In that time, everything has changed – the types of data being created, the processes used to capture and govern it, the systems used to manage, analyze and deploy it. Organizations which already respect the core principles of the law should be well placed to adapt to the Regulation. The expansions and enhancements which it introduces will need careful handling, however.
Data is more personal – GDPR simply expands the definition of personal data to cover almost anything that can identify an individual, such as where they are (location), what content or apps they are consuming (behavioral), what device they are using (device ID). Unstructured data, such as customer comments, reviews, blog posts, customer service notes, account management emails, even internal messaging, also needs to be governed.
More access and consent – In addition to existing rights, such as access and rectification, individuals gain enhanced rights, including the ability to withdraw consent, to move personal data to another provider and even to request that their data be deleted.
European, everywhere – Any data subject in the European Union can expect these rights to be protected regardless of where their data is held or processed. When data is transferred outside the EU, these rights follow, so moving personal data between territories will need to be done with care.
End-to-end responsibility – As well as respecting GDPR as an organization, data controllers have to validate that their business partners (data processors) are also working to the Regulation. Both parties carry obligations to ensure data security and there are new duties around reporting data breaches.
New data duties – A range of new requirements are introduced, most notably the obligation to have a Data Protection Officer, but also the adoption of new data governance strategies and a risk-based approach.
Stronger enforcement – Supervisory authorities are central to enforcing GDPR, most notably through the power to impose a lower-level fine (up to €10 million, or 2% of worldwide annual revenue) or an upper-level fine (up to €20 million, or 4% of worldwide annual revenue). For more information visit gdpreu.org.
The intention of GDPR is to strike a better balance between legitimate business interests and the rights of individuals over their personal data. Addressing this through a creative, transparent and enabling approach is the key to meeting the new demands of the Regulation and to finding new value in a sustainable, governed data asset.
Admail has identified some key steps for organizations to consider when pursuing residents of the EU:
Governance – Central to GDPR is cross-functional involvement in the way personal data is captured, processed, managed, secured and deployed. This starts at a strategic level through the adoption of Privacy by Design, and it includes explaining to individuals, clearly and transparently, why their data is needed and how it will be used.
Rights and processes – With data subjects given enhanced rights, such as consent withdrawal, portability, and deletion, alongside their existing rights, such as rectification and Subject Access Requests, significant development may be required to ensure these are delivered. Technical solutions will have a key role to play, alongside revised strategies.
Data – Data flows across organizations from every business process and channel as well as from the outside, via digital marketing, distribution partners, and other market contact points. If your business model is fundamentally based around this flow of personal information, then a data discovery and audit program is essential. Mapping which data types are in use, where they are held and whether they are sensitive will describe the landscape through which the organization has to journey in order to meet GDPR.
Data security – Keeping personal information secure is critical to the data protection mandate. As well as protecting a valuable business asset, data security should also form part of the promise made to customers, who are increasingly concerned about their personal risk from data breaches and losses. Investing in proper data security can be the competitive differentiator in the post-GDPR era of trust-driven relationships.
Finally, be assured Admail and our partners have taken all necessary precautions and measures to ensure your customer data is safe, secure, and compliant with GDPR regulation.