EU General Data Protection Regulation (GDPR)

Decoding the EU GDPR

Data protection is becoming vital in day-to-day business. Although the GDPR initiative is not the first privacy initiative in the marketplace, to date it has been the most significant driving force in the understanding and managing of individuals’ data and their data rights.

To move the needle and get attention, the EU allows its member states to apply fines, which include a maximum penalty of up to 4% of annual global turnover for breaching GDPR or €20 Million. The directive also expresses the desire for ease and a “one-stop-shop” to administer.

What is Zonos doing?

The EU GDPR is a comprehensive privacy regulation implemented on May 25, 2018. Zonos™ has put updates in place within our software solutions that not only manages the GDPR initiatives but will also go beyond the EU borders to ensure a privacy focus for everyone in the Zonos family.

Zonos delivers industry-leading privacy technology to ensure shoppers and merchants have control of their data and processes - meeting the framework of the EU GDPR.

Zonos goals for your business continue to be:

Key items of the directive

When did it go into effect?

May 25, 2018

Who does this affect?

The GDPR applies to organizations, controllers, and processors, located within or outside the EU, that offer goods or services to EU data subjects. GDPR also applies to organizations that monitor the behavior of EU data subjects, such as marketing organizations or those that supply or use such data.

What is the difference between a controller and a processor?

A controller determines the purposes, conditions, and means of the processing of personal data, while the processor processes the personal data on behalf of the controller.

Penalties

Fines can amount to 4% of annual global turnover for breaching GDPR or €20 Million. This is the maximum fine that can be imposed for the most severe infringements, e.g., not having sufficient customer consent to process data or violating the core of Privacy by Design concepts.

Personal data definition

Personal data is any information that can be used to directly or indirectly identify the person, such as a name, a photo, an email address, bank details, posts on social networking websites, medical information, or a computer IP address.

Consent must be given in an intelligible and easily accessible form, with the purpose for data processing attached to that consent. It must be unambiguous, readily identifiable, and use clear and easily understandable language. It also must be as easy to withdraw consent as it is to give it. When processing sensitive personal data, nothing short of “opt-in” will suffice.

If the data subject is under 16, parental consent will be required to process the child’s personal data. Member states can lower the parental consent age, but not any lower than 13.

Data Protection Officers (DPOs)

DPOs must be appointed in the case of (a) public authorities, (b) organizations that engage in large-scale or big data systematic monitoring, or (c) organizations that participate in the mass processing of sensitive personal data (Art. 37). If your organization does not fall into one of these categories, then you do not need to appoint a DPO.

Rights of Data Subjects

Breach notification

Under the GDPR, breach notification will become mandatory in all member states where a data breach is likely to “result in a risk for the rights and freedoms of individuals.” Notification must happen within 72 hours of becoming aware of the breach. Data processors will also be required to notify the controllers “without undue delay” after first becoming aware of a data breach.

Right to access

Data subjects have the right to obtain confirmation from the data controller as to whether or not personal data concerning them is being processed, where, and for what purpose. The data controller shall provide a copy of the personal data, free of charge, in an electronic format.

Right to be forgotten

Known as Data Erasure, the right to be forgotten entitles the data subject to have the data controller erase their personal data, cease further dissemination of the data, and potentially have third parties halt processing of the data. The conditions for erasure include the data no longer being relevant to the original purposes for processing, or the data subject withdrawing consent. It should also be noted that this right requires controllers to weigh the subject’s rights against “the public interest in the availability of the data” when considering such requests.

Data portability

The data subject may receive the personal data concerning them, which they have previously provided in a “commonly used and machine-readable format,” and have the right to transmit that data to another controller.

Privacy by design

Data privacy must be at the core of the technology systems that the controllers and processors use to manage the data subjects’ information, not just an add-on.

Data subject information

The information that must be made available to a data subject when data is collected has been acutely defined and includes:

Importantly, where the data has not been obtained directly from the data subject (for example, from a third-party list), the required information differs and includes the source from which the personal data originates:

Legitimate interest

Article 6 of the GDPR states that a data collector may only process data lawfully if, among other things, it has a legitimate interest or consent. Determining whether you have a legitimate interest requires “careful assessment” of the expectations and context of the data you are collecting.

It is tempting to use a broad interpretation of legitimate interest to overcome the need for consent. We discourage using an open-ended view of legitimate interest as a way to justify collecting data. GDPR provides some examples such as processing personal data to prevent fraud, internal administrative purposes relating to employees and clients, network security, and the reporting of possible criminal activity or threats to public security.

There is still a gray area around legitimate interest, and the definition will become more evident over time. The short-term recommendation is to get in the habit of asking, “can the same objective be achieved without processing personal data?” If the answer is yes, then the best practice is to move away from legitimate interest as the basis for processing data; you should obtain consent.

Zonos recommends:

  • Put a proactive plan in place for your GDPR compliance.
    • Review privacy notices and policies, and make sure they meet GDPR compliance levels.
    • Prepare a plan in case of a security breach.
  • Audit your consents.
    • Make marketing consents opt-in.
    • Review the legitimate interest portion of the directive with your legal counsel to ensure it covers your organization for the use of the purchaser’s data to process and manage that order.
    • Make your consent language easy to find and read about the use of personal data.
    • Create an action plan for data subject requests to your organization for the use of their data.
  • Become accountable for your compliance.
    • Train your employees.
    • Have clear processes in place, written and audited.
    • Appoint a DPO where required.
    • Make sure your controller/processing partners are compliant.

Resources