The General Data Protection Regulation (GDPR) is a major update to data privacy law. The new regulation, which takes effect on 25 May 2018, defines the responsibilities of any entity within the EU that processes personal data, and of any entity, regardless of geographic location, that processes personal data in order to provide a product or service in the EU. It also clearly defines the rights of the data subjects whose personal data these entities process.
The GDPR replaces the Data Protection Directive 95/46/EC, which went into effect in 1995. That was basically before the internet. Considering all the changes that have taken place since then with respect to the collection and use of personal data, the GDPR is long overdue and brings personal data protection into the 21st century.
Transparency is a core value of the GDPR. In short, no one has the right to store and process our personal data without our knowledge and consent, with the exception of clearly specified situations.
The GDPR places more accountability on businesses to protect the personal data they collect or process. To achieve compliance, “privacy-by-design” and “privacy-by-default” are two concepts that must govern the development of all new products, systems, and processes. Further, the GDPR requires that businesses not only comply, but are able to clearly demonstrate their compliance. Serious breaches of compliance can result in fines of up to €20 million or 4% of global annual turnover, whichever is higher.
Data subject – Any identified or identifiable natural person.
Data controller – Any natural or legal person or other entity that determines the purposes and means of the processing of personal data. A company is a data controller with regard to the personal data it holds, on its own behalf, about its employees, customers, suppliers, and others. A typical example is keeping and using personal data such as e-mail addresses for its own marketing purposes.
Data processor – An entity that processes personal data on behalf of a data controller. A typical example is a marketing automation vendor that sends out marketing emails on behalf of another company.
In general, “personal data” means any information that can be used to identify a person. The GDPR expands on previous legal definitions to include identifiers such as:
The GDPR sets out stricter requirements for what constitutes consent when data subjects provide their personal data. A typical example is when a web site visitor opts in to an e-marketing campaign by supplying their email address.
The GDPR states that consent must be:
freely given – an employer requesting personal data from an employee would not meet this requirement, because of the imbalance of power in that relationship
specific – it must be clear that the data being collected will be used only for specific activities
informed – the data subject must have sufficient information about those activities to make an informed decision
unambiguous – “consent should be given by a clear affirmative act”; this is one of the most significant changes with the GDPR, as it means it’s no longer legal to gain a data subject’s consent by means such as offering a pre-ticked opt-in box
Data controllers have new compliance requirements, including:
When soliciting consent, data controllers must use clear and plain language to communicate with data subjects.
Consent must be verifiable. Businesses are required to maintain consent records that can be checked to verify:
that the data subject has consented
what they consented to
when they consented
The GDPR defines various rights that all EU citizens have as data subjects. We all have the right to know who holds and processes our personal data, and for what purposes. We also have the right to:
request a transcript of our personal data and receive it in a portable format
correct any errors
request that our data be permanently erased
restrict the kinds of data that can be stored and processed
restrict the ways our data can be processed
withdraw our consent at any time
be clearly informed of all these rights
In turn, data controllers are required to:
make it just as easy for data subjects to withdraw their consent as it is to give it
take all reasonable measures to verify the identity of data subjects making these requests
respond to and fulfil these requests without undue delay (within one month of receipt of the request)
erase personal data as soon as the purpose for which it was collected has been fulfilled (regardless of whether a data subject has requested erasure)
ensure that their contracts with data processors specify that GDPR-compliant security measures are in place to protect personal data
Digitising your processes always makes compliance easier. But even if you’re already 100% paperless, the GDPR will require a number of changes to your systems and processes. Scrive can make that easier.
As both a data controller and a data processor, Scrive is well on the way to full GDPR compliance, so we understand the challenges our customers are facing. As trusted partners in digital transformation, we provide elegant solutions that simplify your processes, lower costs, and enhance your brand. In fact, we put Scrive solutions and expertise to work in our own operations, and that applies to our GDPR compliance too!
Find out how Scrive can help you with your GDPR compliance.