It was in April 14, 2016 when the much awaited EU GDPR was adopted in the EU stage. After the recent day’s vote in the plenary session through the EU Parliament, GDPR has become an EU law and it will apply directly in every EU country, replacing the national and EU data protection legislation. The companies would be given a 2-year transition period starting the day that GDPR was released within the Official Journal of the EU in the succeeding couple of weeks. GDPR is forming another data security landscape in EU with stricter requisites as well as higher fines for a foreseeable future.
This has been anticipated to be extremely influential in some other parts of the globe, influencing the way that international businesses are operating. GDPR would be more effective in spring 2018. Businesses must use its time in reviewing their existing practices, begin preparing for the implementation of GDPR and conduct the gap analyses.
The New Data Protection Landscape in EU
This is an outline of the major elements of GDPR direct marketing which are pertinent for businesses:
- Broader Scope – GDPR would apply to data process activities of the data controller or data processor that has been established within the EU. Aside from that, this will be applicable to all data controllers as well as data processors that were all established out of the EU in which their processing processes and activities relate to offering of services and goods to individuals in EU or in the monitoring of EU individuals’ behavior. It means that GDPR would apply virtually to every business that serves or targets individuals inside the market.
- Personal Data Concept – under GDPR, the IP address, location data and the online identifiers will constitute personal information in many cases since this data can be utilized in identifying individuals when integrated with those unique identifiers. Personal data pseudonymization has been considered as the security measure that is utilized in limiting the danger of singling out a person throughout the processing period. Aside from that, biometric data and generic data are both recognized as confidential data that requires further protection.
- Processors, Data Controllers, and Joint Controllers – GDPR would introduce some obligations for all data controllers, joint controllers and data processors. Direct obligations would be imposed on the data processors for personal data protection. A data processor could be fined as well for non-compliance with GDPR. Data processing agreement will have a particular minimum on the content as well as conditions for consistent processing would be strengthened. The joint controllers would need to allocate the responsibilities and duties between them through similar agreement or contract. Irrespective of those terms of the agreement, people would be capable of exercising their privileges against every controller.
- Data Breach Alert – GDPR is introducing a general data breach alert requisite which would apply across the industry sectors and will need data controllers to notify the competitive supervisory authority in 72 hours after becoming aware of the data breach, unless they could provide you the reasoned explanation for delay. When the breach possibly result to risk for the freedom and rights of the individual, data controllers would also need the obligation to inform individuals of the breach with no undue delay.
- One-stop Shop – for the companies that are active in different countries in EU. The GDPR would permit them to gain the crucial point of implementation by means of one-stop shop machinery. The supervisory authority of main establishment or of the single establishment of a data controller or data processor in EU would act as the number one supervisory authority.
- Consent – it must be freely given, informed, specific and an unambiguous sign of the intention of an individual, either through the statement or through a vivid affirmative action, agree to the processing of the personal data. GDPR is putting emphasis on the truth that processing must not be created conditional in the consent of the individual. GDPR is also providing protection within the context of the personal data of children through strengthening the cogency condition of the kid’s consent.
- Profiling – GDPR would strengthen the security of people against any probable negative effect of profiling through giving them the privilege not be the subject to an automatic decision making process that produces some legal effects regarding the person. Apart from that, profiling which involve sensitive and confidential personal data has been prohibited unless it is carried out with clear consent of people or when the profiling is needed for reasons of substantial public interest. Stricter information duties when carrying out profiling would be applicable.
- Privacy Notices – under GDPR, data controllers should take some measures in providing people with valuable information about personal data processing.
The General Data Protection Regulation or GDPR would apply to every business that is inside and outside Europe which deals with the personal data of all EU individuals. The business must take advantage of a 2-year transition period for preparing for an increase and a boost in their data protection duties and advance their respective programs for privacy compliance. Undoubtedly, GDPR is aiming to form a more robust and mature data protection landscape in EU that would help in building data security in the everyday programs of businesses.
Proconnect Marketing has been at the forefront of implementing the new GDPR rules and is committed to compliant marketing practices to ensure our clients operate within the law.