Get ready for the General Data Protection Regulation (GDPR).
Those for whom Privacy & Data Protection is a formal responsibility will no doubt already have heard of the General Data Protection Regulation (GDPR). On the 25th of May 2018, the most important change in Data Privacy Regulation in 20 years will go in full effect. GDPR is designed to harmonize data privacy laws across Europe, to protect and empower all EU citizens’ data privacy and to reshape the way organizations approach data privacy. The regulation will apply to all organizations that sell products or offer services to EU citizens, both inside and outside the EU. Organizations in breach of GDPR can be fined up to €20 million or 4% of global annual turnover, whichever is the greater. The EU is not messing around on this new regulation!
The primary objective of the GDPR is to give citizens back control of their personal data. Without a doubt this regulation will impact every entity that holds or uses European personal data both inside and outside of Europe. The challenge is to work out what this will mean for every company. Below is a short overview of some of the key changes that come with the GDPR.
Consent more strict
The conditions for consent have been strengthened. Consent must be clear and distinguishable from other matters and it must be as easy to withdraw consent as it is to give it.
Right to be forgotten
The right to be forgotten entitles the data subject to have the data controller erase his/her personal data, cease further dissemination of the data, and potentially have third parties halt processing of the data.
Right to Access
The right to obtain confirmation as to whether or not personal data is being processed, where and for what purpose. Further, the controller must be able to provide a copy of the personal data, free of charge, in an electronic format.
Privacy By Design
At its core, privacy by design calls for the inclusion of data protection from the onset of the designing of systems, rather than an addition. Companies can hold and process only the data absolutely necessary for the completion of its duties and must limit the access to personal data to those needing to act out the processing.
Breach notification will become mandatory in all member states where a data breach is likely to “result in a risk for the rights and freedoms of individuals”. This must be done within 72 hours of first having become aware of the breach. Data processors will also be required to notify their customers, the controllers, “without undue delay” after first becoming aware of a data breach.
Data Protection Officers
DPO appointment will be mandatory only for those controllers and processors whose core activities consist of processing operations which require regular and systematic monitoring of data subjects on a large scale or of special categories of data or data relating to criminal convictions and offences.
The right for a data subject to receive the personal data concerning them, which they have previously provided and have the right to transmit that data to another controller.
How to get GDPR Compliant?
Every company should get on the compliancy train before it leaves the station! It is essential to start planning your approach to GDPR compliance as early as you can and to gain ‘buy in’ from key people in your organization. You may need, for example, to put new procedures in place to deal with the GDPR’s new transparency and individuals’ rights provisions. Many of the GDPR’s main concepts and principles are much the same as those in the current Data Protection Act (DPA), so if you are complying properly with the current law then most of your approach to compliance will remain valid under the GDPR and can be the starting point to build from. However, there are new elements and significant enhancements, so you will have to do some things for the first time and some things differently. As in many cases, how to go about getting GDPR compliant differs for every company.
Want to know more about the GDPR and how can Salesforce Marketing Cloud play a role? Come and find the C-Clear Partners booth at Salesforce Essentials Belgium on the 1st of June to learn more about the GDPR and how we can assist you in compliancy. More info and registrationhere!