In just under six months, the EU’s General Data Protection Regulation (GDPR) will come into force.
On May 25th, 2018, the GDPR will replace the EU Data Protection Directive (1995) and the UK Data Protection Act (1998). The regulation affects all EU companies that process or store personal information and companies not in the EU that process or store personal information for EU residents. Differing from the prior regulations, the GDPR focuses on the privacy and rights of the individual. Consumers and data subjects should have the right to know what data is held about them, as well as how it’s being stored and secured.
One Set of Rules for All the EU
The GDPR creates one set of rules for all EU member countries. While the prior directives could be interpreted and implemented differently by each country in the EU, the new regulation provides one uniform regulation implemented across the entire EU by one supervisory authority.
Personal Data Is Redefined and Expanded
The Data Protection Directive defined personal data as a person’s name, photo, email address, phone number, address, and personal identification numbers (SSN, credit card numbers, bank account numbers, etc.). The GDPR expands personal data to include such things as IP addresses, mobile device identifiers, geolocation information, and biometric data (fingerprints, retinal scans, hand geometry, etc.). Also included is an individual’s physical, psychological, genetic, mental, economic, cultural, or social identity.
Defined Individual Rights
The GDPR provides the following rights for individuals:
- The right to be informed – companies must provide “fair processing information” to their data subjects, typically by a privacy notice.
- The right of access – the individual is allowed to be aware of and verify the lawfulness of how their data is being processed.
- The right to rectification – the individual is allowed the right to correct their personal information if it’s inaccurate or incomplete.
- The right to be forgotten – the individual has the right to request the deletion or removal of their personal data where there is no longer a compelling reason to continue to keep it.
- The right to restrict processing – the individual is allowed to suppress processing of their information.
- The right to data portability – the individual is allowed to obtain and reuse their personal data for their own purposes across different services.
- The right to object – the individual has a right to object to how their information is being processed.
- Rights in relation to automated decision-making and profiling – the individual has rights to object to automated decisions made without human intervention that could be potentially damaging.
Accountability and Governance
The accountability principle in article 5(2) requires that companies demonstrate that they comply with the principles of the GDPR and explicitly states that this is their responsibility. This means that you need to implement appropriate technical and operational measures that ensure and demonstrate compliance across your organization. This can include HR policies, staff training, internal audits, etc.
In future posts, we will go into more detail on various aspects of GDPR and explore how InterAction® customer relationship management software can help you in your compliance efforts, ensuring that data protection is done by design, not as an afterthought.
Be sure to contact your InterAction Account Manager for an exclusive invitation to our webinar series covering how InterAction tools can be used to execute GDPR compliance plans.