The GDPR, or General Data Protection Regulation (2016/679), is a unifying update to European Union law that will apply directly to the processing of all personal data in the Union on May 25, 2018.  Prior to that date, the law of privacy in the E.U. has been governed by Member State laws passed under the E.U. Privacy Directive (95/46/EC), which had considerable variation among them.

You, as a marketer, are probably hearing more and more about the GDPR because violations can carry enormous fines that can impact even the largest multinational conglomerates and the law can apply to data processing even when it doesn’t occur in the E.U. Although stringent rules around the stewardship of personal data are not new in the E.U., the GDPR includes significant differences that are driving a global sea change in the practices, products, and agreements that relate to the handling of personal data.

In this blog, you’ll find the six most significant changes that the GDPR will bring to help you develop a more cohesive strategy for your organization.

Penalties

One of the largest changes under the GDPR is that organizations in breach of GDPR can be fined up to 4% of annual global revenue or €20 Million (whichever is greater). This is the maximum fine that can be imposed for the most serious combinations of infringements, e.g., not having sufficient customer consent to process data, not having a Privacy by Design process, or failing to report a data breach. It is important to note that these rules apply to both controllers and processors—which means that ‘cloud’ processors are not exempt.

Extra-Territorial Scope

Unlike the previous Directive, whose territorial applicability was ambiguous, and which applied to personal data processing “in the context of an establishment,” the GDPR is clear that it will apply to all processing of personal data “in the Union” (regardless of citizenship). Even when processing does not take place “in the Union,” the GDPR applies to organizations that have “establishments” in the Union, or who offer goods and services to people in the E.U. (whether or not a purchase is made or required). It also applies to the monitoring of behavior in the E.U. Businesses that do not have establishments in the E.U., but who process the data of E.U. citizens, will also have to appoint a representative in the E.U.

Consent

Consent for the processing of personal data is required any time another legal basis for processing hasn’t been decided upon and recorded by the organization. “Legalese” is out. When consent for processing is required, organizations can’t hide behind words with special legal meanings. The request for consent must be given in a clear, easily accessible form, and it cannot be mixed with other matters, such as buried within the ‘fine print’ of another document in small grey font.

It must also be as easy to withdraw consent as it is to grant it. For instance, if an app provides an opt-in notification for some form of processing, the mechanism for withdrawing that consent should not be buried in an inaccessible part of the app.

Breach Notification

The majority of Member States did not previously have mandatory breach notification requirements, but now, under GDPR, breach notification will become mandatory in all Member States whenever a breach is likely to “result in a risk for the rights and freedoms of individuals.”  The notification must be completed without “undue delay” and “where feasible” within 72 hours of having first become aware of the breach of personal data.  Such requirements are much more rapid than the timelines for notification under U.S. state laws and HIPAA, which are measured in days, weeks, even months.

Data Subject Rights

Right to Access

Data subjects (the people about whom the personal data relates) now have the right to obtain confirmation from the data controller as to whether personal data concerning them is being processed, where, and for what purpose. The controller must also now provide a copy of such personal data, free of charge, in electronic format.

“Right to be Forgotten”

The right to data erasure, as it is also called, empowers the data subject to have the controller erase their personal data, and possibly have third parties stop processing it. The data subject may request erasure if they have withdrawn consent or the data is no longer relevant to the purposes for which it was originally collected. “The public interest in the availability of the data” may also be considered by the controller when evaluating such requests.

Data Portability

The data subject is entitled to receive the personal data in a “commonly used and machine-readable format,” and be able to transfer that data to another data controller. This right only applies when the processing has been based on an individual’s consent or for the performance of a contract, and when processing is automated, and is limited to the personal data that was provided to the controller by the data subject.

Privacy by Design

Privacy by Design, also encapsulated in Canada’s PIPEDA legislation and encouraged by the U.S. Federal Trade Commission, is only now becoming a legal requirement of the GDPR. Important principles of ‘PbD’ include privacy and security by default (and from the outset), using the minimum necessary amount of personal data to accomplish a purpose as well as not forcing the loss of functionality for the data subject due to privacy. This requirement forces organizations to embed privacy-trained personnel into their software development operations and to incorporate the consideration of privacy into the development lifecycle.

Data Protection Officers

Under the current regime, each Member State has its own registration requirements for data transfers and notifications, and notifications and registrations must be submitted to each Member State. Under the GDPR, organizations will appoint a single Data Protection Officer (DPO), who will be able to interact (in most circumstances) with a single Member State data protection authority that has been designated the lead supervisory authority for the organization. The appointment of a DPO will be mandatory for controllers and processors whose core activities consist of processing operations which require regular and systematic monitoring of data subjects on a large scale, or of special (sensitive) categories of data.

DPOs:

  • Must have expert knowledge of data protection law and practices
  • May be a staff member or an external service provider
  • Must be allocated the appropriate resources to be able to carry out their tasks and maintain their expert knowledge
  • Must report directly to the highest level of management
  • Must not engage in any other tasks that could result in a conflict of interest

The GDPR has enormous implications for marketers and their organizations as a whole. If your company does any business in the E.U., these changes will get you started.