EU General Data Protection Regulation (GDPR)

July 2018

GDPR - what it means and what to do

Data protection is becoming a vital component in doing day to day business. The GDPR initiative was not the first privacy initiative in the marketplace, but to date, it has been the most significant driving force in the understanding and managing of individuals data and their data rights.

To move the needle and get attention the EU states now allows the member states to apply fines. These fines include a maximum penalty of up to 4% of annual global turnover for breaching GDPR or €20 Million. The directive also expressed the desire for ease and a ‘one-stop-shop” to administer, much of how this will happen is to date still “up in the air” as to how to administer of this program.

EU GDPR - a Zonos™ heads de-code

The EU GDPR is a comprehensive privacy regulation with the effective date of May 25, 2018. Zonos is aware of this directive and has put in place updates within our software solutions that not only manages the GDPR initiatives but will also go beyond the EU borders to ensure a privacy focus for everyone in the Zonos family.

Zonos delivers releasing industry-leading privacy technology ensuring that the shoppers and merchants have control of their data and processes, meeting the framework of the EU GDPR.

Zonos goals for your business continue to be:

Key items of the directive

When did it go into effect?

May 25, 2018

Who does this effect?

The GDPR applies to organizations, controllers, and processors, located within the EU and outside of the EU who offer goods or services to EU data subjects. GDPR also applies to organizations, such as marketing organizations or those who supply or use data that monitor the behavior of EU subjects.

What is the difference between a controller and a processor?

A controller determines the purposes, conditions, and means of the processing of personal data, while the processor processes personal data on behalf of the controller.


Fines can amount to 4% of annual global turnover for breaching GDPR or €20 Million. This is the maximum fine that can be imposed for the most severe infringements, e.g., not having sufficient customer consent to process data or violating the core of Privacy by Design concepts.

Personal data definition

Personal data is any information that can be used to directly or indirectly identify the person, such as a name, a photo, an email address, bank details, posts on social networking websites, medical information, or a computer IP address.

Consent must be given in an intelligible and easily accessible form, with the purpose for data processing attached to that consent. It must be unambiguous, readily identifiable and use clear and easily understandable language. It also must be as easy to withdraw consent as it is to give it.​ When processing sensitive personal data, nothing short of “opt-in” will suffice.

If the data subject is under 16, parental consent will be required to process the child’s personal data. Member states can lower the parental consent age, but not any lower than 13.

Data Protection Officer (DPOs)

DPOs must be appointed in the case of (a) public authorities, (b) organizations that engage in large-scale or big data systematic monitoring, or (c) organizations that participate in the mass processing of sensitive personal data (Art. 37). If your organization doesn’t fall into one of these categories, then you do not need to appoint a DPO.

The Data subjects rights

Breach notification

Under the GDPR, breach notification will become mandatory in all member states where a data breach is likely to “result in a risk for the rights and freedoms of individuals.” Notification must happen within 72 hours of first having become aware of the breach. Data processors will also be required to notify their customers, the controllers, “without undue delay” after first becoming aware of a data breach.

Right to access

The data subjects have rights to obtain from the data controller confirmation as to whether or not personal data concerning them was processed, where and for what purpose. The data controller shall provide a copy of the personal data, free of charge, in an electronic format.

Right to be forgotten

Known as Data Erasure, the right to be forgotten entitles the data subject to have the data controller erase their personal data, cease further dissemination of the data, and potentially have third parties halt processing of the data. The data must no longer be relevant to the original purposes for processing, or a data subjects withdrawing consent. It should also be recognized that this right requires controllers to compare the subjects’ rights to “the public interest in the availability of the data” when considering such requests.

Data portability

The data subject may receive the personal data concerning them, which they have previously provided in a ‘commonly used and machine-readable format’ and have the right to transmit that data to another controller.

Privacy by design

Data privacy must be at the core of the technology systems the controllers and processors use to manage the data subjects information, not just an add-on.

Data subject information

The information that must be made available to a Data Subject when data is collected has been sharply defined and includes;

  • the identity and the contact details of the controller and DPO
    • the purposes of the processing for which the personal data are intended
    • the legal basis of the processing
    • where applicable, the legitimate interests pursued by the controller or by a third party
    • where applicable, the recipients or categories of recipients of the personal data
    • the period for which the personal data will be stored, or if this is not possible, the criteria used to determine this period
    • the existence of the right to access, rectify or erase the personal data
    • the right to data portability
    • the right to withdraw consent at any time
    • the right to lodge a complaint to a supervisory authority

Importantly, where the data has not been obtained directly from the data subject – perhaps using a 3rd party list – the list varies and includes:

  • From which source the personal data originate
    • The existence of any profiling and meaningful information about the logic involved, as well as the significance and the envisaged consequences of such processing for the data subject
    • GDPR represents a significant problem for marketers getting data from 3rd party lists

Legitimate interest

Article 6 of the GDPR regulation states that a data collector may only process data lawfully if, among other things, it has legitimate interest or consent. Determining if you have a legitimate interest requires “careful assessment” of the expectations and context of the data you are collecting.

It is tempting to use a broad interpretation of legitimate interest to overcome the need for consent. We discourage using an open-ended view of legitimate interest as a way to justify collecting data. GDPR provides some examples such as processing personal data to prevent fraud, internal administrative purposes relating to employees and clients, network security, and the reporting of possible criminal activity or threats to public security.

There is still a gray area around legitimate interest, and the definition will become more evident over time. The short-term recommendation is to get in the habit of asking, “can the same objective be achieved without processing personal data?” If the answer is yes, then the best practice is to move away from legitimate interest as the basis for processing data; you should obtain consent.

Zonos recommends

  • Put in place a proactive plan for your GDPR compliance
    • Review privacy notices and policies and make sure they meet GDPR compliance levels
    • Prepare a plan in case of a security breach
  • Audit your consents
    • Make marketing consents opt-in
    • Use of data for processing and managing the order. Review the legitimate interest portion of the directive with your legal counsel to assure it covers your organization for the use of the purchaser’s data to process and manage that order.
    • Make your consent language clearly found and easily read about the use of the personal data
    • Create an action plan for data subject requests to your organization for the use of their data
  • Become accountable for your compliance
    • Train your employees
    • Have clear processes in place, written and audited
      • Appoint a DPO where required
    • Make sure your controller/processing partners are compliant