EU General Data Protection Regulation (GDPR)
Decoding the EU GDPR
Data protection is becoming vital in day-to-day business. Although the GDPR initiative is not the first privacy initiative in the marketplace, to date it has been the most significant driving force in the understanding and management of individuals’ data and their data rights.
To move the needle and get attention, the EU allows its member states to apply fines, with a maximum penalty of up to 4% of annual global turnover or €20 million for breaching GDPR. The directive also expresses the desire for ease and a “one-stop-shop” to administer.
What is Zonos doing?
The EU GDPR is a comprehensive privacy regulation implemented on May 25, 2018. We have put updates in place within our Zonos software solutions that not only manage the GDPR initiatives but also go beyond the EU borders to ensure a privacy focus for everyone using Zonos.
Zonos delivers industry-leading privacy technology to ensure shoppers and merchants have control of their data and processes, meeting the framework of the EU GDPR.
Zonos goals for your business continue to be:
- Help you decode cross border
- Give you control over the global supply chain
- Present a secure and fantastic experience for your international buyers
Key items of the directive
When did it go into effect?
May 25, 2018
Who does this affect?
The GDPR applies to organizations, controllers, and processors located within and outside the EU that offer goods or services to EU data subjects. GDPR also applies to organizations that monitor the behavior of EU data subjects, such as marketing organizations or those that supply or use data for that purpose.
What is the difference between a controller and a processor?
A controller determines the purposes, conditions, and means for the processing of personal data, while the processor processes the personal data on behalf of the controller.
Fines can amount to 4% of annual global turnover or €20 million for breaching GDPR. This is the maximum fine that can be imposed for the most severe infringements, e.g. not having sufficient customer consent to process data or violating the core of “Privacy by Design” concepts.
Personal data definition
Personal data is any information that can be used to directly or indirectly identify the person, such as a name, a photo, an email address, bank details, posts on social networking websites, medical information, or a computer IP address.
Consent must be given in an intelligible and easily accessible form with the data processing purpose attached to that consent. It must be unambiguous, readily identifiable, and use clear and easily understandable language. It also must be as easy to withdraw consent as it is to give it. When processing sensitive personal data, nothing short of “opt-in” will suffice.
If the data subject is under 16, parental consent will be required to process the child’s personal data. Member states can lower the parental consent age, but not any lower than 13.
Data Protection Officers (DPOs)
DPOs must be appointed in the case of (a) public authorities, (b) organizations that engage in large-scale or big data systematic monitoring, or (c) organizations that participate in the mass processing of sensitive personal data (Art. 37). If your organization does not fall into one of these categories, then you do not need to appoint a DPO.
Rights of data subjects
Under the GDPR, breach notification will become mandatory in all member states where a data breach is likely to “result in a risk for the rights and freedoms of individuals.” Notification must happen within 72 hours of becoming aware of the breach. Data processors will also be required to notify the controllers “without undue delay” after first becoming aware of a data breach.
Right to access
Data subjects have the right to obtain confirmation from the data controller as to whether or not personal data concerning them is being processed, where, and for what purpose. The data controller shall provide a copy of the personal data, free of charge, in an electronic format.
Right to be forgotten
Known as data erasure, the right to be forgotten entitles the data subject to have the data controller erase their personal data, cease further dissemination of the data, and potentially have third parties halt processing of the data. The conditions for erasure include the data no longer being relevant to the original purposes for processing, or the data subject withdrawing consent. It should also be noted that this right requires controllers to weigh the subject’s rights against “the public interest in the availability of the data” when considering such requests.
The data subject may receive the personal data concerning them, which they have previously provided in a “commonly used and machine-readable format” and have the right to transmit that data to another controller.
Privacy by design
Data privacy must be at the core of technology systems that the controllers and processors use to manage the data subjects’ information, not just an add-on.
Data subject information
The information that must be made available to a data subject when data is collected has been precisely defined and includes:
- the identity and the contact details of the controller and DPO
- the purposes of the processing, for which the personal data are intended
- the legal basis of the processing
- where applicable, the legitimate interests pursued by the controller or by a third party
- where applicable, the recipients or categories of recipients of the personal data
- the period for which the personal data will be stored, or if this is not possible, the criteria used to determine this period
- the existence of the right to access, rectify, or erase the personal data
- the right to data portability
- the right to withdraw consent at any time
- the right to lodge a complaint to a supervisory authority
Importantly, where the data has not been obtained directly from the data subject (perhaps using a third-party list), the required information differs and additionally includes:
- the source from which the personal data originates
- the existence of any profiling and meaningful information about the logic involved, as well as the significance and envisaged consequences of such processing for the data subject
This makes GDPR a significant problem for marketers getting data from third-party lists.
Article 6 of the GDPR states that a data collector may only process data lawfully if, among other things, it has legitimate interest or consent. Determining whether you have a legitimate interest requires “careful assessment” of the expectations and context of the data you are collecting.
It is tempting to use a broad interpretation of legitimate interest to overcome the need for consent. We discourage using an open-ended view of legitimate interest as a way to justify collecting data. GDPR provides some examples such as processing personal data to prevent fraud, internal administrative purposes relating to employees and clients, network security, and the reporting of possible criminal activity or threats to public security.
There is still a gray area around legitimate interest, and the definition will become clearer over time. The short-term recommendation is to get in the habit of asking, “can the same objective be achieved without processing personal data?” If the answer is yes, then the best practice is to move away from legitimate interest as the basis for processing data; you should obtain consent.
- Put a proactive plan in place for your GDPR compliance.
- Review privacy notices and policies, and make sure they meet GDPR compliance levels.
- Prepare a plan in case of a security breach.
- Audit your consents.
- Make marketing consents opt-in.
- Review the legitimate interest portion of the directive with your legal counsel to confirm it covers your organization’s use of a purchaser’s data to process and manage their order.
- Make your consent language about the use of personal data easy to find and read.
- Create an action plan for handling data subject requests about your organization’s use of their data.
- Become accountable for your compliance.
- Train your employees.
- Have clear processes in place, written and audited.
- Appoint a DPO where required.
- Make sure your controller/processor partners are compliant.