Written by Nabeena Malik on 27 february 2018
"This is an extract of the extensive article "The Ultimate GDPR Guide for Marketers and Businesses" published by Nabeena Mali in AppInstitute on 13 december 2017. We thank you Nabeena Malik for her kindly collaboration and her interest in sharing with our subscribers her deep knowledge about the european directive."
The General Data Protection Regulation was first proposed in 2012, and what followed was four years of discussions, debates, and amendments, with the regulation finally adopted by the European Parliament in 2016. Countries, companies, and organisations were given two years to comply, with the regulation being enforced from 25 May 2018. What originally seemed like a reasonable amount of time to prepare has passed quickly, and at the time of this writing, enforcement of the GDPR is barely 3-months away.
Much has already been written and discussed in the public domain regarding the GDPR, but still, many business owners are a little unsure of what the GDPR entails, and whether or not they are affected. With this GDPR guide, I hope to add some clarity, explaining what the General Data Protection Regulation is, which businesses it affects – and how – along with answers to some common questions frequently asked about the GDPR, and some steps you can take to move your business towards compliance.
We’ve seen how technology is disrupting industries both old and new: Uber and Lyft are disrupting transport, Netflix is disrupting how movies and TV shows are produced and consumed, and AI is threatening to disrupt every single industry in ways we never before thought possible. But technology also disrupts the laws and regulations implemented by countries, with the GDPR designed to replace a modern directive that itself was no longer sufficient: Directive 95/46/EC (a data protection directive).
The General Data Protection Regulation is, obviously, centred around data protection, but it doesn’t regulate all data protection. Instead, it is focused on the personal data of individuals, specifically individuals residing in any EU member state. It updates existing – and introduces new – regulations relating to the collection and processing of the personal data of any individual residing in any EU member state. And it doesn’t only apply to businesses and organisations with a physical presence in any EU member state. Businesses and organisations throughout the world will need to be compliant with the GDPR if they collect and process the personal data of any individuals residing in the EU.
The purpose of the regulations is not to make it more difficult for businesses to sell, market, or perform any of their normal business functions. Instead, it is designed to give individuals greater control over who collects and processes their personal data, what it is used for, and how it is kept safe.
It does this by first differentiating between personal data and sensitive personaldata, with personal data being any information which makes it possible to identify an individual – either directly, or indirectly. It includes data such as names, identification numbers, location data, and online identifiers. Sensitive personal data also makes it possible to identify an individual, but through an expanded scope of specific factors, including elements of their physical appearance, physiology, genetics, mental health, economic, cultural, or social identity. The collection and processing of sensitive personal data is not allowed, except under very specific circumstances, with additional requirements in terms of data safety.
Next, the GDPR refines the principle of consent, requiring:
There are provisions within the GDPR for times when consent is not necessary, but these all relate to very specific lawful bases for collecting and processing personal data.
The GDPR then clarifies the rights of individuals in terms of their personal data, broken down as follows:
The GDPR goes into great detail in relation to accountability and governance within businesses and organisations. This addresses matters such as:
Finally, the GDPR introduces new requirements for how personal data is processed to ensure security, along with requirements for how businesses and organisations need to respond to data breaches.
It is important to remember that the GDPR does not affect all businesses and organisations, only those who collect and/or process personal data, either of their clients, or on behalf of another organisation. If you don’t collect or process any personal data of individuals, you have nothing to worry about. And if you do, the primary matter you should be concerned about, is ensuring that you are fully compliant with the requirements of the GDPR. The GDPR should in no way prevent your business from continuing to operate, though it may force you to change some of your processes, making it more difficult to perform some tasks, but never making it impossible to operate.
The heavy fines possible under the GDPR are not meant to harm businesses, but rather to serve as a deterrent against relevant businesses and organisations from ignoring the regulations, and putting the personal data of individuals at risk.
But as with any new regulation, we will have to wait until it is enforced, and new case law established, to ascertain any true material impact on organisations, and individuals, and whether or not this will change over time.
The short answer is, yes. As an individual, the GDPR prescribes when and how organisations and companies can process or control any personally identifiable data relating to you. And if you are part of an organisation or business that processes or controls personal data of any EU individual, the GDPR prescribes when you may do this, and how you should do this. That means that the GDPR doesn’t only apply to businesses and organisations with a physical presence in any EU member state, but also those that offer goods or services to citizens of any EU member state, even if they have no physical presence in the EU.
The General Data Protection Regulation (GDPR) will most definitely affect all forms of cold calling, including cold email marketing. The GDPR sets a high standard for consent, placing an emphasis on leaving the individual (the prospect/customer) in control, and building trust and engagement.
Proper consent under the GDPR means the following:
You should regularly review your records of consent, making sure nothing has changed in terms of the relationship, the processing of the data, or the purpose of the consent. Refresh as necessary.
Will the GDPR affect B2B?
The GDPR specifically applies to individuals, so in the context of B2B relationships – existing and new – the impact of GDPR will depend on the contact information you use to communicate with your B2B clients. Whenever your contact information includes personal data, you would need to follow the regulations relating to explicit – and recorded – consent to opt-in. This would extend to also include regulations regarding data protection.
If, however, your records only include generic contact information (a contact number or email address with no name attached) you don’t necessarily have to record explicit consent, but you must make it easy for the company or organisation to opt-out, and keep a record of this.
"This is an extract of the extensive article "The Ultimate GDPR Guide for Marketers and Businesses" published by Nabeena Malik in AppInstitute on 13 december 2017. We thank you Nabeena Malik for his kindly collaboration and his interest in sharing with our subscribers his deep knowledge about the european directive."
Canada: Please call +1 844 315 4805.
Monday to Friday: 09:00 am - 19:00 pm for immediate assistance. Currently, it is Monday 09:30 am in Rivière-Rouge.