Guest post by Tanya Kennedy Luminati, MatrixMaxx Product Manager
There is a new acronym taking the world by storm right now: GDPR
If you’re in Europe, you’ve probably heard of this. If you’re here in the United States, you may not have heard it … yet. But the concepts of Privacy and Security that it champions are moving to center stage all over the globe, so it is important we all pay attention and start our process shift now.
What is GDPR?
The nations of the European Union (EU) take privacy very seriously, and each country previously had its own laws. The General Data Protection Regulation (GDPR) was approved by the EU Parliament in 2016 in order to unify the various data privacy laws across Europe. The EU has a dedicated website where you can read the full GDPR details, and it is quite a long read.
Who does GDPR apply to?
If you hold and process any personally identifiable information (PII) in any of your systems for anyone living in the EU, this impacts you.
PII is any data that can be used on its own or with other information to identify a particular individual: name, phone, email, address, etc. Processing is just about anything you do with that data. Any type of marketing, for example, is considered to be processing. The GDPR states that you can’t process PII unless you have lawful grounds to do so. The GDPR affects your systems, your processes, your data, your customers/members, your 3rd-party vendors, and your partners.
Doesn’t GDPR only apply to European-based Companies?
No. It applies to any organization offering goods/services to EU residents. The EU refers to this concept as Increased Territorial Scope (extraterritorial applicability).
When do these new regulations go into effect?
GDPR actually started 2 years ago. However, enforcement doesn’t begin until May 25, 2018. So, being human, most of us have waited until the last minute to grasp these new regulations with both hands.
What are the key facets of GDPR?
You must have grounds for the lawful holding and processing of data. These include:
- Fulfilment of a contract
- Legal obligation
- Necessary for interests of the individual or for the greater public good
Consent is getting a great deal of attention as marketing now requires explicit “provable consent” in order to be considered lawful under the GDPR. For example, if you haven’t explicitly asked an EU resident in your database if they’d like to hear about some of your upcoming events, you probably can’t lawfully market to this person!
Other important facets beyond the concept of lawful processing and consent include:
- An individual may request access to all of their personal data. This may include any information stored in your main database, including contact information, login tracking, clickthrough tracking in a 3rd-party marketing system, transaction data, etc.
- An individual may request that their personal info be removed (a.k.a. the Right to be Forgotten), meaning that they can request that their records be deleted or anonymized in such a way that they are no longer personally identifiable. (This includes data in backups and in any 3rd-party systems that may have acquired the data from you.)
- Data Breach Notification to certain authorities and individuals within particular timeframes.
Are Membership Organizations (Trade Associations, Professional Societies), Not-for-Profits, and Non-Profits exempt from GDPR?
No. They are not exempt.
But … Wouldn’t someone joining my association as a member be implicitly giving me lawful grounds to process their data?
Not necessarily. If they join as a member, it would probably be lawful processing to send them a confirmation of their membership, but you can’t start marketing association products and services to them without consent. This is an area where a GDPR consultant could be useful to you, if you have a lot of EU residents in your data or you actively market/appeal to persons living in the EU.
How is GDPR going to be enforced?
The penalties and fines, which will kick in starting May 25, 2018, are steep. There are obvious ways that EU-based organizations and foreign organizations with EU locations can be penalized. The question of how external organizations will be held to GDPR compliance is being discussed in a variety of articles and posts.
Next up, we’ll discuss how to become GDPR compliant. Stay tuned!
This is the first of several Matrix installments on GDPR, Privacy, and Security. Please note: we at Matrix are not lawyers or GDPR consultants; do not take this info as absolute. Use this information as a starting point in:
- Gathering the documentation, processes and tools you need to assess and support your obligations under GDPR
- Planning for a future where respect for privacy and security is implicitly baked into all of our processes and systems, regardless of country