The new General Data Protection Regulation (GDPR) will come into effect in the European Union on May 25, 2018. These regulations were agreed upon and adopted by the EU Parliament in April 2016, and will replace the existing Data Protection Directive. With the date quickly approaching, you may find yourself still unsure of what these new regulations mean and how to get prepared.
Frequently Asked Questions about GDPR
For this reason, we’ve rounded up a collection of frequently asked questions surrounding the topic and have provided detailed answers for each.
What is GDPR?
The GDPR is a new data protection law that will go into effect on May 25, 2018 in the European Union. These new regulations will replace the Data Protection Directive 95/46/EC from 1995 and will give greater protection and rights to individuals. The regulation creates a safer environment for consumers and their data by limiting the amount of data that may be collected, how it is used, and how long it can be stored.
How is GDPR different from the existing law?
The GDPR levels the playing field and forces all countries to comply in the same manner by regulating how personal data is used. Every country in the EU applies the Data Protection Directive differently, so the law varies across the EU making it hard to understand and enforce.
Do I need to worry about GDPR if I’m not in the European Union?
The short answer is, yes. If your business is communicating with consumers in the EU, or if you process or hold personal data of EU citizens (regardless of whether or not they reside in the EU), then GDPR will affect you.
What classifies “personal data”?
Any information that can directly or indirectly identify an individual is considered personal data. This data can range from a first name, email, photo, bank details, credit card information, posts from social media, medical history, an IP address, and more.
What repercussions will businesses face if they are not compliant with GDPR?
Organizations who do not adhere to the new regulations will be fined. Fines will be accrued in a tier method dependent on the level of the violation. The maximum fine an organization can be charged will be 4% of global yearly revenue or €20 million.
How is the amount of the fine determined?
The GDPR states that fines should be “effective, proportionate, and dissuasive,” but also should consider what the business has done in order to meet the GDPR requirements. In other words, if your business isn’t preparing for GDPR and suffers a significant data breach, then you’ll face a high fine. If you are preparing for GDPR and are close to achieving compliance, the fine will be proportionate. The decision about fines sits with the local supervisory authority.
What are the requirements to be GDPR-compliant?
To ensure you meet all the requirements of the new regulation, you must:
- Strengthen consent conditions.
- Notify contacts of a breach within 24 hours. Breach notification.
- Provide consumers with a copy of their personal data in an electronic format if they ask.
- Erase consumer data and longer use it if a customer makes this request.
- Allow consumers to transfer their data from your organization to another controller for processing.
- Build data into systems instead of as an add-on or afterthought.
- Appoint a Data Protection Officers if your organization meets certain criteria.
Will I need to appoint a Data Protection Officer?
If an organization is considered a public authority, is known for regularly monitoring individuals on a mass scale, or if they process special categories of data, like health records and information on criminal charges, the new regulations require companies to appoint a DPO.
What is valid consent?
GDPR requires valid consent from all new and existing contacts. If requested, you will be required to prove that you have consent to use personal data. Consider the following scenarios:
- Current customers (purchasers): Consent exists under an “existing customer relationship.” However, be mindful of how long the relationship could be considered valid and whether the communication content may be restricted to the existing relationship (e.g., under the German UWG Sec 7(3)).
- Lapsed customers: A company can no longer keep personal data without any consent, customer relationship, or ongoing email activity.
- Active email subscribers without provable consent: To continue sending communications, you would need to prove that your program provides a valuable service and constitutes these individuals as “existing customer relationships.”
- Inactive email subscribers: You should not store the data without any recent consent, customer relationship, or ongoing email activity.
- New and re-engaging customers / email subscribers: You should store the wording and act of consent for each customer (i.e., this individual checked this box at this date/time from IP address X and they consented to data processing in Y statement).
What are the 6 legal bases for processing personal data?
Under the new GDPR, organizations are required to only process personal data if one of the following legal bases are met:
- Consent: Individuals must give valid consent through clear and transparent language before organizations may process their data.
- Contract: Individuals are part of a contract that requires the organization to process data.
- Compliance with a legal obligation: It is necessary for the organization to process certain data under legal obligation.
- Vital interests: Processing data is necessary to protect the vital interests of the individual or another natural person.
- Public interest: Data processed in accordance with a task carried out in public interest.
- Legitimate interest: Processing personal data for further protection.
What is “legitimate interest?”
Legitimate interest is one of the 6 legal bases for processing personal data under the GDPR. It is stated that “the processing of personal data for direct marketing purposes may be regarded as carried out for a legitimate interest and some marketers believe that this statement gives them permission to send to individuals without making significant changes.”
However, you need to determine whether “legitimate interest” is the best basis for consent. Once you’ve done this, you’ll need to make sure that you:
- Explain how or why you need an individual’s personal data when you collect it.
- Use a layered privacy notice/policy.
- Inform individuals of what you plan to do with their data once you collect it.
- Give individuals the option to refuse marketing.
- Collect the minimum data necessary and delete records after use if requested by the individual.
You need to be able to prove that the above is adhered to for all data (existing + new) you may use under the umbrella of “legitimate interest.”
A marketing interest would not likely be a good basis for using “legitimate interest.” Instead, use consent as the basis where possible.
How can I prove consent?
Under GDPR, there are 6 legal bases of processing data lawfully as outlined above. If your data fits any of these methods, then you do not need to change anything.
Double opt-in is one legal basis of compliance with the requirement of consent being “verifiable,” and while not required by the GDPR, it is a relatively easy way to prove that an individual signed up for a service.
To implement double opt-in: After an individual has completed the consent form, you should send an email asking the individual to confirm the opt-in via a verification link. The act of clicking this link is confirmation of a valid subscription and will help demonstrate GDPR compliance.
Ensure that you store:
- Date/time of consent
- Method of consent
- A referential copy of the sign-up form, including its wording.
Remember that consent applies to all data collection practices, including offline methods including mail and telephone. You should consider how you capture and store consent for any offline method.
That depends. As previously mentioned, GDPR will require organizations to give greater transparency around consent. GDPR requires them to ensure that the individual is giving “informed consent” and that they understand who is using their data and why.
If an organization plans to use the data for more than one purpose, then they must make it clear and gain consent for each purpose. Processing should only happen for those purposes for which consumers consented.
Your privacy policies must be easy to understand and should explain who is collecting the data and the rights of the individual to control that data. You will also need to make it clear how long you will retain the data.
You should keep records of the privacy policies, consent information, and processing activity to prove that you are complying with the permission granted by the individual.
Can I still send marketing campaigns to my existing contact list?
After May 25, 2018, all data that you hold and process for any marketing campaigns must comply with GDPR. You need to check that you have consent from all of the contacts about all of the ways you plan to use their data. You must also prove that you have unambiguous permission to send communications to these contacts, and for any ambiguous or lapped contacts, you must obtain new and expressed permission.
Should I implement double opt-in?
Double opt-in is not a requirement for GDPR, but it is an easy way to collect proof of consent. Using this method allows marketers to validate that they have the right data (in this case an email address) and gives an additional step for contacts to consent (by clicking a button).
Note that generic messages or pre-checked boxes will no longer suffice as consent. You must provide clear and transparent language explicitly stating what data is being processed, why, and how long it will be used.
Double opt-ins allow you to confirm consent with your contacts, which is a great way to ensure you stay GDPR-compliant.
How can I re-engage my unengaged subscribers?
You don’t have long to get permission from unengaged subscribers, so consider running campaigns to grab their attention (maybe consider using lead magnets like incentives, offers, upgrades, etc.). If these subscribers feel that there’s value in the communication, they’ll give you their consent.
How can I check to see if I’m compliant?
Use this quick checklist to ensure you’re ready for GDPR:
- Assess your current data (what do you have, where do you store it, etc.).
- Conduct privacy impact assessments (if necessary).
- Decide on the lawful basis for processing each set of data.
- Decide if / how to refresh consent to comply with requirements.
- Update all online / offline data collection points for compliance.
- Update privacy policies and notifications.
► Learn more about how you can prepare for the GDPR by watching our on-demand webinar below.
DISCLAIMER – The materials appearing in this article do not constitute legal advice and are provided for general information purposes only.