At Adana, we make it our business to keep abreast of legislation and keep you informed. From 25 May 2018 it becomes law to adhere to the European General Data Protection Regulation and we wish to confirm to our staff and clients that we are compliant with this regulation.
This statement means that your personal data is processed and stored in a secure environment and will not be shared with a third party without your prior consent. We have changed our employee and client contracts to reflect this.
GDPR - a brief overview
Anthropologists claim that human societies all share a trait that guides our social thinking: reciprocity, or “give-to-get” for short. Basically, it is trading something of value for something else of value.
The private information that belongs to me as an individual is obviously of such great value that it deserves government protection. If data about my behaviour and my needs is being collected and used without my permission, I might worry about potential abuse thereof.
But if an organisation tells me not only what data it’s collecting on me but why they want to collect it and how its use will positively benefit me as an individual, then I will be more inclined to agree to it, if I see the value.
The General Data Protection Regulation (GDPR) is the new EU law for the protection of natural persons regarding the processing of personal data and on the free movement of such data. No matter if you are a marketing, sales or support executive who deals with customer data, a Data Protection Officer, an executive with liability for compliance or just someone who wants to use customer data sensibly, you must have a plan in place or risk falling foul of the law.
Need to know information
One of the key questions people ask when it comes to GDPR is: “What is the difference between a controller and a processor?” The answer is as follows:
Controller - A controller is the natural or legal person, public authority, agency or other body which, alone or jointly with others, determines the purposes and means of the processing of personal data. If a person or organisation initiated the collection of personal data either directly or indirectly, they are the controller.
Examples of this are running a website, collecting customer data for a marketing campaign, interacting with customers in a structured way and providing downloads in exchange for registration.
Processor - A processor is a natural or legal person, public authority, agency or other body which processes personal data on behalf of the controller. If a person or organisation provides a service or system for their clients that has customers’ personal data contained within it, they are the processor. Examples of this are a market research agency, a marketing agency or a third-party service provider handling customer data on a company’s behalf.
Why new rules will revolutionise Customer Relationship Management
On May 25, 2016, the EU passed the world’s strongest and most far-reaching law aimed at strengthening citizens’ fundamental rights in the digital age. The regulation also tries to facilitate business best practice by unifying rules for companies operating within the EU Digital Single Market.
This new, 88-page General Data Protection Regulation (GDPR) is something that EU member states voted for unanimously: one law for the entire region. It will be enforceable as of 25 May 2018.
Before this new legislation, it was up to individual countries to decide how to implement existing EU laws and recommendations, which added complexity for businesses operating in multiple countries.
The GDPR applies not only to any company, organisation or body established in the EU that processes personal data, but also to any company, organisation or body established outside the EU if it targets individuals residing in the EU. The GDPR seeks to establish a modern and harmonised data protection framework across the EU. Some aspects make for quite alarming reading – particularly the parts about the sky-high fines that can be imposed on persons and organisations in breach of compliance.
Many aspects of the law require careful evaluation and action by organisations and their legal teams, and there are many recommendations on how to move forward if you are a new organisation starting from scratch. But most of us will already have systems and processes in place that contain personal data – so the greenfield approach will not be suitable.
Concrete suggestions are required about how to get existing systems and processes compliant by 25 May 2018, as well as how to proceed thereafter. There are a few overriding themes in the GDPR that centre on the collection and usage of personal data, as well as the ability to report and act on it.
An A-Z of GDPR
Consent - Any freely given, specific, informed and unambiguous indication of the data subject’s wishes by which he or she, by a statement or by a clear affirmative action, signifies an agreement to the processing of personal data relating to him or her.
Controller - The natural or legal person, public authority, agency or other body which, alone or jointly with others, determines the purposes and means of the processing of personal data. In general, if you initiated the collection of personal data either directly or indirectly, then your organisation is the ‘controller’ and liable under GDPR. Running a website, collecting customer data for a marketing campaign, interacting with your customers in a structured way, providing downloads in exchange for registration – all of these would be examples of your organisation collecting data and acting as a ‘controller’.
Personal data - Any information relating to an identified or identifiable natural person (‘data subject’): an identifiable natural person is one who can be identified, directly or indirectly, by an identifier such as a name, an identification number, location data or an online identifier, or by one or more factors specific to the physical, physiological, genetic, mental, economic, cultural or social identity of that natural person. If you are a ‘controller’ or ‘processor’ of personal data in an EU country, GDPR will apply to you for any data subject, regardless of their physical location. If you are a ‘controller’ or ‘processor’ anywhere in the world and you process personal data of a data subject who is resident in the EU, then GDPR will apply to you. There is no distinction between Business to Consumer (B2C) and Business to Business (B2B) personal data in this respect.
Personal data breach - A breach of security leading to the accidental or unlawful destruction, loss, alteration, unauthorised disclosure of, or access to, personal data transmitted, stored or otherwise processed.
Processing - Any operation or set of operations which is performed on personal data or on sets of personal data, whether or not by automated means, such as collection, recording, organisation, structuring, storage, adaptation or alteration, retrieval, consultation, use, disclosure by transmission, dissemination or otherwise making available, alignment or combination, restriction, erasure or destruction. That will cover all IT systems that contain personal data, regardless of whether those systems are on your own site, in a cloud or provided by a processor.
Processor - A natural or legal person, public authority, agency or other body which processes personal data on behalf of the controller. If you provide a service or system for your clients that has their customers’ personal data contained in it, then you are a processor and are subject to the law. Examples of this are a market research agency, a marketing agency or a third-party service provider handling customer data on a company’s behalf. A controller will want to work closely with a processor (and may demand not only good GDPR compliance documentation but also liability responsibilities) to ensure that both the controller and the processor are compliant with GDPR. The personal data the processor holds about its own client contacts makes the processor the ‘controller’ of that data.
Profiling - Any form of automated processing of personal data consisting of the use of personal data relating to a natural person, in particular to analyse or predict that natural person’s performance at work, economic situation, health, personal preferences, interests, reliability, behaviour, location or movements. If you are using any sort of rules engine, machine learning, advanced analytics or AI in any of your IT systems, and those systems use personal data, then profiling is being performed.
Recipient - A natural or legal person, public authority, agency or another body, to which the personal data is disclosed.
Regulation - A legal act of the European Union which, on enactment, becomes enforceable as law in all member states simultaneously. The GDPR applies from 25 May 2018, after a two-year transition period, and, unlike a directive, it does not require any enabling legislation to be passed by national governments; it is thus directly binding and applicable. So this is a law that could affect you. Whether your organisation is affected by this regulation depends on whether you process ‘personal data’.
Restriction of processing - The marking of stored personal data with the aim of limiting its processing in the future. This reflects a fundamental tenet of the new regulation: you should only collect and use personal data when it is absolutely needed.
Special categories of personal data - Personal data revealing racial or ethnic origin, political opinions, religious or philosophical beliefs, or trade union membership, and the processing of genetic data, biometric data for uniquely identifying a natural person, data concerning health or data concerning a natural person’s sex life or sexual orientation. There are exceptions in Article 9, but in general it is prohibited to process such data. Since it was not forbidden in the past, you may have inadvertently collected and be using such data.