The General Data Protection Regulation (GDPR) comes into force on 25 May 2018.[1] Although the key elements of this new framework reflect the Directive it replaces,[2] significant changes will deeply impact the way many organisations gather, process, and store information about individuals. At its core, the driving aim of GDPR is to promote individuals' right to control their data. The regulators have taken a firm stance on ensuring data privacy and set eye-watering fines for non-compliance (maximum penalties are the greater of 4% of total global annual turnover or €20m).
The GDPR applies to you
GDPR has global reach. If your business handles personal information about European residents, whether it’s their cookies or sexual orientation, then you’re within scope – regardless of your location.
Let’s Take A Deeper Dive
GDPR and extra-territorial scope
As stated in article 3, although GDPR applies mainly to businesses established within the EU, it also applies to controllers and processors whose activities within the EU relate to: offering goods or services to individuals (whether or not they are free) or monitoring individuals' behaviour (such as using apps to track an individual's location).
Specific protections for children
A paradox for privacy notices
Increased individual rights: to portability
As well as the existing right to access their personal data, articles 17-18 now extend this right: individuals can ask for personal data to be transferred directly from one controller to another (without being subject to a fee), and can also ask to receive personal data in a machine-readable format.
Consent and the right to erasure
The right to object to direct marketing
Article 21 confers upon individuals the right to object to direct marketing. When this occurs, not only must controllers and processors stop sending material directly, but they must also cease using that personal data for marketing purposes, such as profiling.
When must Data Breaches be notified
Obligation to appoint a Data Protection Officer
All companies that process data revealing a subject's genetic data, health, racial or ethnic origin, religious beliefs, etc. must appoint a data protection officer (arts. 35-37). Review your recruitment process to verify what information is collected on employees.
What does this mean for you?
GDPR requires organisations to implement the technical measures necessary to ensure compliance. Where possible, organisations should adopt a privacy-by-design approach. Article 23, for instance, calls for controllers to hold and process only the data necessary for the completion of their duties (data minimisation), and to limit access to personal data to those who need it to carry out the processing.
The main challenge for GDPR compliance will be reviewing the processes relating to data security. Client Relationship Management (CRM) systems that cater to the changing regulatory landscape will be instrumental in facilitating this shift. The world's leading CRM provider, Salesforce, has worked closely with European lawmakers and other key groups throughout the development of the GDPR, and has taken several steps to help ensure that users can continue to use the platform while complying with GDPR. For example, Salesforce offers customers a data processing addendum that contains data transfer frameworks allowing lawful transfer of personal data to Salesforce outside the European Union, through reliance on binding corporate rules, the EU-US Privacy Shield certification, or standard contractual clauses. The latter were drafted and approved by the European Commission and contain detailed obligations relating to personal data protection.
How we can help you
Companies must take steps to ensure that both they and their processors (service providers or consulting firms in charge of processing personal data) understand and comply with the Regulation, to avoid significant exposure to liability.
We can help you address the issues that your business and IT organizations face.
The first hurdle to overcome is identifying what data you have, where you keep it, and who you share it with. The second step is to identify which data is personally identifiable, whether it is user-generated (for example, website behaviour) or obtained otherwise (for example, through a third party as part of a survey).
While the GDPR does not specifically require encryption, it is encouraged as an effective way to help ensure that personal data remains secure and confidential, particularly for sensitive personal data. We can advise you on suitable ways to encrypt your data.
We can also help you with application-to-storage mapping, data erasure and security or data access. Please use the form below to contact us for more information.
About the Author
After completing his training in M&A at Skadden Arps, Anastasios Papadopoulos founded Integrated Management Systems (IMS) in 2016 and played a key strategic role in positioning the company as one of the leading Digital Transformation Agencies in Hong Kong.
He brings with him his experience in M&A and Tech, and also founded IMS Digital Ventures: the innovation, incubation, and investment arm of IMS and Hong Kong’s first corporate venturing firm that launches and invests in disruptive businesses with Asia’s largest corporations.
Anastasios Papadopoulos read Law in France and in the UK and holds a Management degree from HEC Paris.