On 25 May 2018 (sooner than you think!), the GDPR will be applicable in the European Union’s 28 member countries. The responsibility of organisations and subcontractors will be increased through new rules and obligations. Are you ready? Here is the latest with Alexandre Guénon, Direct Marketing Purchasing Manager at Altavia.
Some deadlines seem so far away and we wrongly think we have more time than we do… In just six months, the European Regulation of 27 April 2016 on personal data protection, initiated in 2012 by European Commissioner Viviane Reding, will take effect. According to France’s CNIL – the regulatory body that governs digital rights – the text should enable Europe to adapt to changing digital realities. “Non-compliance will be fined very heavily,” warns Alexandre Guénon, MD Purchasing Manager at Altavia. “The penalty is €20 million or 4% of global sales revenue, whichever is higher. That is some serious financial pressure to enforce all the new rules!”
The GDPR governs anything related to the handling of data, more specifically data that can identify a physical person (name, age, street address, IP address, telephone number, etc.). The rule applies to all organisations within the European Union, as well as those outside of it, that may handle the data of European Union citizens: “The approach relies on three main focal points,” explains Guénon. “The risk, meaning anything related to data security, the rights acquired by individuals, and obligations in the event of data breaches.”
The rule sets two levels for involved parties: the “data handling manager,” the owner and manager of the database, and subcontractors, who use one part of the database from time to time at the request of the data handling manager.
Consent of individuals
Organisations’ obligations are invoked when new contact details are acquired. “Now, the agreement cannot be ambiguous and active involvement is necessary for the individual. On an online form, there could for instance be a box to tick to express consent,” Guénon continues. “In addition, companies will need to keep a record that states the date, time and means of agreement. These represent major changes in the acquisition of new contact details and will no doubt require data managers to be more exacting.”
Once contact details have been acquired, organisations must respect a number of constraints imposed by the GDPR:
– Data limitation: obligation only to collect strictly necessary data. “One example of data limitation is when a company wishes to send out a birthday email,” explains Guénon. “Whereas up until now, it had been customary to also ask for an individual’s birth year, only the day and month are now considered necessary.”
– Obligation for data accuracy
– Obligation to ensure data integrity and confidentiality
– Creation of a new position called DPO (data protection officer), the named contact for security, legal and IT matters
– Recording of all of the company’s activities through regular updates to a log describing stored data
The individuals concerned by the handling of personal data have the right to assert control over their personal information.
– The right to opposition, meaning that individuals can block their contact details from being reused, particularly for commercial purposes
– The right to access, rectify, and to request the deletion of personal data
– The right to portability, in order to transmit data to another company in a usable and legible format
Organisations must also ensure that their IT architecture is properly secured by conducting regular testing.
“In the event of breaches, the companies involved must warn the CNIL within 24 hours of the incident,” says Guénon. “Depending on the gravity of the incident, the end user may also need to be informed.”
These major changes to how data is acquired and managed involve all organisations that manage personal databases, whether it is collected for use by human resources, purchasing, or sales. So, are you sure you’re ready?