With the New Year just starting, it is already time to think about the changes that 2018 will bring. One of them is the General Data Protection Regulation, more commonly known by the acronym "GDPR". On April 27, 2016, the European Union adopted a new regulation that applies directly to all its member states. Companies have until May 25, 2018 to comply, so it is time to think about it seriously.
The GDPR, what is it?
GDPR is the acronym for "General Data Protection Regulation". Its purpose is to protect individuals and their personal data (i.e. "any information relating to an identified or identifiable natural person" [GDPR, chapter 1, article 4]) with respect to the processing of that data by companies.
GDPR, who is concerned?
- All EU companies that collect and process personal data are required to comply with this regulation, regardless of where the processing takes place.
- Companies that are not directly responsible for the processing of data and who go through a subcontractor must ensure that the subcontractor complies with it.
- The GDPR also applies to companies and subcontractors established outside the EU when the processing concerns the supply of goods and/or services to EU residents or the monitoring of their behaviour.
The main principles of the GDPR
The GDPR is based on different main principles:
- Lawfulness, fairness and transparency.
- Purpose limitation: data may only be processed for the purposes for which it was collected.
- Data minimisation: companies may only collect the data required for the contract.
- Accuracy of the processing.
- Limitation of the retention period of the data.
- Integrity (the data must not be altered, whether deliberately or accidentally) and confidentiality.
GDPR, why a new regulation?
Nowadays, the Web is an integral part of our lives: we buy online, we share on social networks, etc. Our personal data is therefore increasingly exposed and less and less protected. To mitigate this, the EU wanted to put in place a new regulation that allows citizens to regain control over their data. The aim is also to create a sense of trust between businesses and EU citizens, so that they feel more confident about using digital tools.
GDPR, what’s changing?
In concrete terms, what are the major changes brought by this new regulation? They affect both the data subjects (i.e. the identified or identifiable individuals whose personal data is processed) and businesses.
Rights of the people concerned
In order to better protect their data, data subjects have several rights that they can assert against companies: the right to information, the right of access, the right to object, the right not to be subject to a decision based solely on automated processing, the right to restriction of processing, and so on. But the rights that are really interesting for data subjects, and which are likely to affect the marketing sector in particular, are the following:
- Individuals now have a real right of erasure (also known as the "right to be forgotten"): if they wish, they can request that their data no longer be processed. Companies are obliged to comply and have 30 days to remove this data from their databases.
- Obtaining the consent of the data subject is mandatory. The request must be clear and must not be buried in a mass of information so that it goes unnoticed. This consent must also be given freely; it is therefore forbidden to force people to hand over their data in order to access a service. Finally, companies must be able to prove at any time, in case of an inspection, that they hold the person's consent.
- The right to data portability: if a data subject asks a company to provide his or her personal data or to transfer it to another company, the company is obliged to make this transfer in a machine-readable, easily usable format.
GDPR for businesses
What are the responsibilities of companies?
- "Privacy by default and by design": companies must raise their level of security to ensure the protection of the data they hold. Anyone who processes personal data must guarantee the highest level of data protection by default, from the moment the technology used to collect it is designed.
- Register of processing activities: which companies are obliged to keep a record of their processing activities? Companies with 250 or more people, those who regularly process personal data, those who process sensitive data (such as data on racial or ethnic origin) and those who carry out processing that may pose a risk to the rights and freedoms of the data subjects. For the others, keeping one is still advisable in case of an inspection by the competent authorities, but there is no obligation. The register must document:
  - The purpose of the processing (e.g. direct marketing, customer management, etc.)
  - Its legal basis (e.g. legal obligation, consent of the data subject, etc.)
  - The type of data collected (e.g. identification data, leisure/interest/affiliation data, education/training/job data, etc.)
  - Categories of personal data (CPD) (e.g. genetic data, health data, etc.)
  - The categories of recipients of the CPD, i.e. the persons to whom the data has been or will be communicated
  - Transfers of CPD to a third country or to an international organisation
  - Deadlines for deleting the different categories of data
  - Risks and mitigation measures: a list of the risks incurred by the data subject and the processes put in place to address them.
- AIPD: companies must carry out a Data Protection Impact Assessment (AIPD) when they want to launch a new product on the market.
- In case of a breach of CPD (for example, if the database is hacked), organisations are obliged to inform the data subjects of the situation.
- They must also review all their contractual processes.
- Finally, it is strongly recommended that they appoint a DPO (Data Protection Officer), who will be in charge, in particular, of implementing the GDPR and following it up. The DPO will also ensure that the business is compliant. This DPO may be internal or external to the organisation, as long as he or she is independent in the performance of these duties.
GDPR and sanctions
In case of non-compliance with the Regulation, the supervisory authorities may impose corrective measures. These range from a simple warning, to a ban on using one's database for a certain period of time, to administrative fines. These can be up to €20,000 or, for global companies, up to 4% of their annual turnover.
But do not panic. Although companies are being asked to comply as quickly as possible, it is clear that no company will be 100% compliant by May 25, 2018 (and it is Willem Debeuckelaere, the chairman of the Privacy Commission, who says so). Nevertheless, it is high time to learn about the regulation and do one's best to be ready in time.