Nov 6, 2018
Back in 1999, marketing guru Seth Godin wrote that “permission marketing is the privilege (not the right) of delivering anticipated, personal and relevant messages to people who actually want to get them”, in his groundbreaking book ‘Permission Marketing’.
These words rang true then as they do today and summarize the basis for the change in the way organizations are expected to process our personal data.
“It’s 18 years since that book was first published. The world has changed a lot in that time: not only technology, but business models, people’s attitudes to their data, and their demand that their information is properly looked after. This is the root of the GDPR: a modernization of data protection law. But the principle that cultivating consumer trust is central to business – and indeed to much of the services offered by the public sector – is as valid as ever,” said Elizabeth Denham, UK Information Commissioner writing in the ‘Journal of Data Protection & Privacy’.
Implemented in May 2018, the General Data Protection Regulation – or GDPR for short – applies across the European Union and it fundamentally changes the way people can share information about themselves and their preferences with organizations that process their personal data.
For all private, public and voluntary sector organizations, this is a game changer. What we’re being asked to do is to reboot our thinking about data protection and privacy for the digital age.
The concept of personal data has been given a makeover and now covers almost anything that can identify you and me. Not just your name or the MAC address of your mobile, but even the sports team you support. All of this is now protected personal data.
People now have more power to shop around using their personal data. We can compare prices online by sharing our bills for things like electricity and save money by switching suppliers.
We’ve got more power to access personal records being held on us and make sure that they’re up-to-date. And if this isn’t the case, we have the right to get this changed. This includes adding more information so that the record isn’t inaccurate.
At the end of the day, we’ve got a lot more power and a lot more choices at our disposal. Our ultimate power is to give as well as take back consent to processing of personal data.
The cornerstone to all of this is the Data Privacy Notice we’re entitled to receive, regardless of the legal grounds for processing. It’s an absolute right you and I have under the GDPR, and on that basis it’s very important.
All companies – large and small – must up their game if they want to do business with us. That means we’re entitled to a Data Privacy Notice that spells out in ordinary language what they’re going to do with our data and how they’re going to make sure no harm or damage happens to us as a result.
Ignore all of this and companies could face a significant sanction and fine that could be as much as 4% of global annual turnover or €20million, whichever is greater.
Worse still, you could be slapped with a ‘Stop Order’ that will effectively stop you in your tracks from running your business, as you won’t be allowed to continue to process customer data, on a temporary or permanent basis.
The GDPR applies to all organizations in the private, public and voluntary sectors that process personal data and special personal data, irrespective of whether that processing takes place in the EU or in any other country, wherever that may be.
It takes what’s known as a ‘risk-based approach’ to processing our personal data, never forgetting that we own it and they control and process it. And this applies whether it’s for business or for pleasure. We’ve the right not to suffer any harm or damage from this personal data processing.
From an operational perspective, as a professional you must make sure you know how to mitigate very high risks in processing this stuff and reduce this to a residual risk that’s acceptable for what you do in your industry or sector.
You’ll be expected to carry out appropriate technical and organizational safeguards that reduce very high-risk processing of personal data and reduce this to a residual that doesn’t cause harm or damage to customers, clients, supporters and employees.
Meet these new benchmark standards and you’ll be world class in how you secure the most precious asset for your business or organization – the data of your customers, clients, supporters and employees.
Get this right and there are significant advantages that include strengthening trust and confidence, as well as creating a powerful point of differentiation for your brand, your products and your services.
Think of this as being important because of your reputation and creating competitive advantage, rather than looking at this through the narrow lens of regulation.
The GDPR is designed to rebuild the trust and confidence of individuals which has been shattered and in many cases broken because of the misuse of their personal data, or organizations not looking after it properly which could have resulted in harm or damage.
One of the aims of the GDPR is to harmonize data protection laws by creating a consistent approach that impacts the lives of over 500 million people in the EU.
The responsibility for compliance with the GDPR is now shared between the company we are doing business with (the Data Controller) and the organization that it may outsource that personal data processing to (the Data Processor).
This becomes an important strategic commercial relationship, as under the GDPR both are jointly and severally liable when things go wrong. So both have their necks on the line!
And in some cases, you could be acting as both the Data Controller and Data Processor. So understanding the capacity under which personal data processing is taking place is extremely important.
Recording what you’ve done to mitigate the very high risks in your processing activities is important for two reasons. First, it’s about transparency. And second, it’s about accountability.
These are two rivers that flow through the GDPR and should also flow through every organization that needs to comply with it.
Should you have the misfortune to have to deal with a personal data breach, having applied the principles of transparency and accountability will serve you well. It’ll be much easier to understand what happened, to take affirmative action much more quickly and protect your customers from any further risks of harm or damage to their personal data.
This type of responsible behavior will be acknowledged by the Supervisory Authority in taking a view on the level of culpability for the personal data breach.
Where lessons haven’t been learned from previous data breaches or ‘near misses’ then organizations can’t expect any mercy.
And it’s not just about the fines, but also the damage that doing nothing or not enough can cause to the organization’s reputation in the eyes of its customers and stakeholders, leading to a loss of trust and confidence all round.
Although the GDPR is an EU Regulation, it’s impact will be felt around the world. It has a much wider territorial reach than the previous Directive 95/46/EC and Data Protection Act 1998.
It applies to a Data Controller or Data Processor that’s processing personal data in the context of the activities of an establishment in the EU. And this is irrespective of whether that processing takes place within an EU Member State or elsewhere. Therefore, a call center or a cloud service provider in India that’s processing personal data of individuals in the EU will be subject to the GDPR.
Personal data processing involves several parties, but to keep things simple, let’s think of it in terms of a value chain in the shape of a triangle.
There needs to be a living individual to whom personal data relates. For example, this could be a customer or employee. They’re called the Data Subject.
Then there’s the person, company or organization that wants to process the personal data of that individual. This party makes the decision as to the purposes and means of processing personal data. And it’s called the Data Controller. For example, this could be an online retailer or bank.
Many large companies and organizations use an external third party to process personal data, such as call centers or cloud service providers. This separate legal entity is called the Data Processor. This party must only act on the express written instructions of the Data Controller. Quite often this Data Processor may work with other sub-Data Processors and this would extend the value chain.
It’s the Data Controller’s responsibility for making sure there are technical and organizational measures in place at each link in the value chain to comply with its duties and responsibilities under the GDPR.
A critical one is reporting a personal data breach to the Supervisory Authority within 72 hours of finding out this has happened. This is extremely important, as data protection and privacy is only as strong as the weakest link, so the Data Controller must be sure that it has everything in place to comply with the GDPR.
It’s also very common for the same company or organization to be both a Data Controller and a Data Processor.
So it’s important to identify the capacity in which personal data processing is taking place in order to fulfil the duties and responsibilities under the GDPR.
As a rule of thumb, there are more duties and responsibilities placed on the shoulders of the Data Controller than the Data Processor. But there’s also joint and several liabilities for a personal data breach under the GDPR.
It’s important that agreements are looked at as soon as possible, as the Data Processor must guarantee that it complies with the GDPR. And the Data Controller can only use a Data Processor that provides such a guarantee, otherwise that’s also a breach of the GDPR.
In circumstances where there’s a Joint Data Controller relationship, then there must be an arrangement between both companies with respect to reporting obligations to the Supervisory Authority.
Think about the GDPR as an opportunity to build deeper relationships with customers, clients, supporters and employees.
For companies and organizations in any sector, it provides a route-map to build trust and confidence in the digital world where this may have been eroded or destroyed in the past.
When it comes to processing personal data, this can now be done in a highly transparent and accountable way, which helps prevent harm or damage to the personal data in the future.
Gone is narrow self-interest and the ruthless pursuit of profit at the cost of taking risks with personal data. In its place is putting the rights, freedoms and interests of your customers first. It’s about doing the right thing because it’s the right thing to do.
This creates a basis for future prosperity and success, whether the organization is large or small, public or private.
Once the Data Controller has commenced personal data processing, there are seven fundamental rights that can be exercised by the Data Subject. The overarching principle contained in the GDPR with respect to fundamental rights of the Data Subject is based on the right to check the accuracy and completeness of their personal data being processed by the Data Controller (Art.15, GDPR). This legal right extends to correcting their personal data and adding to it in order that the processing doesn’t impact their rights, freedoms and interests (Art.16, GDPR).
The GDPR is a risk-based approach that enhances data privacy and protection. It applies to all organizations that process personal data from the EU, regardless of whether they’re located in the EU. In the long term, the GDPR will help organizations build their credibility as well as deeper trust with their customers, clients, supporters and employees.
For individuals, the GDPR creates a global standard for personal data protection and privacy. This enhances the credibility of all those organizations that demonstrate compliance and increases the confidence of those that want to share their personal data with them.
Basic human rights are protected under the GDPR, alongside the expansion of competition and greater consumer choice – but not at the expense of putting personal data at risk. It’s now much simpler to track what personal data is being processed, by whom, for how long and for what purposes.
Customers, clients, supporters and employees can feel much more in control of their digital existence than at any other point in history. They can also feel far less intimidated about sharing their personal data and provide consent to its use to a much wider range of organizations, with the confidence it won’t get abused.
Organizations that match their words with deeds under the GDPR will find they’ve created the basis for a much deeper level of trust and confidence.
And they’ll have earned the reputation they rightfully deserve.