IMPORTANT DISCLAIMER: The information provided in this article and in other communications from MemberConnection pertaining to GDPR compliance is not legal advice. All decisions made regarding GDPR compliance should be made under the advisement of your attorney.
We’ve all been hearing a lot about GDPR, changes in the EU, and new data privacy rules. But what exactly are they, and how will these changes impact your organization?
What is the GDPR?
GDPR stands for General Data Protection Regulation, and it’s binding legislation that will regulate consumer privacy in the European Union. But it’s not just EU companies that are on the hook; all organizations that interact with EU citizens must also follow the GDPR laws. The legislation comes into effect on Friday, May 25, 2018, and hefty fines may be imposed on organizations that aren’t GDPR compliant by the deadline.
Does this apply to me?
The GDPR applies to all organizations located inside of the EU. However, the span of the GDPR is vast, and it’s not solely dependent on location. It also applies to companies outside of the European Union who:
- Offer services to EU residents.
- Process or possess the data of EU residents.
- Use the personal data of EU residents for targeted marketing or research.
Let’s say that an organization is in the United States, but they have clients in the EU, and they have personal data stored on each of their clients. In this instance, the GDPR absolutely applies. GDPR legislation is not restricted by European Union borders.
What counts as personal data?
The new law’s primary focus is on protecting the data of individuals in the European Union. To comprehend GDPR rules, we first must understand the kind of data that the GDPR, and the European Parliament by extension, is going to regulate. So, what exactly is “personal data” according to the GDPR?
Below are a few items that constitute “personal data” under the new GDPR regulation, but this list is not exhaustive.
- Name, Photo, Home Address, and Email Address
- Racial or Ethnic Data
- Medical Information
- Social Media Posts
- User ID, Location Data, IP Address, and Cookie Data
- Political Opinions
- Sexual Orientation
What are the rules for organizations?
Key components of the GDPR include:
- Organizations must keep the personal data of individuals secure, accurate, and up to date.
- Organizations must be transparent with consumers about the extent of the data that they possess, and how they intend to use it.
- Organizations must obtain consent from individuals to store or use his/her data.
- Organizations must be able to prove that consent was given for the data.
- Organizations must notify individuals if a data breach occurs and their data is taken.
What kind of changes need to be made?
Many organizations must make significant changes to their data handling processes. The kind of changes that must be made depend on whether you are a data processor or a data controller. In some cases, an organization will qualify as both a data processor and a data controller. It’s important to know whether you are a data processor, a data controller, or both, in order to understand which specific regulations apply to you.
A data controller is an individual or an organization that possesses and uses the personal data of consumers and determines why that personal data is used. The data controller is primarily responsible for complying with all GDPR regulations and for keeping data safe.
A data processor is an entity who processes data on behalf of the data controller; for example, Google Analytics could serve as a data processor on behalf of another organization.
In either case, if you’re a large enough organization, you may be required to appoint a Data Protection Officer, who will assist your organization with GDPR compliance regulations. They’ll also advise your staff members on GDPR law, and they’ll teach you the complexities behind GDPR policies.
What happens to individuals?
Although organizations must adhere to many new rules, individuals in the EU gain a new set of data privacy privileges. Some of the highlights include:
- Individuals have the right to know what information, if any, organizations are storing about them.
- If an individual wants to see the personal data that an organization is storing about them, then the organization must disclose said data to the individual within thirty days.
- Individuals may withdraw their data consent at any time.
- Individuals have “the right to be forgotten,” which means that they can ask an organization to erase all of its information about them.
Becoming GDPR compliant is a process that may take a significant amount of time and resources, depending on your organization. Work with your Data Protection Officer and your attorney to ensure that your organization is GDPR compliant by Friday, May 25, 2018.
- Data Controller: An individual or an organization who decides what to do with the personal data that they possess.
- Data Processor: An entity who processes data on behalf of a data controller.
- Data Protection Officer: An individual who advises data controllers, data processors, and staff members on GDPR regulations.
- Data Subject: The individual(s) who are protected by the GDPR.
- GDPR: The GDPR (General Data Protection Regulation) is a new set of regulations from the European Union, which will come into effect on Friday, May 25, 2018. These laws focus on data privacy for individuals in the EU.
- Personal Data: The GDPR defines personal data as: name, photo, home address, email address, racial or ethnic data, medical information, social media posts, user ID, location data, IP address, cookie data, political opinions, sexual orientation, and more.