The General Data Protection Regulation was adopted by the EU in 2016, but companies that control or process the personal data of European Union residents have until tomorrow (25th May, 2018) to ensure full implementation.
For organizations worldwide that collect, store and use customer data, the GDPR has presented a number of challenges which they must overcome, not least because non-compliance can now result in severe penalties of up to $26m or 4% of worldwide revenue, whichever is higher.
Over the next few months we will look in more detail at key areas of the regulation, including the lawful bases for processing data, the new rights that GDPR provides to individuals and the importance of data protection and security. We’ll also review a number of our solutions which contain features that our customers can utilize to meet some of the strict requirements of the GDPR.
So what’s new?
The European Union’s data protection laws have long been regarded as the gold standard all over the world¹, and it has been said by some that the General Data Protection Regulation simply standardizes these laws across all member states. While it’s true that much of what is contained within the GDPR is not new, the regulation, when taken as a whole, does mark a distinct move from the implicit nature of previous legislation and widely adopted ‘best practices’ towards a detailed set of explicit legal requirements for companies to adhere to. In addition, the new regulation places much more emphasis on accountability and transparency when it comes to the organizations that are processing personal data.
Under the GDPR a broader definition of ‘personal data’ is also introduced. A person is now considered identifiable in relation to a much wider range of ‘identifiers’ than before, including location data, online identifiers and data that has been ‘pseudonymised’. This reflects changes over recent years in the channels that customers use to engage with the companies they do business with.
Article 5 of the GDPR requires that any and all personal data must be processed lawfully, fairly, and in a transparent manner, and companies that collect and use data must rely on one of six lawful bases for processing it. For ‘special category’ data, including any particularly sensitive personal information and the personal data of children, companies will also need to satisfy one of ten specific conditions in addition to applying a lawful basis.
In our next blog post, we will look in more detail at the six lawful bases for processing personal data and explore how managing customer preferences for multichannel delivery can also help companies to implement a transparent system for capturing and reviewing consent.
This is part of a series of blog posts on GDPR. Read them all!
1 European Data Protection Supervisor