On May 25, 2018 the European Union (EU) will put into effect the General Data Protection Regulation (GDPR). The GDPR will strengthen and unify data protection of all individuals who reside in the EU. The GDPR is one of the most comprehensive data privacy regulations in the world and is part of an ongoing effort by the EU to create a privacy-based framework that will ultimately culminate in the release of the ePrivacy regulations sometime in the near future.
The primary aim of the GDPR is to give control to EU citizens and residents over personal data and to create a unified framework that all members of the EU can adopt to protect citizens. With personal data – and the misuse of personal data – becoming critical conversation points across the Globe, understanding the implication of the GDPR is important for any business.
In general, the GDPR requires companies to comply – regardless of their location of business – if at least one of the following is true:
That list comprises just about every business. For non-EU businesses, the most important clause of the GDPR is that it applies to any organization operating within or outside of the EU which offer goods or services to customers or businesses in the EU. This, of course, means that any business that advertises or sells products or services online is directly impacted by the GDPR regulations.
The GDPR makes a distinction between two different types of business entities: Controllers and Processors. Controllers are organizations that determine what data to collect and how data should be used, and processors are the companies that manipulate or use the data on behalf of controllers. It’s possible for a company to be both a controller and a processor. Processors of data have greater requirements under the GDPR when it comes to data breaches and the handling of personal data. The GDPR places legal obligations on processors to maintain records of personal data, how it is being processed and how “permission” was obtained. Controllers, on the other hand, will be responsible for ensuring that any “processors” they do business with are also in compliance with the GDPR.
The GDPR is very clear about what information constitutes “personal data.” This includes name, address and photos, but also extends the definition to data elements that can be used to target an individual – such as their IP address. The GDPR also makes special mention of data elements like genetic data, biometric data, religious affiliation, and other sensitive personal data.
The GDPR also requires significant changes to the granularity that businesses must use when working with personal data from consumers. To be GDPR compliant, organizations must provide consumers with means of controlling their data and – if desired – be removed from a data set. This has significant implications for businesses who might want to “repurpose” data – for instance, under GDPR regulations, if a user has signed up for a newsletter, you are not allowed to target that user for other types of advertising and offers, without first getting consent.
Another key element of the GDPR is to give consumers the right to know when their data has been hacked. Organizations will be required to notify the appropriate national organizations within 72 hours to ensure that EU citizens can take measures to protect their data from being abused. The GDPR also explicitly requires companies to allow consumers to have their personal data deleted when citizens no longer want it to be processed, and when there are no grounds for retaining it.
Yes, and they can be severe. Breaches can cost companies up to 20 Million Euros or up to 4% of their annual global turnover. Some infractions are less expensive than others but are still significant. Whether the EU will actually impose fines of that size is hard to forecast, the rules have been written in a way to allow regulators some “wiggle room” and impose smaller fines, but there are no guarantees of leniency.
At Milestone we have always taken data privacy and data protection seriously. We are currently working on making the necessary changes to our technology and our internal policies and procedures. Many of our practices and technologies are already in compliance, but we strive to ensure we are fully compliant. We will be sharing more information about Milestone and the GDPR in the near future.
The most important change for any consumer-facing business is the notion of “explicit consent.” Explicit consent means that you must explain to customers what data is being collected, why the data is being captured and who specifically is requesting the data or will have access to it. This is critical since, once you have specified your data collection purposes, you are not allowed to expand that purpose without gaining a new consent. In our earlier example of signing up a user for an email newsletter, you must gain new acceptance if you want to expand usage of that data for other purposes.
In addition to compliance, the GDPR also specifically requires that organizations hire a Data Protection Officer (DPO) if any of the following are true:
As a rule, the more data you process, the more likely you are to need a DPO. As for “core activities”, these are defined as activities necessary to achieve your business goals. For example, an HR outsourcing company that manages and processes payroll and benefits for clients would need a DPO, since HR management and handling of HR records is core to the business. On the other hand, a retailer with an HR department that processes payroll may not need a DPO, at least not because of their payroll processing, since payroll is not central to that retailer’s business goals. If the use of personal data is in any way critical to the success of your business, a DPO may be necessary.
Below is a checklist of some of the aspects of the GDPR that will impact your business. Note that some of these items may apply to your “data processor” and not to your business directly. This list is not meant to be a comprehensive list of GDPR requirements, but is provided for informational purposes:
This information is different from legal advice, where an attorney applies the law to your specific circumstances, consult an attorney if you’d like advice on any of the above information, the accuracy of the information or about the GDPR in general. You may not rely on this content as legal advice, nor as a recommendation of any legal understanding.
In the webinar, Milestone President Benu Aggarwal and VP of Marketing Erik Newton shared their thoughts on the…
2021 was a great year for Milestone as we innovated through the challenges of a…
Amstar DMC provides world-class destination services and guided tours to individuals, travel agencies, tour operators,…
HSMAI has recognized the compassion and achievement of the 1440 team with a 2021 HSMAI…
Recent trends in social media usage have evolved more than ever and it is evident…
While competing in the local market, covering all possible touch points to engage with customers…