The General Data Protection Regulation (GDPR) came into force across the European Union on May 25th 2018. It applies to all businesses and public sector bodies that access, use or store (process) the personal information (personal data) of an EU citizen (data subject). It is designed to cope with the huge advances in technology and the significant increase in the use and methods of storing and processing personal data. Since GDPR’s introduction, any company collecting the data of EU citizens has had to comply with an array of new obligations, or face severe financial penalties. Exactly which obligations apply to which organisations, however, has been a topic of heated debate for the past few years, as companies desperately sought to implement the appropriate systems in time for the deadline. Achieving minimum satisfactory levels of compliance has been the goal for some firms, while others have worked hard to build comprehensive GDPR-compliant data protection systems from the ground up.
The GDPR requires that personal data be processed lawfully, fairly and in a transparent manner in relation to the data subject. It must also be collected for specified, explicit and legitimate purposes and not further processed in a manner that is incompatible with those purposes. The ongoing application of this mantra is one of the most significant problems facing many businesses now that GDPR is ‘live’. Troubleshooting any potential breaches before they occur is of utmost importance, since failure to do so could cost them up to 20 million euros, or 4 per cent of global annual turnover, in fines.
Marketing is a good example of this issue. Stronger legislation under GDPR means that consent will be required, unless a company has a legitimate interest in processing data, such as personalising information for an existing client.
If consent is required, then there are various types, including opt-in (explicitly asking someone if you can market to them), soft opt-out (implying that they must contact you to stop any marketing) or double opt-in, meaning you must go through multiple layers of permissions before marketing. Which of these policies to use will depend on the sensitivity of the information being processed and the type of client (business or end consumer).
Once data has been collected, the GDPR gives extensive rights to citizens around access, restriction and rectification of that information. Importantly, individuals can also ask for that data to be erased – the right to be forgotten. Clearly then, it is imperative that businesses go about data processing in the right way if they want to keep a viable marketing database that is fully GDPR-compliant.
The legislation also calls for the creation of new roles within organisations to oversee GDPR compliance, including data processors and controllers. Data controllers are deemed to be responsible for the data collection and therefore must ensure that any other entity ‘processing’ the data is also compliant. This extra level of responsibility has led to contractual issues around which organisations are legally deemed controllers of specific sets of data.
The role of the Data Protection Officer has also grown in prominence since the introduction of GDPR. DPOs are obligatory for certain companies, and act independently, ensuring a company remains compliant with GDPR throughout the course of its operations.
In the following discussion we speak to nine GDPR experts from a range of jurisdictions across the European Union and further afield. We explore these new obligations in more detail and tap into their experiences of GDPR so far, gaining valuable insight into the challenges their clients have faced ensuring ongoing compliance, now that GDPR is ‘live’.