GDPR Data Protection Update part 2 – using data
The new Data Protection update (GDPR) has been published (May 2016), but will take two years to come into effect. That gives all businesses that collect or use data to get prepared. And you will need to be ready as the penalties have been significantly increased.
With these changes, data protection and marketing opt-in has moved from departmental responsibility to a boardroom agenda item.
So down to business…
What does the EU Data Protection Update (GDPR) mean for You
The General Data Protection Regulations (GDPR) are a game changer. You need to know the details and you need to act on the details.
The changes affect the following areas.
- How you collect data
- How you use the data you collect
- Your bottom line – if you get this wrong, you will be fined and that could mean a lot of money.
It’s a complex subject, so we are going address this piece by piece, and in the spirit of the (GDPR) data protection regulations we are going to do our best to use simple English to it’s easy to understand.
This post focuses on data collection points 3 and 4.
How to use the data we collect.
Let’s start with a key definition…
What is personal data
This is a biggie, as it’s a major change and the key foundation of the regulations (GDPR).
Personal data is defined as “any information relating to an identified or identifiable natural person ‘data subject’; an identifiable person is one who can be identified, directly or indirectly in particular by reference to an identifier… or to one or more factors specific to the physical, physiological, genetic, mental, economic, cultural or social identity of that person ”.
So that’s pretty much any data that can be used to market to people. And it also bites digital in the proverbial backside.
Certain types of “online” data may be personal, such as online identifiers, location data, and identification number (device identifiers, cookie ID’s, IP addresses and Radio Frequency Identification tags…)
So if you can link the information knowingly back to an individual, that’s personal data.
What you need to do…
These changes will need to become common practice within your business. Here’s where you start…
- The review and update of your privacy policies, privacy notices and you probably going to need to update your business terms and conditions to reflect any changes,
- Review or establish the setup of new technical and administrative process, (e.g. data security breach notification requirements),
- The review your data security standards,
- The review your data processing contracts or other agreements with processors, partners, and clients,
- The review of the legal basis for international data transfers to countries – if outside the European Union.
The Data Protection Principles
Now that you understand what ‘personal data’ is. You need to know how to manage the personal data you hold. The GDPR defines principles for processing personal data, these are that personal data must be…
(1) Processed lawfully, fairly and in a transparent manner,
(2) Collected for specified explicit and legitimate purposes – and only those purposes.
(3) Adequate relevant and limited to what is necessary in relation to the purposes for which they are processed (data minimisation),
(4) Kept up to date,
(5) Kept in a form which permits identification of data subjects for no longer than is necessary for the purposes for which the personal data are processed,
(6) Processed in a way that ensures appropriate security of the personal data.
So how can I process personal data?
You need to process the personal data you collect in line with the consent you’ve received.
You need to give clarity around all the personal data you collect, if it’s directly linked to an individual, you need to make sure you have their consent – or you won’t be able to use it.
Keeping in line – Privacy by Design
Data protection and processing is not longer a consideration, it’s about to become a requirement. Reflecting the fact that data is an asset for your business. You are required to be accountable, and demonstrate your accountability.
So you need to make sure that:
- You build data protection into projects from the start, and that privacy settings are set to opt-out rather than opt-in. You need to prove that people have decided to explicitly opt-in.
- You keep your data protection policies and procedures up to date with your operations.
Reasons to pay attention.
If you don’t comply, then the fines are likely to be significant. Up to 20 million EURO or 4% of global turnover.
As I said earlier in the article, GDRP now makes data control a boardroom concern.