Never before has a four-letter acronym struck such confusion, panic and fear into the hearts of businesses as GDPR has, prompting questions like: What is GDPR? Does it affect us? When does it go into effect? What happens if we’re not compliant?
But fear not, I’ll hopefully be able to settle some nerves with this post.
What on Earth is GDPR?
The EU General Data Protection Regulation is a piece of legislation that has been approved by the EU Parliament and is designed to “harmonize data privacy laws across Europe, to protect and empower all EU citizens’ data privacy and to reshape the way organizations approach data privacy.” Put simply, it exists to ensure better protection of people’s personal data and to make sure that personal data is kept safe and is not used without the owner’s consent.
The regulation aims to protect all EU citizens from privacy and data breaches, and it replaces the previous data protection directive, which was established in 1995. Remember 1995? Spice Girls, Oasis, John Major as UK Prime Minister, Bill Clinton as President of the United States.
Data handling in businesses has changed staggeringly since 1995, both in volume and in process, with electronically stored databases now the norm for data storage.
I think it’s time there was an update!
The main components of GDPR are as follows:
- Increased Scope & Jurisdiction of Legislation – This applies to all companies processing the personal data of people residing in the EU, including any company overseas that processes data of EU citizens.
- Clear Consent – Companies can no longer use lengthy terms and conditions full of legal terminology that could potentially confuse. Consent must be clear and distinguishable from other matters and be provided in an intelligible and easily accessible form using clear and plain language. The user must not be confused and must be told exactly what their data is being used for.
- Mandatory Breach Notification – If anyone who shouldn’t have access to personal data gains access to it, you need to notify everyone involved as soon as you become aware of the breach.
- Transparency – People that have provided data or “data subjects” have the right to know whether or not their personal data is being processed, where it is being processed and why it is being processed. The data subject must also be provided with a copy of their data free of charge in an electronic format.
- Right to Be Forgotten – Data subjects have the right to be forgotten. This entitles the data subject to have the data controller erase any of their personal data that is being held and stop any processing of that data.
- Data Portability – This enables the data subject to request and receive a copy of their data and have the right to pass that data to another controller.
- Privacy by Design – Data controllers must design systems such as databases or registration systems with data protection measures built in from the start and strong protection for the data they hold. The data processed must be limited to what is absolutely necessary, and access to that data must be limited to those who need it for processing.
- Data Protection Officer – Some controllers may require a Data Protection Officer to manage and monitor data processing and ensure compliance with GDPR. This is mandatory only for those whose processing activities consist of operations that require regular and systematic monitoring of data subjects on a large scale, or of special categories of data or data relating to criminal convictions and offenses.
How does it affect brands that capture data through their sponsor partnership activations?
Sponsorship activation guest programmes rely on the collection and processing of large amounts of personal data. To run a successful programme, we need a wealth of personal data that can range from guest names, to next-of-kin details, to addresses, to dates of birth. We simply wouldn’t be able to run programmes without this data.
What we must bear in mind:
- Only collect and process data that is necessary for the programme. If the data is not needed or justified, then we should not be collecting it.
- Only store data for as long as we need it. Data should be deleted as soon as it is no longer required.
- Make guests clearly aware of why and how we are using their data.
- Make guests aware that they are able to request a copy of their data that we hold and that they can request to be deleted from our databases or registration systems if they so wish. The process to request this must be simple and easy for them to understand.
- Most brands and agencies use third-party suppliers to process their data, such as guest management system builders and software designers. We need to make contact with these suppliers and ensure they are GDPR compliant. They need to be able to prove and explain how they store and process data, what lengths they have gone to in order to secure and protect this data, and who is able to access it. They need to store and process data in a responsible and secure way that falls in line with the regulation.
- GDPR isn’t just relevant to online and electronic databases and registration systems. If you collect, process or store personal data in any way, your processes need to be compliant. This could be collecting personal guest data on a spreadsheet, via email or even on a piece of paper. We need to consider every way we handle personal data, how safely it is stored, and who is able to access it.
When does it take effect?
The GDPR takes effect from 25 May 2018. It will also apply to any data collected before then that is still stored on that date.
What happens if we’re not compliant?
The maximum fine for being in breach of GDPR once it takes effect is 4% of annual global turnover or €20 million, whichever is greater. That is the maximum fine that can be imposed and is reserved for the most serious offenses. Yes, it’s pretty steep! However, there is a tiered approach to fines, so not all offenses will result in a €20 million penalty. The good news in all of this is that the EU is taking data protection seriously, which will result in safer processes for all involved.
Yes, most of us need to collect, store and process personal data to do our jobs. However, we must not forget how many companies have access to our personal data and are processing that data right now. If everyone becomes GDPR compliant and operates within the GDPR framework, it will guarantee that our data is handled in a safer way and will definitely help me sleep better at night.