
GDPR: The 6 Commandments

The GDPR (General Data Protection Regulation), the European regulation on personal data protection adopted in 2016, will be enforceable as of May 25th of this year. Is your company not yet in compliance with this new European regulation? Do you still have questions after multiple meetings with your lawyers?

The GDPR doesn’t have to be a disaster! Au contraire, it can be the opportunity to strengthen the relationship of trust between your company and its clients, and to get a grip on your data. The regulation applies directly in all 28 member states of the European Union and seeks to better protect personal data. It was designed to respond to evolving customer behaviours, which are changing rapidly with the digital revolution, and it protects citizens’ rights to the protection of, and access to, their data. User trust and data security are two essential strategic elements for healthy and sustainable brand development. Users are increasingly concerned about the security of their private lives and their data on the Internet (the Cambridge Analytica/Facebook scandal is a good example!), and they must be able to take back control of their personal data. Many companies, across industries and departments, use personal data for recruitment, prospecting and targeting. Yet many of them still don’t know where to begin. No panic! Here are six principles to abide by in order to understand the GDPR.

1. Thou shalt seek consent

The first pillar of the GDPR is often overlooked on the internet: data may only be processed on a lawful basis, and for most marketing uses that basis is the unambiguous consent of the person the data concerns. Opting in, already common practice for e-mail campaigns, must be extended to all types of collected data: a pre-ticked box or silence does not count. Consent is not the only lawful basis, however. The regulation also allows processing that is necessary for a contract between the company and the user, or for the company’s legitimate interests, provided those interests are not overridden by the rights of the person concerned.

For transparency, consent must be obtained separately for each purpose the processed data will serve. For example, a user who agrees that a company may use his or her data to send a newsletter has not thereby agreed that the data be shared with a partner.

Informed consent

The GDPR defines consent of the user as “any freely given, specific, informed and unambiguous indication of the data subject’s wishes by which he or she, by a statement or by a clear affirmative action, signifies agreement to the processing of personal data relating to him or her.”

Source: GDPR, Chapter 1, Article 4(11)

2. Thou shalt communicate information

Even before obtaining consent, the company in charge of data processing must be able to communicate clear information about how the data will be used, so that users can exercise their rights.

How is my data collected? Where is it stored, and for how long? Can I move my data from one provider to another by invoking my right to portability? If I change my mind, can I have it deleted under the right to erasure (the “right to be forgotten”)? In short, companies must be able to tell users how much control they will have over their personal data.

Additionally, this information must be presented in an easily understood manner, without burying it in technical or legal detail. Professionals must therefore write clear and informative messages that explain their data processing policy to users as plainly as possible, and the information must be easy to find. Transparency is the magic word!

3. Thou shalt define purposes and restrictions

The purposes for which data is collected must be specified by the company ahead of time, and it goes without saying that they must be both legitimate and explicit. A “reasonable” retention period must also be defined for data use and storage. As the ICO’s “Guide to data protection” puts it, “Personal data processed for any purpose or purposes shall not be kept for longer than is necessary for that purpose or those purposes.” The French CNIL, for example, recommends that a prospect’s data be erased if the company has had no contact with him or her for three years.

4. Thou shalt respect accuracy

Collected data must be accurate and, where necessary, kept up to date. Inaccurate data must be corrected or deleted from the company’s records. This principle is recognised beyond the EU: in Spokeo, Inc. v. Robins (2016), the United States Supreme Court considered whether an individual could sue the people-search site Spokeo over an erroneous consumer profile built from inaccurate data. The Court sent the case back to the lower courts to examine whether the harm was concrete, but the dispute illustrates the point: inaccurate data can indeed harm consumers. This is why the company that processes data is also responsible for keeping it accurate and up to date.

5. Thou shalt prioritise security

Security risks are one of the biggest challenges in today’s digital landscape. The idea is, on the one hand, to put technical and organisational measures in place that protect user data, and on the other hand to define clear and efficient procedures that limit the damage in the event of a hack or a data leak. The regulation adds a deadline here: once a company becomes aware of a personal data breach, it must in principle notify its supervisory authority within 72 hours, and must inform the affected people when the breach is likely to put their rights at high risk. There have been many personal data incidents in recent years: Snapchat in 2014, Uber in 2016, Instagram in 2017, and Facebook in 2018. No one is safe!

6. Thou shalt assume thine responsibilities

The last, but certainly not least, founding principle of the GDPR is accountability: the company processing data must be able to demonstrate at any time that its data and its processing procedures are lawful and compliant, from collection to analysis. This principle is particularly important because the regulation strengthens it considerably compared with the 1995 Data Protection Directive.
To carry this out, the regulation requires many organisations (public authorities, and companies whose core activities involve large-scale monitoring of individuals or large-scale processing of sensitive data) to appoint a single point of reference who advises decision makers and data processors: the Data Protection Officer. Other companies may appoint one voluntarily.
Failure to respect these principles can incur heavy sanctions. Fines can reach €20 million ($22.1 million) or 4% of worldwide annual turnover, whichever is higher. Better safe than sorry!


For more tips on preparing for the GDPR, check out the ICO’s official guide.

Sources:
eMarketer, Western Europe Digital Trends for 2018
Official site of the CNIL authority

Translated from French by Niamh Cloughley.


23-04-2018

Publisher: 55 SAS, 5-7 rue d'Athènes, 75009 Paris

Publication director: Lan Anh Vu Hong

Photo credits: Mats Carduner, Adobe Stock & Unsplash
