Oh no! For real? The GDPR – and what I definitely need to know about it!
25 May 2018. Go ahead and put a big fat circle around that date on your calendar. In red. Or put a reminder deep into the heart of your digital device. Because that date will mark the beginning of the new era – for how to handle your customers’ data. Don’t just dismiss this issue! Doing so could get pretty expensive. Here’s what you need to know right now.
EU GDPR – European General Data Protection Regulation? What in the world is that all about again? Please don’t let it be anything negative, I’ve got enough going on! That’s the kind of sigh many of you might let out in response to this news. But it won’t do you any good. Ignorance of the law is no excuse, much less if the ignorance is deliberate. Instead, react quickly now if you don’t want to be caught flat-footed in May.
Because the majority of companies in Europe don’t yet have any or only the faintest idea of the mandatory data protection measures that will have to be implemented soon in all 28 EU countries – transparently and verifiably.
What we can’t accomplish here: give you a detailed guide. The issue is too complex for that. But we will give you some links to further information at the end of the article.
Raising awareness of the data-readiness steps you’ll have to take
What we do want to accomplish: we want to make you aware of the data-readiness steps you’ll have to take, answer basic questions and give you an idea of whether you can handle the issue together with your team and your data protection officer, or whether you’ll have to rely on external specialists.
Please note: you need to be ready on 25 May 2018, not just start looking into the GDPR then! If it wasn’t one before, the right to data protection is definitely a top priority now! Not least, data protection also represents a key component of corporate governance and compliance, making it a significant building block of corporate sustainability.
But be aware! The workload of and demand for data protection experts will increase. The result: experts are already in short supply in the labour market. In any case, you should not try to bring your data management procedures up to GDPR-compatible levels without expert advice and control.
The GDPR “timetable”
Before diving into some key questions surrounding the GDPR, take a look at your GDPR “timetable” with 10 stations:
- Awareness of GDPR must be raised among all employees.
- Your own data protection statement must be brought in line with the GDPR.
- The status of your database(s) and documentation of processed data must be adjusted to become compatible with the GDPR.
- The consent collected via double opt-in from each person stored in the database must be transparently documented and made available upon request at any time.
- The so-called 5 Rights of all stored individuals must be ensured.
- The use of data protection technology and appropriate settings must be guaranteed.
- In addition, it must be ensured that data protection infringements are quickly detected and, if necessary, communicated.
- An internal data protection officer must be appointed or an external one retained.
- All contracts with service providers such as agencies and, in particular, cloud services providers must be checked with regard to GDPR compatibility.
- Another component of the GDPR is preparation for the ePrivacy Directive. Which will come. The only thing we don’t know yet is when.
What is the GDPR?
The General Data Protection Regulation (GDPR), which has already been in force since 24 May 2016, will become binding law for all EU member states on 25 May 2018. That means a uniform data protection standard will apply in all EU countries, providing a corresponding measure of legal certainty.
Until that day, differing national data protection laws will remain in effect in the various EU countries. In Germany, that would be the so-called BDSG (Bundesdatenschutzgesetz – Federal Data Protection Act). Companies that thus far have systematically used the BDSG as a guide won’t be steamrolled by the GDPR. However, some of the principles of the BDSG will be overridden and the BDSG revised accordingly.
Basically, the protection of personal data will be strengthened, with violations more rigorously enforced. This forces all companies to conduct a thorough examination of their existing data protection measures; in the most extreme cases, companies will need to overhaul their entire set of existing data protection practices.
What are the goals of the GDPR?
The GDPR is aimed at returning to EU citizens the right to informational self-determination and thus sovereignty over their own data. The goal is to protect their basic rights and fundamental freedoms, which include the right to the protection of personal data whenever their personal information is collected, stored or processed.
What 5 Rights must be granted to each person?
Specifically, there are 5 Rights that must be ensured for each citizen at all times: the right to information, the right to access, the right to correction, the right to erasure and the right to data portability.
Which companies are affected by the GDPR?
Every company in the EU, without exception. Additionally, the GDPR’s applicability extends to all companies outside the EU if they process data from EU citizens (Amazon, Apple, Facebook, Google, Microsoft etc.).
Is there a distinction between B2C and B2B?
Which business units are affected?
In the digital age, data is generated in every area. As a result, potential “data traps” are lurking everywhere; they must be carefully identified and aligned with the GDPR and/or avoided.
Starting with a company’s own human resources department, the path then leads to sales and marketing and on to online shops, company websites and corporate representations in the social networks etc. Data accumulates wherever customer communication and interaction occur.
Contests and lead generation, for example through downloads of free information in return for a personal e-mail address, will be put to the test as well.
Very important: all data management measures must be in line with a uniform, GDPR-compliant standard.
It’s not sufficient, by the way, to implement GDPR data protection principles as part of the company’s own data protection measures. All contracts with service providers, including agencies and, in particular, cloud computing providers, must also undergo stringent reviews.
Does this apply to my existing customers, too?
What about my existing database for newsletters and promotional e-mails?
Newsletters and promotional e-mails are important informational tools, especially in the promotional products industry. Again, however, no provision has been made for grandfathering in established customer databases.
Their content, meaning the personal information stored and the processing thereof, must comply with the GDPR. Companies that have already structured their databases in accordance with the BDSG will be on the safe side.
That means proof of the legitimate use of the data (a customer consent record that legitimises sending e-mails to that customer) must be documented and available at all times.
If no documented consent is available, a new and clear consent declaration must be obtained using double opt-in (read “What is double opt-in?” below to find out more about double opt-in). Otherwise, the record must be deleted.
Very important: in general, the principle of data minimisation applies. Only absolutely necessary information should be stored for each person – not more!
Also new: accountability
The GDPR also demands accountability, requiring data protection officers to demonstrate to the supervisory authority the implementation of and compliance with all data protection principles.
What sanctions can be imposed for data protection infringements?
Fines have been raised dramatically when compared to the fines previously imposed on the national level. Up to €20 million, in the worst case. Large companies and corporations risk up to four per cent of the annual worldwide turnover of the preceding year.
What is the ePrivacy Directive?
The ePrivacy Directive ties into the GDPR by regulating specified areas. This affects the so-called over-the-top communication services (OTT services): content, services and applications made available by providers to users via the Internet. Data is generated from this usage.
This includes websites, online shops, messenger services, VoIP telephony, plus communication among machines (M2M communication) and among objects (Internet of Things, IoT).
The data cops in Brussels have their sights set in particular on cookies and tracking technologies, which are used to feed highly targeted ads to users on the Internet.
The GDPR partly overrides the German Telemedia Act (TMG), an important law for German website operators. Further critical changes can be expected in the context of the ePrivacy Directive.
Understandably, trade associations are up in arms about the planned regulations. Their argument: sales declines of 30 per cent or more are possible if the Commission’s plans are implemented.
The ePrivacy Directive originally was scheduled to enter into force together with the GDPR, on 25 May 2018. But this deadline can no longer be met. According to current estimates, the ongoing discussions in the European Council might run into mid-May of 2018.
What is double opt-in?
The so-called double opt-in process is a two-step, explicit confirmation by a subscriber signing up for a newsletter or any other service that requires an e-mail address.
Under the GDPR, using the double opt-in process provides legal certainty when building and maintaining a customer database.
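As an added illustration that is not part of the original article, here is a minimal double opt-in consent log in Python. It assumes that the second step is a confirmation link carrying a random single-use token with a 48-hour validity window, that only the address, purpose and timestamps are stored (data minimisation), and that a record can be exported or erased on request; the class and method names are hypothetical.

```python
import secrets
from datetime import datetime, timedelta, timezone

TOKEN_TTL = timedelta(hours=48)  # assumed validity window of the confirmation link


def _now():
    return datetime.now(timezone.utc)


class ConsentStore:
    """Double opt-in consent log: nothing counts as consent until step 2 succeeds."""

    def __init__(self):
        self.pending = {}   # token -> unconfirmed request
        self.consents = {}  # email -> documented consent record

    def request_subscription(self, email, purpose="newsletter"):
        # Step 1: address submitted. Issue an unguessable single-use token that
        # would go into the confirmation e-mail (sending is out of scope here).
        token = secrets.token_urlsafe(32)
        self.pending[token] = {"email": email.lower(), "purpose": purpose, "requested_at": _now()}
        return token

    def confirm(self, token):
        # Step 2: link clicked. Unknown, reused or expired tokens give no consent.
        req = self.pending.pop(token, None)
        if req is None or _now() - req["requested_at"] > TOKEN_TTL:
            return False
        # Data minimisation: keep only what documents the consent itself.
        self.consents[req["email"]] = {
            "email": req["email"],
            "purpose": req["purpose"],
            "requested_at": req["requested_at"].isoformat(),
            "confirmed_at": _now().isoformat(),
        }
        return True

    def is_subscribed(self, email):
        return email.lower() in self.consents

    def export_record(self, email):
        # Right to access / data portability: hand over the documented consent.
        return self.consents.get(email.lower())

    def erase(self, email):
        # Right to erasure: drop the record and any unconfirmed request too.
        key = email.lower()
        removed = self.consents.pop(key, None) is not None
        self.pending = {t: r for t, r in self.pending.items() if r["email"] != key}
        return removed
```

The export record is what you would hand to a supervisory authority or to the subscriber as proof of consent; an address that never completed step 2 never appears in it.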
Privacy-Regulation.eu (all EU languages)
Datenschutz-Grundverordnung.eu (English & German)