Reshaping How Data Is Handled
According to EUGDPR.org the GDPR is the most important change in data privacy regulation in two decades and will fundamentally reshape how data is handled across every sector. The legislation is designed to harmonize data privacy laws across Europe, protect and empower the data privacy of EU citizens and reshape the way organizations approach data privacy.
The GDPR replaces previous data protection laws that were deemed insufficient for protecting the sensitive personal information of EU citizens. The biggest change is the extraterritorial applicability and extended jurisdiction of the regulations. Territorial applicability was previously ambiguous, referring to data processes “in context of an establishment.”
As EUGDPR.org puts it, “The GDPR not only applies to organisations located within the EU but it will also apply to organisations located outside of the EU if they offer goods or services to, or monitor the behavior of, EU data subjects. It applies to all companies processing and holding the personal data of data subjects residing in the European Union, regardless of the company’s location.”
Another important change is related to the conditions under which customers may provide consent to collect, store and use their data. Businesses can no longer use complex language and legalese when describing these conditions — conditions must be presented in an intelligible and easily understandable form that uses clear and plain language. Also, consent to collect, store and use customer data must be distinguishable from other matters.
Note that explicit consent or “opt-in” is only required when sensitive personal data is involved. For non-sensitive data, unambiguous consent is sufficient.
Eye-Opening Data Security Stats
According to data compiled by Caunce O’Hara, a commercial insurance broker located in the United Kingdom, 57 percent of those who shop online in the UK say they don’t feel safe sharing their personal information online. Another 43 percent don’t want their personal information to be accessible to businesses. And more than half of fraud incidents in the UK were cyber-related.
The GDPR requires companies that do business with customers residing in the EU to:
- Provide customers with access to any data they have collected.
- Allow customers to give any of this data to another business.
- Receive consent from these customers before using their data for any purpose.
- Inform customers if there is ever a security breach that affects their data.
- Give customers the right to have any personal data the business holds about them erased.
- Give customers the right to opt out of research and marketing.
- Appoint a representative in the EU.
- Make legal arrangements when moving data to countries outside of the EU or that haven’t been approved by EU authorities.
- Protect the interests of their customers, especially if the data they possess relates to health, religion, race, political alignment or sexual orientation.
The penalties for non-compliance with the provisions of GDPR can be severe. U.S. businesses can be fined up to 4 percent of annual global turnover or €20 Million, whichever is greater, for the most serious data security infringements, such as not having sufficient customer consent to process their data. The rules apply to both controllers and processors of data, so “clouds” aren’t exempt.
The Rights of Data Subjects
Under the GDPR, any of your customers who reside in the EU now have certain rights when it comes to the collection, storage and usage of their data. These include the following:
• Breach notification — These notifications are now mandatory within 72 hours of your business first becoming aware of a data breach if the breach is likely to result in a risk to the rights and freedoms of your customers.
• Right to access — Customers may obtain confirmation from your business concerning whether or not their personal information is being processed, where it’s being processed and for what purpose. They may also obtain a free copy of their personal data in an electronic format.
• Right to “data erasure” — Customers may require your business to erase their personal data and cease further dissemination of the data, as well as have third parties stop processing their data.
• Data portability — Customers may require you to send them any of their personal data that you possess in a commonly used and machine-readable format that can be sent to another business.
In addition, EU customers have the right to what’s known as “privacy by design.” This is a requirement that businesses consider data protection from the outset when designing their systems, rather than simply adding layers of data protection after the fact. Also, businesses should hold and process only the personal data that’s absolutely necessary for the completion of their duties, and access to data among employees should be restricted on a need-to-use basis.
Review Your Customer Databases
Given the critical role that customer data plays in digital and direct marketing, it’s recommended that any business that has customers located in the EU review their marketing databases to make sure they can identify lawfully granted customer consent for use of their data. More specifically, you should be able to demonstrate how customers have consented to the collection, storage and use of their data.
Even though the GDPR has been in effect for over a year, many businesses in the U.S. are unaware of how they might be subject to its provisions. So now would be a good time to review your customer database in search of any EU customers who might trigger GDPR liability for your business. And as with any legal requirement like GDPR, consult with your legal representative about applicability and the actions your business should take, if any, in order to be compliant.