Data protection is becoming vital in day-to-day business. Although the GDPR initiative is not the first privacy initiative in the marketplace, to date - it has been the most significant driving force in the understanding and managing of individuals’ data and their data rights.
To move the needle and get attention, the EU allows its member states to apply fines, which include a maximum penalty of up to 4% of annual global turnover for breaching GDPR or €20 million. The directive also expresses the desire for ease and a “one-stop-shop” to administer.
The EU GDPR is a comprehensive privacy regulation that was implemented on May 25, 2018. We have placed updates within our technology that not only manages the GDPR initiatives but will also go beyond the EU borders to ensure a privacy focus for everyone using Zonos.
Zonos delivers industry-leading privacy technology to ensure shoppers and merchants have control of their data and processes - meeting the framework of the EU GDPR.
Zonos goals for your business continue to be:
Fines can amount to 4% of annual global turnover for breaching GDPR or €20 million. This is the maximum fine that can be imposed for the most severe infringements, e.g. not having sufficient customer consent to process data or violating the core of “Privacy by Design” concepts.
Personal data is any information that can be used to directly or indirectly identify the person, such as a name, a photo, an email address, bank details, posts on social networking websites, medical information, or a computer IP address.
Consent must be given in an intelligible and easily accessible form with the data processing purpose attached to that consent. It must be unambiguous, readily identifiable, and use clear and easily understandable language. It also must be as easy to withdraw consent as it is to give it. When processing sensitive personal data, nothing short of “opt-in” will suffice.
If the data subject is under 16, parental consent will be required to process the child’s personal data. Member states can lower the parental consent age, but not any lower than the age of 13.
DPOs must be appointed in the case of (a) public authorities, (b) organizations that engage in large-scale or big data systematic monitoring, or (c) organizations that participate in the mass processing of sensitive personal data (Art. 37). If your organization does not fall into one of these categories, then you do not need to appoint a DPO.
Under the GDPR, breach notification will become mandatory in all member states where a data breach is likely to “result in a risk for the rights and freedoms of individuals.” Notification must happen within 72 hours of becoming aware of the breach. Data processors will also be required to notify the controllers “without undue delay” after first becoming aware of a data breach.
The data subjects have rights to obtain confirmation from the data controller as to whether or not personal data concerning them was processed, where, and for what purpose. The data controller shall provide a copy of the personal data, free of charge, in an electronic format.
Known as data erasure, the right to be forgotten entitles the data subject to have the data controller erase their personal data, cease further dissemination of the data, and potentially have third parties halt processing of the data. The data must no longer be relevant to the original purposes for processing or a data subject withdraws consent. It should also be noted that this right requires controllers to compare the subject’s rights to “the public interest in the availability of the data” when considering such requests.
The data subject may receive the personal data concerning them, which they have previously provided in a “commonly used and machine-readable format” and have the right to transmit that data to another controller.
Data privacy must be at the core of technology systems that the controllers and processors use to manage the data subjects’ information, not just an add-on.
The information that must be made available to a data subject when data is collected has been acutely defined and includes:
Importantly, where the data has not been obtained directly from the data subject (perhaps using a third-party list), the list varies and includes from which source the personal data originates:
Article 6 of the GDPR regulation states that a data collector may only process data lawfully if, among other things, it has legitimate interest or consent. Determining if you have a legitimate interest requires “careful assessment” of the expectations and context of the data you are collecting.
It is tempting to use a broad interpretation of legitimate interest to overcome the need for consent. We discourage using an open-ended view of legitimate interest as a way to justify collecting data. GDPR provides some examples such as processing personal data to prevent fraud, internal administrative purposes relating to employees and clients, network security, and the reporting of possible criminal activity or threats to public security.
There is still a gray area around legitimate interest, and the definition will become more evident over time. The short-term recommendation is to get in the habit of asking, “can the same objective be achieved without processing personal data?” If the answer is yes, then the best practice is to move away from legitimate interest as the basis for processing data; you should obtain consent.
Who does this affect?
The GDPR applies to organizations, controllers, and processors located within and outside the EU, who offer goods or services to EU data subjects. GDPR also applies to organizations, such as marketing organizations or those who supply or use data that monitor the behavior of EU subjects.
What is the difference between a controller and a processor?
A controller determines the purposes, conditions, and means for the processing of personal data, while the processor processes the personal data on behalf of the controller.