As you make plans for 2018, be sure to include proper preparation for the General Data Protection Regulation (GDPR) that will take effect on May 25. Every month up until May we will release a post that will help guide you through all the details of what the GDPR is, who it affects, how to make sure you’re compliant, and more. This first post we’ve created is a quick introductory course on the basics of GDPR.
Please note: The information and opinions within this content are for information purposes only. They are not intended to constitute legal or other professional advice, and should not be relied on or treated as a substitute for specific advice relevant to particular circumstances.
Introduction to the General Data Protection Regulation
As an advertiser, publisher, or anyone else dealing with customer data, it is vital for you to have a robust compliance regime in place. Although the General Data Protection Regulation (GDPR) may require you to change your data processing policies, it also presents an opportunity. It gives businesses the chance to enhance compliance and demonstrate to their customers that their personal data is in safe hands, especially at a time when privacy is a key concern. Here are some basic GDPR insights, aimed particularly at businesses involved in marketing, to help you get to grips with what the GDPR is and how it might impact your business.
Basic Information on What the GDPR is
The GDPR is the overall regulation on the protection and handling of personal data for the European Union (EU). However, even if your business isn’t based in the EU, you may still need to be GDPR-compliant (find more information below). Those who aren’t compliant can be fined up to 4% of global turnover or €20,000,000, whichever is greater. For marketers, the differences between the GDPR and current UK data protection regulations include, but are not limited to:
- New and strengthened rights for individuals
- New obligations for data processors, as well as controllers
- Increased territorial scope
- Broader definition of ‘personal data’
- Increased accountability
- Breach notification
Even If Your Business Isn't Based in the EU, You May Still Need to Be GDPR-Compliant
A quick way to know if you are required to be compliant is by answering a few questions:
- Does your business collect, use, or process personal data from individuals in the EU?
- Does your business offer services or goods to people in the EU?
- Does your business have an office in the EU?
- Do you monitor individuals in the EU?
Below we've created a flowchart to help you find out if you're required to be GDPR-compliant.
What's Required to Be Able to Use Individuals' Data from the EU
The GDPR sets out the need for each data processing activity to have a ‘legal basis.’ This means that if you process personal data, it must be based on one of the following conditions:
- Consent – The individual has given clear, informed agreement to the processing of their data.
- Contract – Processing a person’s data is necessary to fulfill a contract.
- Legitimate Interest – Processing an individual’s personal data is strictly necessary for the business, for example to prevent fraud or because of a criminal investigation.
- Legal obligation and public interest – Processing personal data is necessary to comply with a legal obligation or to carry out a particular task in the public interest.
for Creating the GDPR
The GDPR will replace the Data Protection Directive of 1995, which is currently in force. The European Parliament, the Council of the European Union and the European Commission adopted the GDPR with the intention of giving consumers more control over, and visibility of, how their personal data is collected and used. The GDPR sets out six data protection principles that every processing activity must comply with:
- Fair and transparent – A person needs to know why and how his or her data will be used.
- Purpose limitation – Data can only be used for the reason it was collected.
- Data minimization – No more data can be collected than necessary for its purpose.
- Storage limitation – If the data is no longer necessary, it must be deleted.
- Confidentiality and integrity – Data must be stored in a secure manner.
- Accountability – Compliance with the data protection principles must be provable.
What We at Rakuten Marketing Are Doing
Everyone, including us, should be working towards being GDPR-compliant before May 25. For over a year, we have been working on:
- Integrating our global parent company’s Binding Corporate Rules (BCR) scheme.
- Creating a robust compliance program.
- Creating and updating audit schedules.
- Providing additional training to our employees focused on the GDPR and privacy law more broadly.
- Implementing features to complete our ISO 27001 certification.
- Modifying our product development lifecycle to include privacy by design.
- Securing data processing agreements with our vendors and our customers. This includes data transfer agreements to meet the regulatory framework(s).
- Reviewing and updating our policies as appropriate.
Stay tuned for our future blog posts, which will explain all of the sections and bullet points above in more detail, including our four-phase compliance strategy.
A version of this blog post originally appeared on our UK site.