From May the 25th, the new General Data Protection Regulation(GDPR) will come into force and all advertisers targeting EU recipients will have to comply with the new rules aimed at protecting individuals personal data.
The Information Commissioner’s Office (ICO) has decrypted the obligations advertisers will be subject to when the new regulation comes into force.
1. Awareness
You should make sure that decision makers and key people in your organisation are aware that the law is changing to the GDPR. They need to appreciate the impact this is likely to have.
2. Information you hold
You should document what personal data you hold, where it came from and who you share it with. You may need to organise an information audit.
3. Communicating privacy information
You should review your current privacy notices and put a plan in place for making any necessary changes in time for GDPR implementation.
4. Individuals’ rights
You should check your procedures to ensure they cover all the rights individuals have, including how you would delete personal data or provide data electronically and in a commonly used format.
5. Subject access requests
You should update your procedures and plan how you will handle requests within the new timescales and provide any additional information.
6. Lawful basis for processing personal data
You should identify the lawful basis for your processing activity in the GDPR, document it and update your privacy notice to explain it.
7. Consent
You should review how you seek, record and manage consent and whether you need to make any changes.
Refresh existing consents now if they don’t meet the GDPR standard.
8. Children
You should start thinking now about whether you need to put systems in place to verify individuals’ ages and to obtain parental or guardian consent for any data processing activity.
9. Data breaches
You should make sure you have the right procedures in place to detect, report and investigate a personal data breach.
10. Data Protection by Design and Data Protection Impact Assessments
You should familiarise yourself now with the ICO’s code of practice on Privacy Impact Assessments as well as the latest guidance from the Article 29 Working Party, and work out how and when to implement them in your organisation
11. Data Protection Officers
You should designate someone to take responsibility for data protection compliance and assess where this role will sit within your organisation’s structure and governance arrangements. You should consider whether you are required to formally designate a Data Protection Officer.
12. International
If your organisation operates in more than one EU member state (ie you carry out cross-border processing), you should determine your lead data protection supervisory authority. Article 29 Working Party guidelines will help you do this.
Get prepared for GDPR with 12 steps guide published on the ICO’s website.
Important Information
Is my organisation subject to GDPR?
The GDPR does apply to both organisations located within the EU but also to organisations located outside of the EU if they offer goods or services to, or monitor the behaviour of, EU data subjects. It applies to all companies processing and holding the personal data of data subjects residing in the EU, regardless of the company’s location.
If my organisation fails to comply with GDPR, what happens?
Organizations can be fined up to 4% of annual global turnover for breaching GDPR or €20 Million. This is the maximum fine that can be imposed for the most serious infringements e.g.not having sufficient customer consent to process data or violating the core of Privacy by Design concepts. There is a tiered approach to fines e.g. a company can be fined 2% for not having their records in order (article 28), not notifying the supervising authority and data subject about a breach or not conducting impact assessment. It is important to note that these rules apply to both controllers and processors — meaning ‘clouds’ will not be exempt from GDPR enforcement.
Does my organization need to appoint a Data Protection Officer(DPO)?
A DPO must be appointed in the following cases: (a) public authorities, (b) organizations that engage in large scale systematic monitoring, or (c) organizations that engage in large scale processing of sensitive personal data (Art. 37). If your organization does not fall into one of the previously listed categories, then you do not need to appoint a DPO.
For more information regarding the General Data Protection Regulation, please refer to the European Commission website.