GDPR entered into force with a big bang and changed the European perspective on data protection. Although we have been hearing about the new regulation for the past couple of years, there is still plenty of room for doubt about when, what, and how to take action. Applying GDPR-compliant procedures is a big challenge; we know it as a company, and that is why we have decided to share our know-how and experiences with you and address some issues concerning GDPR.
This article aims to clarify some general key points and to dispel some of the uncertainty around this topic.
So, let’s start this journey with some FAQ concerning GDPR.
What is GDPR?
GDPR stands for General Data Protection Regulation and constitutes the current highest EU law related to data security. As a regulation, it did not need to be implemented into national law: on the 25th of May it became legally binding and applies equally in all EU and EEA states.
1. When should I care about the GDPR?
If you wonder how GDPR relates to your business, you need to evaluate your situation more closely. First of all, let’s start with the basics: location.
If your company is registered in any EU Member State, you are definitely bound to comply with GDPR. However, it also applies to you if your legal office is not located in the EU but you still process data of European citizens. Note that the GDPR was made to protect the rights of EU citizens when their data is being processed.
2. Why should I care?
The GDPR penalties are probably well known, as they were a strong trigger to start proper preparations, but instead of focusing on penalties, let’s concentrate on business. GDPR is a fact: regardless of your opinions, feelings, or approval, it is binding and raises numerous doubts. Thus, being GDPR compliant is also a business necessity, considering that right now most people running companies trust you more if you can provide the necessary GDPR documentation.
3. What does data processing mean?
Don’t underestimate the things that are obvious about the GDPR, and remember that this document is general. Thus, we should focus on what it provides and not on what is missing. Among the things it does provide is a comprehensive definition of what data processing means. According to the definition in Article 4(2):
‘Processing’ means any operation or set of operations which is performed on personal data or on sets of personal data, whether or not by automated means, such as collection, recording, organisation, structuring, storage, adaptation or alteration, retrieval, consultation, use, disclosure by transmission, dissemination or otherwise making available, alignment or combination, restriction, erasure or destruction;
Technically, the most important part is in the first clause, namely “any operation”. In fact, according to GDPR, anything you do with data constitutes processing, even storing it in your backups or keeping records in statistics. That is why it is so important to be aware of what data processing means and to be prepared to justify any action that you take in relation to EU personal data. Even if you are not actually using the collected data but just keep it for “just-in-case” circumstances, you are still liable for processing it. You can still store, organize, use, and in general hold data if you have a legal basis to support your actions; you can read more about this below.
4. When can I contact anyone after GDPR enters into force & what is the legal basis for data processing?
Given that GDPR is one of the biggest changes of recent years, there is still a high level of uncertainty surrounding it, with various myths about how it functions and what changes it implies. If you perform any marketing, business, or outreach activity, you should be aware of what a legal ground for data processing is. The list of legal grounds for data processing is included in Article 6(1) of GDPR and lists six situations, namely:
- the data subject has given consent to the processing of his or her personal data for one or more specific purposes;
- processing is necessary for the performance of a contract to which the data subject is a party or in order to take steps at the request of the data subject prior to entering into a contract;
- processing is necessary for compliance with a legal obligation to which the controller is subject;
- processing is necessary in order to protect the vital interests of the data subject or of another natural person;
- processing is necessary for the performance of a task carried out in the public interest or in the exercise of official authority vested in the controller;
- processing is necessary for the purposes of the legitimate interests pursued by the controller or by a third party, except where such interests are overridden by the interests or fundamental rights and freedoms of the data subject which require protection of personal data, in particular where the data subject is a child.
Now, in the case of marketing or outreach activities, you will most likely rely on either consent or legitimate interest.
The first legal ground is consent: it means that the person you are about to contact (that is, whose data you are about to process) gave his or her consent. This ground is very often used for subscription lists, such as newsletters. Be careful to collect consent in a GDPR-compliant way; among other requirements, the most important is that the consent be explicit and given for a specific activity. Simply speaking, the person should be aware of what he or she is agreeing to. Furthermore, consent needs to be very precise; general statements and stretches are not welcome here.
Moving forward, the second most used legal ground for marketing activities is legitimate interest. It indicates that you are contacting the person because you have a genuine interest in doing so and that you provide an adequate level of security during data processing. Here, it is important to mention Recital 47, which gives an example of legitimate interest (e.g. marketing communication).
The legal ground you choose to justify your processing activities depends on your legal policies and the legal routes you decide to take, so you should evaluate your processes carefully before you start.
New Obligations Under GDPR
GDPR brings into life some new obligations concerning what you should do and what you should inform people about. This part may be particularly important to your business if you use email communication to contact potential customers, and especially if you use legitimate interest as your legal ground. Below, we highlight four of what we consider to be the key obligations.
1. You should inform the data-subject about who you are
Anyone who receives communication should have a clear picture of who is sending the message.
2. How the data-subject can contact your business in case of data deletion/correction/return requests
This part is very important, as it covers how you can be reached. In the case of data deletion requests, we can compare it to an upgraded unsubscribe obligation which requires you to delete the data. You can fulfil this obligation by simply adding your contact email to your signature with a clause stating something like the following:
“If you wish to stop us from processing your data, let us know by sending an email to firstname.lastname@example.org”
The good thing about GDPR is that it does not prescribe forms, so we can be creative about how this is implemented.
Remember that once you are asked to delete data, you should delete it from all the places where it is stored.
3. Storage limitation
This part is a tricky one, as GDPR does not specify a deadline for data processing but requires you to set one. In practice, what does this mean? Simple. You are the one to decide the duration of data processing and for how long to store the data. But again, this is strictly linked to your policies and/or any other legal obligations.
Check the following examples to have a clear picture.
- You collect data because you provide a service and you send invoices for payment of the service. These invoices may contain personal data. However, you are probably obliged by your national legal system to keep invoices for a defined period of time;
- You conduct recruitment procedures in your company. You may inform the candidate that their data shall be stored until the end of the recruitment process;
- You contact people for marketing purposes. You may inform them that if they do not reply, their data will be stored for 30 days before it is deleted.
Please keep in mind that these are only examples, so you should always consider each of your cases individually.
4. Purposes of the processing, categories of personal data concerned, recipients of their data
You should simply inform the data subject about the purpose of the data processing and which personal data is used in the course of your business activity.
What About My Company Internally?
If, after reading the previous sections, you are still unclear about what you should do internally, check the ideas below to inspire you and give you some courage to implement the necessary steps:
1. Evaluate your processes
Being GDPR compliant is a challenge; we know this. To start this journey, you need to be aware of the data flow within your company. If you don’t know where to start, you may simply write down the areas of your company where it is possible that you process some personal data (HR, employment, marketing, outbound, finance, etc.). Once you have done this, ask yourself some simple questions like:
- Do I need all data which I currently have?
- Who can access this data?
- What are my security measures?
- How do I authorize data access?
- Do I know which legal grounds I can use to justify the data processing activities?
It may seem trivial, but remember that all these pieces of information will allow you to prepare a good impact assessment or records of processing. After you have done this, you may start elaborating procedures for specific departments or divisions of your company.
2. Is it necessary for me to sign a DPA?
If you are located within the EU, you will most likely need to sign a DPA (data processing agreement) or an equivalent clause.
3. What about my webpage?
GDPR is a challenge, undoubtedly. But instead of focusing on the dark side of its implementation, let’s try to keep this on track and turn it into a strong business advantage!
Check the following links for more insightful resources and guidelines.