GDPR – Building on Strong Foundations
It has been 20 years since the existing Data Protection Directive for the European Union was introduced.
In that time, everything has changed – the types of data being created, the processes used to capture and govern it,
the systems used to manage, analyze and deploy it. Organizations which already respect the core principles of the
law should be well placed to adapt to the Regulation. The expansions and enhancements which it introduces will
need careful handling, however.
Data is more personal – GDPR simply expands the definition of personal data to cover almost anything that can
identify an individual, such as where they are (location), what content or apps they are consuming (behavioral),
what device they are using (device ID). Unstructured data, such as customer comments, reviews, blog posts,
customer service notes, account management emails, even internal messaging, also needs to be governed.
More access and consent – In addition to existing rights, such as access and rectification, individuals gain
enhanced rights, including the ability to withdraw consent, to move personal data to another provider and even to
request that their data be deleted.
European, everywhere – Any data subject in the European Union can expect these rights to be protected
regardless of where their data is held or processed. When data is transferred outside the EU, these rights
follow it, so moving personal data between territories will need to be done with care.
End-to-end responsibility – As well as respecting GDPR as an organization, data controllers have to
validate that their business partners (data processors) are also working to the Regulation. Both parties
carry obligations to ensure data security and there are new duties around reporting data breaches.
New data duties – A range of new requirements are introduced, most notably the obligation to have a
Data Protection Officer, but also the adoption of new data governance strategies and a risk-based approach.
Stronger enforcement – Supervisory authorities are central to ensuring GDPR is enforced, most notably through
their power to impose a lower-level fine (up to €10 million, or 2% of worldwide annual revenue) or an upper-level
fine (up to €20 million, or 4% of worldwide annual revenue).
For more information visit gdpreu.org.
Key steps on the journey
The intention of GDPR is to provide a greater balance between legitimate business interests and the rights of
individuals over their own data. Addressing this through a creative, transparent and enabling approach is the key to
meeting the new demands of the Regulation and to finding new value from a sustainable, governed data asset.
Admail has identified some key steps for organizations to consider when engaging with residents of the EU:
Governance – Central to GDPR is cross-functional involvement in the way personal data is captured, processed,
managed, secured and deployed. This starts at a strategic level through the adoption of Privacy by Design, and
it extends to explaining to individuals, clearly and transparently, why their data is needed and how it will be used.
Rights and processes – With data subjects given enhanced rights, such as consent withdrawal, portability,
and deletion, alongside their existing rights, such as rectification and Subject Access Requests, significant
development may be required to ensure these are delivered. Technical solutions will have a key role to play,
alongside revised strategies.
Data – Data flows across organizations from every business process and channel as well as from the outside,
via digital marketing, distribution partners, and other market contact points. If your business model is fundamentally
based around this flow of personal information, then a data discovery and audit program is essential. Mapping which
data types are in use, where they are held and whether they are sensitive will describe the landscape through which the
organization has to journey in order to meet GDPR.
Data security – Keeping personal information secure is critical to the data protection mandate. As well as
protecting a valuable business asset, data security should also form part of the promise made to customers, who are
increasingly concerned about their personal risk from data breaches and losses. Investing in proper data security can
be the competitive differentiator in the post-GDPR era of trust-driven relationships.
Finally, be assured that Admail and our partners have taken all necessary precautions and measures to ensure your customer
data is safe, secure, and compliant with the GDPR.