The Insider's Guide to GDPR
Are you ready for May 25?
Say hello to the new regulation adopted by the European Parliament and the Council: GDPR, which governs the protection of the personal data of individuals in the EU. It must be complied with by every company established in the EU, but also by companies outside the EU that offer goods or services to, or monitor the behaviour of, people in the EU.
Otherwise, there will be serious consequences.
If you are part of the business world, whether in marketing, legal, politics or some niche only you know about, tracking trends and the changes happening within them is nothing new to you, and you know the famous saying:
"The only constant in life is change."
It is one of those jobs that you live, one that cannot go on without your constant engagement, study, research, understanding and dedication... but who am I to explain the scope and needs of your business to you? You understand it best.
What is GDPR?
These days, the thing that occupies our attention is definitely GDPR. The last part, PR, reminds me of public relations, and although that is not what it means, I have to admit it is not far from it. GDPR, the General Data Protection Regulation, is, as most already know, the regulation of the European Parliament and the Council adopted in April 2016 which deals with the protection of the personal data of everyone in the European Union.
Only a month separates us from the enforcement of this regulation. So by May 25, everything you have been asked about the protection of personal data, whether by your colleagues or your associates, has to comply with the regulation: the data must be available, sorted and ready to be managed according to the wishes of the data subject. From April 2016 to May 2018 is a full two years, and every business owner has had more than enough time to prepare for the coming changes. That is one of the understandable reasons why the regulation will not be postponed and the date is fixed.
So, unfortunately for those of us who collect and use the personal data of people in the EU, whether for employment, marketing or any other purpose, the changes are real, there is little tolerance for lapses, and what has drawn most of our attention is that the fines are shockingly large.
From the employer's perspective you might call the fines draconian, but put yourself in the shoes of the natural person who is a daily target for data abuse simply for having made a purchase. Imagine losing all your funds and your identity: would you still find these fines draconian, or fitting for those you trusted with all your data, only to find out that they had not looked after it?
A company that can afford a fine of up to €10 million or 2% of its worldwide annual turnover, or in the upper tier up to €20 million or 4% (in each case whichever is higher), will either way not let this happen; it will use the services of consultancies that see a large profit in these processes. But what about the little ones? Who will help us?
As the elders often say, who will help you besides yourself? Here we are talking about the many blogs that help us understand, in the simplest way possible, what is changing and what is required of us, the various webinars and, eventually, the many marketing and IT companies that see a chance to profit in every change and new regulation. Who could blame them for innovation and expertise? Not me, because we can never have enough of such people.
Let’s go over some of the main terms related to GDPR.
1. Regulation vs. directive
A directive is a legal act, adopted by the European Parliament and the Council, that sets out a goal which EU member states must achieve, leaving it to each member state's government to decide how. As a result, each member state ended up with different legal rules for data protection. Such a directive for the protection of personal data was adopted in 1995 (Directive 95/46/EC), but with the growth in the amount of data collected it is no longer enough. Analysts have predicted that by 2020 the volume of data collected will reach 40 zettabytes.
The new rules come in the form of a regulation, a binding legislative act that applies directly and in full in every EU member state, without each state having to transpose it into national law.
In other words, a directive is a guideline for creating a legal framework, while a regulation is a firmer, non-negotiable legislative act that applies uniformly across all EU countries. And on May 25, we welcome the regulation.
2. Controller vs. processor
A data controller is any natural or legal person, public authority, agency or other body that, alone or jointly with others, determines the purposes and means of the processing of personal data. The controller decides why and how personal data are processed, and for that reason GDPR treats it as the party primarily responsible, including for obtaining consent. The controller is the one people contact when they want to see, change or delete the personal data it holds about them.
The regulation also binds data processors: natural or legal persons, agencies or authorities that process personal data on behalf of the controller.
In practice it looks like this: if a company builds a database of its customers and, besides first and last name, also collects the email address, which an email marketing tool such as MailChimp then processes and stores so that the company can easily send email campaigns in the future, then the company is the data controller and MailChimp the data processor.
3. Privacy by design
One of the terms you need to take into account to make adjusting to GDPR easier is privacy by design: data protection built into your processes and systems from the start, not bolted on afterwards. In practice it requires us to make consents for collecting and processing data clear, written in plain language, and to explain the purpose for which the data are collected. The most visible part of privacy by design is the opt-in form, in which the data subject simply and clearly gives permission for the use of their data. Make sure the data you keep are accurate, and above all keep the records in which subscribers gave their consent for you to send them marketing material and to keep and use their data in your processes. After that, the data subject must be able to obtain their data in a structured, commonly used, machine-readable format and, on request, have it deleted, corrected or transmitted to another controller.
As we have already pointed out, when you rely on consent as the basis for collecting data, that consent has to be clear. Consents for data use must be clear and simple, and there has to be a clear choice that is not made a condition for something else. The data subject must be able to refuse or withdraw consent without any consequences, and withdrawing it must be as easy as giving it. Young people aged sixteen or over can give consent on their own (member states may lower this threshold to thirteen), while younger children need the approval of a parent or guardian.
Also, perhaps most important to mention, every consent must be recorded so that you can demonstrate it, whether as a written document or as a recorded oral consent. But obviously, they need to give their consent to being recorded in the first place.
To avoid any confusion, the term "personal data" covers a wide spectrum of data that you need to look after, among them:
- Name
- Email address
- IP and MAC address
- GPS location
- RFID tags
- Cookies on a website
- Telephone number
- Tax identification number
- Biometric data (fingerprint, hand and face geometry, iris pattern)
- Genetic data
- Education data
- Payment data, creditworthiness, bank accounts
- Health data
- Sexual orientation
- and any other data relating to an identified or identifiable individual
Some advice for GDPR readiness
- create a team that will deal with questions of privacy and data protection, track the activity and raise awareness of GDPR
- go over your current data-collection processes and add GDPR safeguards wherever possible, and check your contracts with third parties to make sure they meet the requirements of GDPR
- establish exactly which personal data you need for your business, whether name, email address, home address, telephone number or anything else, and analyse the processing, use and storage of those data
To sum up, all the opt-ins we have seen lately, where we allow the use of every possible piece of data, whether we are aware of it or not, just to be able to use some application (usually Facebook or Instagram), have brought us to a situation where our personal data are handed to other people on a plate and become a target for misuse. To prevent excessive collection of data that should be personal and sacred to every person, we welcome the famous GDPR.
Of course, the Facebook team with Zuckerberg at the top had no idea it would lead to such rigorous scrutiny (or they didn't care). Their main focus was to collect as much data as possible so they could work it and keep you on their pages for as long as possible. Still, they are the ones we should "thank" for this outcome.
What makes us happy as individuals is the protection of our personal data and less collection of and access to it, while as companies we are upset because basic business requires us to collect data, and the regulation only makes things more complicated and riskier.
I can only say: you never know what the future brings, take care of the data you hold, and good luck!