What should every marketing and communications professional know about EU's new General Data Protection Regulation (GDPR)? There is a ton of information available about this scorching hot topic right now. Getting a grasp of the massive information load – legal terminology and all – might be a challenge.
Fret not, my friend. After reading this article, you will know why you should care about GDPR, understand the main terminology and know exactly what you should do to prepare.
So let's get started.
GDPR (General Data Protection Regulation) will be enforced in all EU member states in May 2018. The regulation aims to harmonize data protection practices across the EU and improve the privacy of EU citizens.
The regulation concerns every organization that collects, stores or processes personal data, whether it is a large listed company, a foundation, a small organization or an administrative body. Because nearly all organizations maintain some sort of personal data register (such as a customer or member register), the regulation applies very widely.
GDPR should be taken seriously because violations can result in a fine of up to 20 million euros or 4% of the organization's revenue from the previous year, whichever is higher.
The regulation comes into force on the 25th of May 2018. It also applies to companies located outside the EU if they store or process the personal data of EU citizens.
Before we dive more deeply into the regulation's content, let's go through some terminology:
Personal data: Any data that can be used to identify a natural person, for example a name, an address, a social security number, an email address or network identifiers.
Personal data register: A structured filing system of personal data that is accessible according to specific criteria.
Data controller: A natural person, organization, public authority, foundation or other body for whose use a register is created and that has the right to determine how it is used.
Data processor: A natural person, public authority, agency or other body that processes the register on behalf of the data controller, such as an email marketing service provider.
Data subject: An identifiable person whose data is in the register.
Opt-in: Consent given by a person to the collection and processing of their personal data.
As GDPR takes effect, data subjects' rights increase while data controllers' obligations and responsibilities grow. The regulation allows data subjects to ask organizations for information about their personal data and how it is used. They also have the right to request the transfer or erasure of their personal data, as well as to object to its processing.
The data controller has to make sure that it can deliver the requested data to data subjects and comply with erasure requests. The data controller also needs to be able to demonstrate that it has lawful grounds to collect and process personal data. When processing personal data, the data controller must comply with the principles of Article 5.
Two key elements of the new regulation are privacy by design and privacy by default. Privacy by design means that an organization is obliged to take data protection into consideration when designing systems, services and practices that are in any way linked to the processing of personal data. Privacy by default means that organizations must make sure they collect and process only the personal data they actually need.
Essentially, GDPR brings more transparency and security to the collection and processing of personal data. Previously, the average Joe or Jane might have had to raise a fuss themselves about misuse of their personal data. Now the data processors of personal data registers have to ensure and demonstrate that they comply with the data protection regulation and maintain the security of personal data.
Make sure you know your organization's role in handling personal data: are you a data controller, a data processor or both? The role determines which obligations and responsibilities you have.
6. Nominate a Data Protection Officer
A Data Protection Officer must be appointed in public sector organizations and in companies with over 250 employees. A Data Protection Officer must also be appointed whenever a company's core operations include processing sensitive personal data or large personal data registers.
Offer training to the staff members who handle personal data so that they are up to date on the changes the new regulation brings.
What are the effects of GDPR on email marketing and marketing automation? Invite our digital marketing and communications experts over, and we'll tell you more about preparing for GDPR.
The article was originally published on the 2nd of November 2017.
The content should not be considered as legal advice.
Mari works as a Marketing Coordinator at Liana Technologies. She’s an experienced content marketer who loves to dive into hot topics and learn new things. The GDPR checklist is an important tool currently being applied at Liana Technologies, which, like many other organizations, is getting ready for the GDPR changes. Mari wrote this article in close cooperation with Liana Technologies’ Data Protection Officer and our experts who interact with customers on a daily basis.