EU General Data Protection Regulation (GDPR)

EU General Data Protection Regulation (GDPR), what it means and what to do

Data protection in a data-driven world has generated great discussions and significant concerns about privacy and rights. The EU has enacted a directive outlining the principles of data privacy with a goal of protecting the consumer’s information The GDPR replaces EU Protection Directive 95/46/EC and will apply to all member states.

Of primary importance is the ability for the member states to apply fines, with the maximum penalty up to 4% of annual global turnover for breaching GDPR or €20 Million. While the effort of the Directive is to put in place a “One-Stop-Shop” for ease of use and consistency, it is unclear how it will be administered and what the power of Data Protection Authorities (DPA) will be.

EU GDPR - an Zonos™ heads up

The EU GDPR is a comprehensive privacy regulation with an upcoming effective date of May 25, 2018. Zonos is aware of this directive and has been putting in place updates within our software solutions that not only manages the GDPR initiatives but will also go beyond the EU borders to ensure that privacy is protected for everyone in the Zonos family.

In the 1st quarter of 2018, Zonos will be releasing industry-leading privacy technology ensuring that the shoppers and the merchants have control of their data and processes, meeting the needs and the timeframe of the EU GDPR.

Our goals for your business continue to be:

We will release further documentation as these tools become available. Please refer to the Zonos recommends at the bottom of this document for steps you can take now.

Key items of the directive


May 25, 2018

Who does this effect?

The GDPR applies to organizations, controllers and processors, located within the EU and outside of the EU who offer goods or services to EU data subjects. This also applies to organizations, such as marketing organizations or those who supply data that monitor the behavior of EU subjects.

What is the difference between a controller and a processor? A controller determines the purposes, conditions, and means of the processing of personal data, while the processor processes personal data on behalf of the controller.


Fines can amount to 4% of annual global turnover for breaching GDPR or €20 Million. This is the maximum fine that can be imposed for the most severe infringements, e.g., not having sufficient customer consent to process data or violating the core of Privacy by Design concepts.

Personal data definition

Personal data is any information that can be used to directly or indirectly identify the person, such as a name, a photo, an email address, bank details, posts on social networking websites, medical information, or a computer IP address.

Consent must be given in an intelligible and easily accessible form, with the purpose for data processing attached to that consent. It must be unambiguous, readily identifiable and use clear and plain language. It also must be as easy to withdraw consent as it is to give it.​ When processing sensitive personal data, nothing short of “opt-in” will suffice.

If the data subject is under 16, parental consent will be required to process the child’s personal data. Member states can lower the parental consent age, but not any lower than 13.

Data Protection Officer (DPOs)

DPOs must be appointed in the case of: (a) public authorities, (b) organizations that engage in large scale systematic monitoring, or (c) organizations that engage in large scale processing of sensitive personal data (Art. 37). If your organization doesn’t fall into one of these categories, then you do not need to appoint a DPO.

The Data Subjects rights

Breach notification

Under the GDPR, breach notification will become mandatory in all member states where a data breach is likely to “result in a risk for the rights and freedoms of individuals”. This must be done within 72 hours of first having become aware of the breach. Data processors will also be required to notify their customers, the controllers, “without undue delay” after first becoming aware of a data breach.

Right to access

The data subjects have rights to obtain from the data controller confirmation as to whether or not personal data concerning them is being processed, where and for what purpose. The data controller shall provide a copy of the personal data, free of charge, in an electronic format.

Right to be forgotten

Known as Data Erasure, the right to be forgotten entitles the data subject to have the data controller erase their personal data, cease further dissemination of the data, and potentially have third parties halt processing of the data. The data must no longer be relevant to the original purposes for processing, or a data subjects withdrawing consent. It should also be noted that this right requires controllers to compare the subjects’ rights to “the public interest in the availability of the data” when considering such requests.

Data portability

The data subject may receive the personal data concerning them, which they have previously provided in a ‘commonly used and machine-readable format’ and have the right to transmit that data to another controller.

Privacy by design

Data privacy must be at the core of the technology systems the controllers and processors use to manage the data subjects information, not just an add-on.

Data Subject information

The information that must be made available to a Data Subject when data is collected has been strongly defined and includes;

  • the identity and the contact details of the controller and DPO
    • the purposes of the processing for which the personal data are intended
    • the legal basis of the processing
    • where applicable the legitimate interests pursued by the controller or by a third party
    • where applicable, the recipients or categories of recipients of the personal data
    • the period for which the personal data will be stored, or if this is not possible, the criteria used to determine this period
    • the existence of the right to access, rectify or erase the personal data
    • the right to data portability
    • the right to withdraw consent at any time
    • the right to lodge a complaint to a supervisory authority

Importantly, where the data has not been obtained directly from the data subject – perhaps using a 3rd party list – the list varies and includes:

  • From which source the personal data originate
    • The existence of any profiling and meaningful information about the logic involved, as well as the significance and the envisaged consequences of such processing for the data subject
    • This may be a problem for marketers getting data from 3rd party lists

Zonos Recommends

  • Put in place a proactive plan for your GDPR compliance
    • Review privacy notices and policies and make sure they meet GDPR compliance levels
    • Prepare a plan in case of a security breach
  • Audit your consents
    • Make consents opt-in
    • Make your consent language clearly found and easily read about the use of the personal data
    • Create an action plan for data subject requests to your organization for the use of their data
  • Become accountable for your compliance
    • Train your employees
    • Have clear processes in place, written and audited
      • Appoint a DPO where required
    • Make sure your controller/processing partners are compliant

References worth noting

Prepare for the EU GDPR by Rafi Azim-Kah

A Marketer’s Guide to GDPR by Allison Schiff