2018, Year Zero for GDPR
In 2018, important changes will be made to the regulatory landscape for the protection of personal data in Europe. The General Data Protection Regulation (GDPR), which substantially alters the applicable rules, will take effect on 25 May 2018.
Even if this legislative text is not strictly speaking revolutionary, the changes it implements are quite significant. Firstly, instead of a European directive, which each Member State must enact in its national legislation, the European Parliament has instead established a regulation, which, in principle, is identical throughout the European Union.
Secondly, the regulation also specifies how certain fundamental principles must be implemented, such as transparent data processing. And finally, because the regulation also imposes rather heavy fines on offenders.
Stricter obligations for data controllers
Data controllers and their subcontractors must comply with increasingly strict obligations. In everything they do, they must always endeavor to take the issue of data security into account, limiting the collected data to a minimum. In addition, they must also take every possible technical and organizational measure, ensuring it is adapted to the nature and risks associated with the processed data.
Organizations that typically process large amounts of data (such as polling organizations) will be required to appoint a data protection officer (DPO). Finally, data controllers must also communicate any security breaches to the authorities, to their customers and to the people whose data they process.
Data transfers to countries with different levels of protection must be strictly limited to specific cases. Last year, for example, the European Court of Justice declared the Safe Harbor framework invalid, causing quite a shockwave. Things will probably be no different for Safe Harbor’s replacement, namely the Privacy Shield agreement, that will exist alongside the regulation.
The sanctions outlined in the regulation are particularly impressive as fines can amount to up to EUR 20 million or 4% of the company’s annual global turnover. The accountability of subcontractors has also increased.
Emphasis on transparency
The regulation ignores the purely formal measures that had been enacted under the previous directive (i.e. the requirement to declare any processing operations), choosing instead to focus on the increased transparency of data processing operations. As such, the regulation stipulates which information must be provided to people whose data is processed. The information must be complete and must be communicated in an “intelligible” form, in clear and simple language. The requirement of informed consent makes it impossible, for example, to collect data from children under the age of thirteen.
The rights of the individual whose data is collected have been extended and simplified, giving them the option to oppose data processing under certain circumstances (for example for direct marketing purposes). A person may request any data that concern him or her and which were collected by a data controller in a commonly used format so they can be transmitted to another data controller (“data portability”). Finally, people now also have the right to oppose profiling, for example, based on their personal data.
It is not too late to do the right thing
It is not yet too late to implement the obligations arising from the GDPR. Nor must we lapse into blissful optimism, however. Chances are the authorities responsible for the implementation of the new regulation will do everything in their power to increase controls as soon as it takes effect.
Which steps must a company undertake to comply with the regulation?
Firstly, the company’s management must be aware of the overriding importance of personal data protection. The executive management and even the Board of Directors must take charge of this matter. They must, in certain instances, provided for under the regulation, appoint a Data Protection Officer who must ensure that the measures required for the implementation of the legal measures are effectively taken.
More specifically, the Data Protection Officer must ensure that all employees receive data protection training. They are the company’s most essential link on this level. There is no point in putting in place the most advanced protection technology if employees continue to carry around personal non-encrypted data on USB sticks. Otherwise data protection will never get out of the starting blocks.
What about Martech Providers in all this?
Many European Martech provider have chosen not to wait for the adoption of the GDPR to ensure that personal data is protected. Following the principles of the European Directive on Data Protection, they have adopted a set of practices aimed at ensuring data security and transparency.
On the other hand, a majority of the US providers fail to comply with the requirements of the Regulation, namely due to the fact that they host consumer data on the American soil. In principle, European marketers should avoid to uses these services in order to maintain compliance with EU regulation.
The Privacy Shield Mechanism, however, provides a mechanism of authorization for companies who self-certify themselves on various aspects of data security. The American Federal Trade Commission, charged with the enforcement of the Provisions of the Privacy shield has recently alleged that several companies made false claims about Privacy Shield participation.
This case reminds us that European marketers have a responsibility to ascertain that their providers respect the principles included in the regulation before to send them their data.
An opportunity for European companies
Despite the very stringent nature of the GDPR’s provisions, which may contribute to a negative image of personal data protection, we, on the contrary, think that the existence of such a unified framework is a real opportunity for European companies. It allows them to distinguish themselves from their global competitors by voicing their constant concern for the protection of the interests of both consumers and citizens.