risk to individuals. Where the breach is likely to result in a high risk to individuals, those individuals must also be told without undue delay.
Individuals also have the "Right to Data Portability": the right to receive the personal data they have provided in a structured, commonly used, machine-readable format and to move it to another provider without obstruction.
Consent
The greatest change within GDPR is the standard for consent. Consent must be knowingly and freely given by the individual through a clear affirmative action, with the organisation making its intended uses of the data clear up front. Soft opt-ins, implied consent and data policies buried in confusing terms and conditions do not meet the GDPR standard for consent.
Organisations must keep a record of why, when and how consent was given, and of what the individual was told at the time, so that they can demonstrate it if challenged. Where consent was given orally, a copy of the script used is sufficient; a recording of the call is not essential.
Right to Erasure
Individuals can withdraw consent at any time and have the "Right to Erasure" (often called the right to be forgotten): where they ask an organisation to delete their personal data and no other lawful basis or legal obligation requires keeping it, the data must be erased without undue delay. That includes copies held in backups, as far as is technically feasible, and the organisation should keep evidence that the deletion took place.
Right of Access
Every data subject has the right to ask how an organisation is using their personal data, where it is used and why, and to request a copy of the data held about them. A subject access request must normally be answered within one month, and the first copy must be provided free of charge.
“There’s a lot in the GDPR you’ll recognise, but make no mistake, this one’s a game changer for everyone.”
Elizabeth Denham, Information Commissioner (ICO)
Right to Object
Individuals have an absolute legal right to object to their personal data being used for direct marketing. If someone objects, you must stop processing their data for that purpose immediately.
Lawful Basis for Processing
There are six lawful bases for processing someone's personal data (Article 6). These are:
- Consent: the individual has given consent for the specific purpose
- Contract: the processing is necessary to perform a contract with the data subject, or to take steps at their request before entering into a contract
- Legitimate interests: the processing is necessary for the legitimate interests of the controller or a third party, except where those interests are overridden by the interests, rights or freedoms of the data subject
- Public task: the processing is necessary for a task carried out in the public interest or in the exercise of official authority vested in the controller
- Vital interests: the processing is necessary to protect the vital interests of the data subject or another individual
- Legal obligation: the processing is necessary for compliance with a legal obligation to which the controller is subject
Who does it apply to?
The regulation applies to any organisation established in the EU, and to organisations anywhere in the world that offer goods or services to individuals in the EU or monitor their behaviour. It covers both B2B and B2C activity.
Marketing to organisations?
Generic contact details such as info@ mailboxes or a company switchboard number are not personal data, so you can call and email them without needing a lawful basis under GDPR. A named individual's work email address or direct line is personal data, however, so B2B marketing to named contacts still needs a lawful basis (usually legitimate interests) and must honour opt-outs.
Contacting people through LinkedIn InMail is governed by LinkedIn's own terms, but any personal data you take out of the platform and store in your own systems is processing under GDPR and needs a lawful basis like any other contact data.
You could face fines!
If you are not compliant, you could face fines of up to €20 million or 4% of your organisation's worldwide annual turnover for the preceding financial year, whichever is higher.
FAQs
The Regulation sets no fixed expiry date for consent, but consent decays with time and should be refreshed. A refresh cycle of 6 to 12 months is a reasonable working practice.
Existing customers do not need to give fresh consent: contacting them will come under the lawful basis of "Performance of a Contract", or under "Legitimate Interest", since you already have a relationship with them and it will not be unexpected for them to hear from you.
Consent obtained before 25 May 2018 only needs to be re-obtained if the way it was collected did not meet the requirements of GDPR and/or it has decayed in that time.
On the face of it there is a conflict. But the general understanding of the text is that organisations relying on Legitimate Interest must carry out a Legitimate Interest Assessment (LIA), a three-part test: identify a legitimate interest; show that the processing is necessary to achieve it; and balance it against the individual's interests, rights and freedoms. Keep a record of the assessment so that you can show it was done.
If you cannot justify Legitimate Interest as the lawful basis, then you must rely on consent. If you buy data from a company that says it has obtained consent, you need to be careful: the consent must have named you. The ICO guidance states "You must as a minimum include the name of your organisation and the names of any third parties who will rely on the consent – consent for categories of third-party organisations will not be specific enough".
The regulation says that consent "must be a freely given, specific, informed and unambiguous indication of the individual's wishes". Any consent wording you use from 25 May 2018 onwards must meet that standard, and pre-selected tick boxes are not allowed.
Personal data is any information relating to an identified or identifiable natural person (the "data subject"), that is, anything that can be used to identify the person directly or indirectly. It can be anything from a name, a photo, an email address or bank details to posts on social networking sites, medical information, location data or an IP address.
A controller is the entity that determines the purposes and means of processing personal data, while a processor is an entity that processes personal data on behalf of the controller.
GDPR's breach provisions are mainly about notification. A personal data breach that may pose a risk to individuals must be reported to the ICO (or the relevant supervisory authority) within 72 hours of the organisation becoming aware of it, and affected individuals must be told without undue delay where the risk to them is high. Breaches must be documented internally even when they do not meet the threshold for notification.
Essentially this comes under Legitimate Interest, and individuals still have the right to opt out at any time.