The GDPR, also known as the European Union Data Protection Regulation, is scheduled to be approved by the European Parliament in April, after which it will become law. As it is a “regulation” rather than a “directive”, it will be directly applicable to all EU member states without the need for local legislation. European countries will have 2 years to implement the GDPR, after which the regulation will be enforced.

There are three core aims of the GDPR:

1. to give individuals more control over their personal data
2. to standardise the rules for reporting data loss and attacks for European countries
3. to make transparency and accountability priorities for companies that deal with data.

Key points of the regulation include:

One way in which the GDPR hopes to give people more control over their data is by clearly defining what constitutes personal data. In the regulation, personal data is defined as any information that relates to a person who can be identified by an identifier, such as a name or address, or to factors specific to the person’s economic, physical, mental, genetic, physiological, cultural or social identity. Today, a person’s IP addresses and/or the use of cookies to identify individuals isn’t considered to be personal data, however under the new regulation they will be classed as online identifiers.

You may need a Data Protection Officer (DPO)

If your organisation regularly and systematically monitors people or processes special categories of personal data (religious beliefs, race etc.), you will be required to designate a DPO who has “expert knowledge of data protection laws and practices”. DPOs will need to be given access to the company’s data processing operations as well as a line of communication to the highest levels of management for reporting.

This coincides with the new regulation’s guidelines on reporting data breaches. Upon the unauthorised disclosure or destruction of data, data controllers must notify the relevant authorities within 72 hours of the breach being discovered, or provide a justifiable reason if reporting later. The regulation allows for organisations to hire DPOs from third-parties, meaning that we are likely to see a proliferation of consultants.

Consent is defined

Many marketers have been concerned about what type of consent would be required to use a person’s data under the new regulation, and they will be glad to hear that in most cases, you don’t need explicit consent. The regulation defines the consent needed to use personal data as:

any freely-given, specific, informed and unambiguous indication of his or her wishes by which the data subject, either by a statement or by a clear affirmative action, signifies agreement to personal data relating to them being processed.

Companies will be required to demonstrate how and when an individual’s consent was obtained, and a person must be able to withdraw their consent as easily as giving it.

The right to be forgotten

If an individual wants to have their details removed from your database and their data is no longer needed for the reasons it was collected, you will be required to erase it. The regulation also clarifies the obligation data controllers have to ensure that those responsible for erasing personal data are notified of requests to be forgotten.

There are new rights regarding profiling

The concept of profiling was featured in the Data Protection Directive, but the term was not explicitly used. In an effort to help individuals take control of their data, the GDPR defines profiling as “data processing that involves automated processing of personal data which is used to evaluate personal aspects of an individual, such as their health or economic situation”.

Once the GDPR is enforced, individuals will have the right to not to be subject to decisions that are solely based on automated processing, such as profiling, that produce legal effects concerning them. The GDPR uses the “automatic refusal of an online credit application or e-recruiting practices without any human intervention” as an example of this. In addition, individuals will have the right to object to profiling at any time unless the data controller can demonstrate “compelling legitimate grounds for the processing which override the interests, rights and freedoms of the data subject.”

There will be tougher sanctions

Companies who do not comply with the new regulation will suffer severe penalties - regulators will be able to impose fines of up to €20m or 4% of the company’s global revenue (whichever is larger). To put this in perspective, the current maximum fine for UK companies is only £500,000, illustrating how much emphasis the EU are placing on privacy and data security in the modern world.

In addition to these key points, the GDPR also provides some security measures which it deems will provide “sufficient guarantees” of safety to the individuals in your database, including the pseudonymisation and encryption of personal data and the introduction of processes for regularly testing and assessing the integrity of your data security. The regulation also illustrates what information must be given to people at the point their data is collected. This includes:

• The purposes that the individual’s data is intended for.
• Whether or not the personal data will be transferred internationally.
• The contact details and identity of the DPO and data controller.
• The individual’s rights to withdraw consent at any time and to register complaints with the relevant authorities.

What does this mean for you?

Now that the GDPR has been published, if you haven’t started already, it is imperative that you audit your existing operation and, where necessary, begin building processes that are compliant with the regulation, or face serious repercussions. The good news is that once your data policy is up to scratch, with the standardisation of rules across Europe, the GDPR should make business within the EU simpler, and consumers will be less wary about sharing their personal data.