DMA Europa

GDPR Part 1 – Who? What? When? Where? Why? And How?


Law. It impacts every part of our lives. This includes a business’s life. However, law is not famed for being interesting or easy to understand, and rules and regulations can be quite dry. In fact, this new regulation is 88 pages of dry. Considering that marketing, in particular direct marketing and email campaigns, relies so heavily on the use of personal data, DMA Europa Group is helping its clients to understand how to prepare for the new regulation.


The General Data Protection Regulation (GDPR) is a new piece of EU regulation and is the most important change in data privacy law in the past 20 years. With data being such a hot topic and businesses of all sizes being so reliant on it, it is arguably the most important piece of legislation for businesses in the past 20 years.

While aiming to harmonise various complex data privacy laws that differ between EU nations, it raises the bar on the standard of data collection and processing, which introduces complexities of its own.

This new piece of EU legislation affects any activity to do with personal data, from collection to its use, from a name to spending habits.


The GDPR was approved by the EU parliament on the 14th of April 2016 and is due to be published in the EU Official Journal on the 5th of May 2018. It takes effect 20 days after this; that’s the 25th of May 2018 so it’s important to start preparing.

However, to add to the complexity of the matter, the ICO is yet to publish a final set of guidelines on how to comply with the new regulations.


The new regulation applies equally to data controllers and data processors. A data controller is a company that collects data and is the one that has the right to use it. The most obvious example of a data controller would be a business that collects its own data through sales activities. In the case of one company buying data from another, both the seller and buyer are data controllers – the data buyer must make sure that both they and the seller have complied with the regulations.

A data processor is anyone who processes the data on behalf of a data controller. This includes cloud storage services, data backup services, CRM and email systems, and agencies that use data on their clients’ behalf. Importantly, while data processors are liable for not complying with the GDPR, the data controllers are also liable if their data processors do not comply.


Everywhere. The new regulation clears up some discrepancies that existed in the previous law. Now, it applies everywhere. That’s every EU country and every non-EU country. Every company in the world must comply with the regulations if they hold personal data on an EU citizen, or want to sell or provide services to an EU citizen.

What about Brexit? At least for the time being, Brexit is irrelevant. The GDPR will come into force before the UK leaves the EU, so UK companies must still comply. After Brexit, any company holding data about EU citizens will still have to comply. Additionally, there are plans to implement the same law into UK legislation, so it can’t be avoided by companies that operate solely in the UK either.


So why should you care? Well, almost every job and every business will process personal data in some form, even if it’s just a few email addresses. That means that the GDPR affects you and your company. Perhaps the biggest reason you should care is that it may be unlawful to use some of your existing data, and breaching the GDPR now carries significantly increased fines. In fact, a business could be fined up to €20 million (approx. £17.5 million) or 4% of the company’s global revenue – whichever is the larger figure!

These fines are drastically larger than before. Just as a comparison, in 2016 TalkTalk faced record fines of £400,000 for breaching privacy law. If they were to commit the same breach after the 25th of May 2018, that fine could be £59,000,000.


The all-important question: How? How do you prepare? There’s no easy answer to this; it entirely depends on what data you collect and hold and what you use it for.

Start by assessing what data you have, what data you’re collecting and how you collect it, and what you are using your data for. Once you have that, you can start comparing it to the requirements of the GDPR. The two main things for a business to consider are whether you have a legal basis for using the data you have and whether you have processes in place to support the rights that EU citizens will have over their data.

GDPR Part 2 – Can I keep my data, how can I use my data, and how do I collect data now?

GDPR Part 3 – Citizens and their data: What do I have to do for my data subjects?

Nothing on this site constitutes legal advice. Any person who intends to rely upon or use the information contained herein in any way is solely responsible for independently verifying the information and obtaining independent expert advice if required.

The contents of this site are for general information purposes only. Whilst we endeavour to ensure that the information on this site is correct, no warranty, expressed or implied, is given as to its accuracy and we do not accept any liability for error or omission.

For more information you can read the regulation here or visit the website of the Information Commissioner’s Office. Specialist legal advice should be taken in relation to specific circumstances.

Published April 3, 2018