The European Union reached an agreement on the so-called “General Data Protection Regulation” (GDPR). Four small letters could have a huge effect on many businesses and organisations. The GDPR is coming, and there is no getting around it. May 25, 2018. On that date, organisations worldwide will encounter new, uniform data protection requirements—or face hefty fines. Time is ticking: only 2 months and 5 days, 66 days in total, are left. Are you prepared?
Data protection is a delicate and important topic that is taken very seriously. As a result, data protection and privacy requirements were built into the different bilateral treaties on the functioning of the EU. According to the EU, everyone has the right to the protection of their personal data. With the major privacy challenges of the new millennium, the EU had to develop a more effective set of mandates that improve the overall privacy of its citizens.
The GDPR will supersede the Data Protection Directive and will be applied to companies based in the EU. The same holds for companies outside the EU that process and store personal data of EU citizens. It means that companies with a significant European presence as well as companies that do business with other companies that have a presence in the EU will also be subject to the GDPR requirements. In short, GDPR also applies to organisations that host in the EU regardless of the end user or the user’s location. So this regulation is likely to cover most of the companies in the world.
Changes to personal data and traditional direct marketing?
Following the guidelines of the regulation, data should be:
- collected transparently;
- used only for its stated purpose;
- kept up to date and as accurate as possible;
- deleted upon the dissolution of the relationship.
An organisation must be able to validate all of these points.
The GDPR applies to automated personal data and to manual filing systems. Technology and policies protecting personal data will need to be built into business processes from the start, affecting mobile app design, device configuration and network access. Besides that, every time a business or company asks for personal information, it needs to clarify why and for what purpose the data is being used. In short, instead of saying “no, I don’t want to receive your newsletter”, you now have to say “yes, you can use my information and send me business information or opportunities”.
Data protection officers
Organisations of all sizes need to appoint data protection officers (DPOs). These DPOs act as a third party contracting on behalf of the data controller. Data processors must notify data breaches within 72 hours of the breach. Therefore, services need to be updated so that breaches can be identified quickly. If that is not the case, enormous penalties of up to 20m or higher will be charged, which has never been done before.
Acting now and putting in place the right tools & processes is essential to make GDPR manageable.