Be updated, subscribe to the OpenKM news

The definitive GDPR Guide for business

Written by Nabeena Malik on 27 february 2018

"This is an extract of the extensive article "The Ultimate GDPR Guide for Marketers and Businesses" published by Nabeena Mali in AppInstitute on 13 december 2017. We thank you Nabeena Malik for her kindly collaboration and her interest in sharing with our subscribers her deep knowledge about the european directive."

The General Data Protection Regulation was first proposed in 2012, and what followed was four years of discussions, debates, and amendments, with the regulation finally adopted by the European Parliament in 2016. Countries, companies, and organisations were given two years to comply, with the regulation being enforced from May 25, 2018. What originally seemed like a reasonable amount of time to prepare has passed quickly, and at the time of this writing, enforcement of the GDPR is barely 3-months away.

Much has already been written and discussed in the public domain regarding the GDPR, but still, many business owners are a little unsure of what the GDPR entails, and whether or not they are affected. With this GDPR guide, I hope to add some clarity, explaining what the General Data Protection Regulation is, which businesses it affects – and how – along with answers to some common questions frequently asked about the GDPR, and some steps you can take to move your business towards compliance.

In Plain English: Everything You Need to Know About the GDPR

We’ve seen how technology is disrupting industries both old and new: Uber and Lyft are disrupting transport, Netflix is disrupting how movies and TV shows are produced and consumed, and AI is threatening to disrupt every single industry in ways we never before thought possible. But technology also disrupts the laws and regulations implemented by countries, with the GDPR designed to replace a modern directive that itself was no longer sufficient: Directive 95/46/EC (a data protection directive).

The General Data Protection Regulation is, obviously, centred around data protection, but it doesn’t regulate all data protection. Instead, it is focused on the personal data of individuals, specifically individuals residing in any EU member state. It updates existing – and introduces new – regulations relating to the collection and processing of the personal data of any individual residing in any EU member state. And it doesn’t only apply to businesses and organisations with a physical presence in any EU member state. Businesses and organisations throughout the world will need to be compliant with the GDPR if they collect and process the personal data of any individuals residing in the EU.

The purpose of the regulations is not to make it more difficult for businesses to sell, market, or perform any of their normal business functions. Instead, it is designed to give individuals greater control over who collects and processes their personal data, what it is used for, and how it is kept safe.

It does this by first differentiating between personal data and sensitive personaldata, with personal data being any information which makes it possible to identify an individual – either directly, or indirectly. It includes data such as names, identification numbers, location data, and online identifiers. Sensitive personal data also makes it possible to identify an individual, but through an expanded scope of specific factors, including elements of their physical appearance, physiology, genetics, mental health, economic, cultural, or social identity. The collection and processing of sensitive personal data is not allowed, except under very specific circumstances, with additional requirements in terms of data safety.

Next, the GDPR refines the principle of consent, requiring:

• The explicit consent of individuals.
• The elimination of blanket consent, consent by default, and consent as a condition of sale, service, or general terms and conditions.
• The ability for individuals to easily withdraw consent.

There are provisions within the GDPR for times when consent is not necessary, but these all relate to very specific lawful bases for collecting and processing personal data.

The GDPR then clarifies the rights of individuals in terms of their personal data, broken down as follows:

• The right to be informed, typically covered by your privacy notice. Detailed information regarding who is collecting and processing the personal data, along with how it will be used, must be freely available, and written in clear, plain language.
• The right of access. Individuals can request confirmation from you that their data is being processed. They can also request a copy of all their information that you hold, along with any supplementary information. It should be provided free of charge, and within one month of the request being made.
• The right to rectification. Individuals can request you to correct any incomplete or inaccurate information that you hold, with you then being responsible for passing the corrected information onto any third-parties you previously shared the data with.
• The right to erase. This is not an absolute right to be forgotten, but rather a provision for individuals to request the deletion of their data by you when there is no longer a legitimate reason for you to continue processing it, or they withdraw their consent.
• The right to restrict processing. Under certain circumstances, individuals can request that the further processing of their data be restricted. This is different to the right to erase in that you are still permitted to store some personal data, just not process it further.
• The right to data portability allows individuals to obtain their data from you, and reuse it for their own purposes across other services. However, this only applies in circumstances where the individual provided a controller with their personal data, typically during the performance of a contract application.
• The right to object. Unless you have compelling legitimate reasons to process an individual’s data, they retain the right to object to processing for a number of reasons.
• Rights in relation to automated decision making and profiling. The GDPR requires that safeguards be put in place for any automated processing and decision making, to minimise the risk of any damaging or adverse decisions being made without the possibility of human intervention, or the ability to seek an explanation.

The GDPR goes into great detail in relation to accountability and governance within businesses and organisations. This addresses matters such as:

• The implementation of measures that ensure and demonstrate compliance. This may include internal data protection policies such as staff training, internal audits of processing activities, and reviews of internal HR policies.
• Maintaining relevant documentation of all processing activities.
• Identifying whether your organisation is a data processor, a data controller, or both. You need to understand the purpose and requirements of these distinct roles in terms of the GDPR, and where appropriate, you may need to appoint a data protection officer.
• The implementation of measures that satisfy the principles of data protection by design, and data protection by default. This could include:
  • data minimisation
  •  pseudonymisation or anonymisation of data
  • the ability for individuals to monitor the processing of their data
  • ongoing improvement of security features

Finally, the GDPR introduces new requirements for how personal data is processed to ensure security, along with requirements for how businesses and organisations need to respond to data breaches.

It is important to remember that the GDPR does not affect all businesses and organisations, only those who collect and/or process personal data, either of their clients, or on behalf of another organisation. If you don’t collect or process any personal data of individuals, you have nothing to worry about. And if you do, the primary matter you should be concerned about, is ensuring that you are fully compliant with the requirements of the GDPR. The GDPR should in no way prevent your business from continuing to operate, though it may force you to change some of your processes, making it more difficult to perform some tasks, but never making it impossible to operate.

The heavy fines possible under the GDPR are not meant to harm businesses, but rather to serve as a deterrent against relevant businesses and organisations from ignoring the regulations, and putting the personal data of individuals at risk.

But as with any new regulation, we will have to wait until it is enforced, and new case law established, to ascertain any true material impact on organisations, and individuals, and whether or not this will change over time.

Big Questions About the General Data Protection Regulation

Will the GDPR affect me?

The short answer is, yes. As an individual, the GDPR prescribes when and how organisations and companies can process or control any personally identifiable data relating to you. And if you are part of an organisation or business that processes or controls personal data of any EU individual, the GDPR prescribes when you may do this, and how you should do this. That means that the GDPR doesn’t only apply to businesses and organisations with a physical presence in any EU member state, but also those that offer goods or services to citizens of any EU member state, even if they have no physical presence in the EU.

Will the GDPR affect cold calling?

The General Data Protection Regulation (GDPR) will most definitely affect all forms of cold calling, including cold email marketing. The GDPR sets a high standard for consent, placing an emphasis on leaving the individual (the prospect/customer) in control, and building trust and engagement.

Proper consent under the GDPR means the following:

• Consent must be explicit, and via a positive opt-in. This means you can no longer use consent by default, consent as a condition of sale or service, or even pre-ticked consent boxes on forms.
• Consent cannot be vague. The individual must give a specific statement of consent, while knowing what they are consenting to, and who they are giving consent to. If any third-party controllers will also be relying on the individual’s consent, they must be named.
• Consent should be separate from any other terms and conditions.
• Evidence of consent must be recorded and retained. This includes records of who, when, how, and what.
• It must be easy for individuals to withdraw consent, and they must be informed of how they can withdraw consent.

You should regularly review your records of consent, making sure nothing has changed in terms of the relationship, the processing of the data, or the purpose of the consent. Refresh as necessary.

Will the GDPR affect B2B?

The GDPR specifically applies to individuals, so in the context of B2B relationships – existing and new – the impact of GDPR will depend on the contact information you use to communicate with your B2B clients. Whenever your contact information includes personal data, you would need to follow the regulations relating to explicit – and recorded – consent to opt-in. This would extend to also include regulations regarding data protection.

If, however, your records only include generic contact information (a contact number or email address with no name attached) you don’t necessarily have to record explicit consent, but you must make it easy for the company or organisation to opt-out, and keep a record of this.

"This is an extract of the extensive article "The Ultimate GDPR Guide for Marketers and Businesses" published by Nabeena Malik in AppInstitute on 13 december 2017. We thank you Nabeena Malik for his kindly collaboration and his interest in sharing with our subscribers his deep knowledge about the european directive."