Are you prepared for GDPR?
You’ve likely encountered the term ‘GDPR’ floating around, but what exactly is it? Just another trendy business acronym, or is it something we should take seriously? Definitely the latter: GDPR stands for “General Data Protection Regulation” and will redefine data privacy standards in the European Union beginning in 2018.
Complex rules, but accessible principles
Ratified by the European Union in May 2016, the GDPR legislation modernises the legal framework that protects European citizens’ private information. As of May 25th, 2018, all businesses with activities in EU member nations and their territories must comply with these regulations. Failing to act on them could have serious consequences for a company’s bottom line, customer relationships and brand image. With that in mind, if your organisation deals with individuals’ data, it’s none too soon to begin implementing a governance process that paves a smooth path to future compliance.
GDPR is a complex set of rules, but they cover a handful of key principles that are easy to comprehend. Understanding and adhering to these principles will take your organisation most of the way toward compliance.
What is personal data?
First, it’s important to understand that GDPR is all about personal data. If you don’t work with personal information, you will not need to adhere to GDPR regulations. Personal data includes information that makes it possible to individually identify any person, entity or company. This doesn’t necessarily have to be something as concrete as a name or address; if a combination of characteristics points to an individual identity, this is also considered personal data.
How are you using it?
If the data you work with is personal and you use it on an individual level – i.e. not in aggregated form – you can only do so if each individual has given consent. Consent means the individual agrees that you may use his, her or its data for the purposes and length of time you have set forth. It’s important to be specific about what data will be used, for which purposes and for how long. It’s not enough to simply ask whether you can use the data.
If you are working with personal data and the individuals have given their consent to its use in specific circumstances, it is legal for you to work with, analyse and generate reports based on it. An example of this in action is how retailers manage the data of loyalty card holders. In this case, retailers have a contract with their customers that details how, when and for what purposes they will use the data. Once the customer has given consent, the retailer uses the information to design and send marketing campaigns, promotions and so on.
If the individual hasn’t given or been asked for their consent, the data must be made anonymous or used only in aggregation. Anonymisation isn’t simply removing names or addresses – any combination of information that could potentially be used to identify individuals should be removed from the database. A tip: if you are only using aggregations of data, it’s best practice to make the data anonymous to mitigate risks.
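To make the anonymisation point concrete, here is an added illustration (not code from the original post or from boobook) using constructed, fictional records: stripping the name alone still leaves every row uniquely identifiable by the remaining postcode and birth-year combination, so the quasi-identifiers are generalised until each combination is shared by several people, and only then are aggregates computed. The field names, the postcode/birth-year choice of quasi-identifiers and the threshold k are assumptions for the example.

```python
from collections import Counter

# Constructed sample data (fictional people). Removing "name" is not enough:
# each (postcode, birth_year) pair below is still unique, i.e. identifying.
RECORDS = [
    {"name": "A. Smith", "postcode": "SW1A 1AA", "birth_year": 1984, "spend": 120.0},
    {"name": "B. Jones", "postcode": "SW1A 2BB", "birth_year": 1983, "spend": 80.0},
    {"name": "C. Brown", "postcode": "SW1A 1AB", "birth_year": 1984, "spend": 200.0},
    {"name": "D. White", "postcode": "E1 6AN",   "birth_year": 1990, "spend": 50.0},
    {"name": "E. Green", "postcode": "E1 7AA",   "birth_year": 1991, "spend": 75.0},
    {"name": "F. Black", "postcode": "E1 6BT",   "birth_year": 1992, "spend": 60.0},
]
DIRECT_IDENTIFIERS = {"name"}                      # assumed direct identifiers
QUASI_IDENTIFIERS = ("postcode", "birth_year")     # assumed quasi-identifiers


def strip_direct_identifiers(records):
    """Step one: drop fields that name a person outright."""
    return [{k: v for k, v in r.items() if k not in DIRECT_IDENTIFIERS} for r in records]


def k_anonymity(records, quasi=QUASI_IDENTIFIERS):
    """Size of the smallest group sharing the same quasi-identifier values.
    A result of 1 means at least one row is unique, hence re-identifiable."""
    groups = Counter(tuple(r[q] for q in quasi) for r in records)
    return min(groups.values())


def generalise(records):
    """Coarsen quasi-identifiers: outward postcode only, five-year birth band."""
    out = []
    for r in records:
        g = dict(r)
        g["postcode"] = r["postcode"].split()[0]
        band = r["birth_year"] // 5 * 5
        g["birth_year"] = f"{band}-{band + 4}"
        out.append(g)
    return out


def anonymise(records, k=2):
    """Strip, generalise, then suppress any row whose group is still smaller than k."""
    rows = generalise(strip_direct_identifiers(records))
    groups = Counter(tuple(r[q] for q in QUASI_IDENTIFIERS) for r in rows)
    return [r for r in rows if groups[tuple(r[q] for q in QUASI_IDENTIFIERS)] >= k]


def aggregate_spend(records, key="postcode"):
    """Aggregate-only use: mean spend per (generalised) area, no individual rows."""
    totals = {}
    for r in records:
        totals.setdefault(r[key], []).append(r["spend"])
    return {area: round(sum(v) / len(v), 2) for area, v in totals.items()}
```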
Controllers vs. processors
There are two types of data-touching parties that are impacted by the GDPR. Controllers are companies that decide what will happen with the data (often the ‘client’) and use the insights gained from analysis of the data. Processors, on the other hand, are companies that process the data (by collecting, analysing or using it to generate reports, for example), but do not make use of the results or insights gathered.
The controller is ultimately responsible for how the data is used, although the processor also needs to comply with the regulations. The process agreement between controller and processor should clearly state these rules.
The big takeaways
To sum up, any organisation or person that collects, handles or processes individual data must comply with GDPR. All boobook clients fall into this category, as they commission our company to handle their data and use the insights boobook provides to make their own business decisions. A simple and straightforward way to ease compliance with GDPR and reduce the risk of crossing regulatory lines? If there is no need for personal data, anonymise databases whenever possible.