What should every marketing and communications professional know about the EU's new General Data Protection Regulation (GDPR)? There is a ton of information available about this scorching hot topic right now, and getting a grasp of the massive information load, legal terminology and all, can be a challenge.
Fret not, my friend. After reading this article, you will know why you should care about GDPR, understand the main terminology and know exactly what you should do to prepare.
So let's get started.
GDPR (General Data Protection Regulation) applies in all EU member states from May 2018. The regulation aims to harmonize data protection practices across the EU and to strengthen the privacy of people in the EU.
The regulation concerns every organization that collects, stores or processes personal data, whether it is a large listed company, a foundation, a small business or a public administration. Because nearly every organization maintains some sort of personal data register (such as a customer or member register), the regulation applies very widely.
GDPR should be taken seriously because violations can result in a fine of up to 20 million euros or 4% of the organization's worldwide annual turnover from the previous financial year, whichever is higher.
The regulation applies from 25 May 2018. It also applies to companies located outside the EU if they offer goods or services to people in the EU or monitor their behaviour, which in practice means storing or processing their personal data.
Before we dive more deeply into the regulation's content, let's go through some terminology:
Personal data: Any information relating to an identified or identifiable natural person. This can be a name, an address, a social security number, an email address or an online identifier such as an IP address or a cookie ID.
Personal data register: A structured filing system of personal data that is accessible according to specific criteria.
Data controller: The natural or legal person, public authority, agency or other body that determines the purposes and means of processing personal data, for example the company whose customer register it is.
Data processor: The natural or legal person, public authority, agency or other body that processes personal data on behalf of the data controller, such as an email marketing service provider.
Data subject: The identified or identifiable natural person whose personal data is in the register.
Opt-in: A person's freely given, specific, informed and unambiguous consent to the collection and processing of their personal data.
As GDPR takes effect, data subjects' rights increase and data controllers' obligations and responsibilities grow. The regulation allows data subjects to ask an organization what personal data it holds about them and how it is used. They also have the right to request that their personal data be transferred (data portability) or erased, and to object to its processing.
The data controller has to make sure that it is able to deliver the requested data to the data subject and to comply with requests for erasure. The data controller also needs to be able to demonstrate that it has a lawful basis for collecting and processing personal data. When processing personal data, the data controller needs to comply with the principles of Article 5.
Two key elements of the new regulation are privacy by design and privacy by default. Privacy by design means that an organization is obliged to take data protection into account when designing systems, services and practices that are in any way linked to processing personal data. Privacy by default means that, by default, an organization collects and processes only the personal data that is necessary for each specific purpose.
Essentially, GDPR brings more transparency, accountability and security into the collection and processing of personal data. Previously, the average Joe or Jane might have had to raise the alarm themselves about misuse of their personal data. Now the controllers and processors of personal data registers have to ensure, and be able to demonstrate, that they comply with the regulation and maintain the security of personal data.
Make sure you know what your organization's role is in handling personal data: are you a data controller, a data processor or both? The role determines which obligations and responsibilities you have.
Twitter has asked the users of its service to accept its new Privacy Policy. It states that users' personal data is also stored outside the EU.
6. Nominate a Data Protection Officer
Nominating a Data Protection Officer is mandatory when data processing is carried out by a public authority or body. A Data Protection Officer must also be nominated whenever an organization's core activities consist of regular and systematic monitoring of data subjects on a large scale, or of large-scale processing of special categories of personal data (such as health data) or data relating to criminal convictions. More information about nominating a Data Protection Officer can be found in Article 37 of the General Data Protection Regulation.
Offer training for the people in your staff that handle personal data so that they are up-to-date about the changes that the new regulation brings along.
How can marketers prepare for GDPR? (and how are we preparing)
What are the effects of GDPR on email marketing and marketing automation? Invite our digital marketing and communications experts over, and we'll tell you more about preparing for GDPR.
The article was originally published on the 2nd of November 2017.
The content should not be considered as legal advice.
Mari works as a Marketing Coordinator at Liana Technologies. She is an experienced content marketer who loves to dive into hot topics and learn new things. The GDPR checklist is an important tool and is currently being applied at Liana Technologies, which, like many others, is getting ready for the GDPR changes. Mari wrote this article in close cooperation with Liana Technologies' Data Protection Officer and our experts who interact with customers on a daily basis.