Changes to the governance of data will have far-reaching consequences for your business. The new General Data Protection Regulation (GDPR) will determine how your organisation does business, and particularly how it manages, protects and administers data in the future.
What is it?
The General Data Protection Regulation (GDPR) is a new European ruling, which governs the data protection rights for all individuals within the European Union. It serves to strengthen and unify all data protection rules and practices across the EU.
What is changing?
GDPR will put the power back into an individual’s hands. They will gain the rights to access, amend, and restrict the personal data organisations have about them.
In the unfortunate event that an organisation suffers a data breach which could compromise the security of individuals’ personal data, those individuals must be told within 72 hours of the start of the breach.
Individuals also have the “Right to Portability”: the right to move their data and services to another provider with no hassle or strings attached.
The greatest change within GDPR is the way consent is granted. Consent must be knowingly and willingly given by the individual, with organisations making their intentions for data use clear. Soft opt-ins, implied consent, and hiding data policies within confusing T’s and C’s are all against GDPR rules.
Organisations must keep a record of why, when and how they were granted permission, together with details of what the individual was told at the time. If oral permission was granted, a script of what was said will work fine; call recordings are not essential.
Right to be Deleted
Individuals will have the right to retract consent at any time, and have the “Right to be Deleted”, which means that if they request an organisation to delete their data, it should be done immediately. It must be deleted from all backups, and the organisation should have proof of the
Right of Access
Every EU citizen will have the right to ask how an organisation is using their personal data, where it’s used and why. They also have the right to request a digital copy of the data that is being held about them.
“There’s a lot in the GDPR you’ll recognise, but make no mistake, this one’s a game changer for everyone.”
ICO Information Commissioner
Right to Object
All individuals will have a legal right to opt out of marketing communications. If an individual does opt out you must withdraw them from that activity immediately.
There are six allowable reasons for processing someone’s personal data. These are:
- You have consent from the individual
- Processing is necessary for the performance of a contract with the data subject, or to take steps to enter into a contract
- Processing is for the purposes of legitimate interests pursued by the controller or a third party, except where such interests are overridden by the interests, rights or freedoms of the data subject
- Processing is necessary for the performance of a task carried out in the public interest or in the exercise of official authority vested in the controller
- Processing is needed to protect the vital interests of the data subject or another individual
- Processing is needed for compliance with a legal obligation
Who does it apply to?
The new regulation will apply to any organisation around the world that deals with EU residents, and it applies to both B2B and B2C.
Marketing to organisations?
You can call and email organisations, as these are generic and not personal data.
Using the LinkedIn InMail feature is not affected by GDPR. However, the EU and the ICO have not yet clarified the position for other social media platforms.
You could face fines!
If you are not compliant by the 25th May 2018, you could face fines of up to €20 million or 4% of your organisation’s worldwide annual turnover, whichever is greater.
According to the Regulation, consent decays with time. However, 6 to 12 months seems to be a reasonable time frame.
No, it will either come under the lawful basis of "Performance of a Contract", or it would be "Legitimate Interest" as you already have a relationship with them and it won’t be unexpected for them to hear from you.
Only if the methodology did not match the requirements of GDPR and/or it would have decayed in that time.
On the face of it, there is a conflict. But the general understanding of the text is that organisations must carry out a Legitimate Interest Assessment, which is a three-part test: identify a legitimate interest, show that the processing is necessary to achieve it, and balance it against the individual’s interests, rights and freedoms.
If you cannot justify Legitimate Interest as the lawful basis, then you must rely on consent. If you buy data from a company that says it has obtained consent, you need to be careful. The ICO guidance states: "You must as a minimum include the name of your organisation and the names of any third parties who will rely on the consent – consent for categories of third-party organisations will not be specific enough".
The regulation says that consent "must be a freely given, specific, informed and unambiguous indication of the individual’s wishes". This means that the consent wording you use from 25th May 2018 onwards must comply with that statement, and pre-selected tick boxes are not allowed.
Any information related to a natural person, or ‘Data Subject’, that can be used to directly or indirectly identify that person. It can be anything from a name, a photo, an email address, bank details, posts on social networking websites, medical information, or a computer IP address.
A controller is the entity that determines the purposes, conditions and means of the processing of personal data, while the processor is an entity which processes personal data on behalf of the controller.
Proposed regulations surrounding data breaches primarily relate to the notification policies of organisations that have been breached. Data breaches which may pose a risk to individuals must be notified to the ICO within 72 hours and to affected individuals without undue delay.
Provided they meet the new rules, existing consents should still apply. Where personal data is processed for direct marketing, the individual’s right to object should clearly be brought to their attention.