GDPR basics, that’s an oxymoron. Nonetheless, the goal of this post is to give our readers basic information about General Data Protection Regulation in simple language. It is a place to start. And start we must because these regulations go into effect on May 25, 2018. If you are under the impression that EU regulations do not concern you because you and your business are outside the EU, there is a slim chance that is true for now. However, it is unlikely to stay true for the long run.
This post will step you through what GDPR is by outlining:
- The essential terminology for a basic understanding of GDPR
- GDPR’s data protection principles and an illustration of each
- The lawfulness basis for processing data as defined by GDPR with examples written in straightforward, non-legalese language.*
GDPR replaces the Data Protection Directive (1998) that was designed to protect personal data stored on computers or in an organized paper filing system. That directive was put in place to protect the individual legal right to control information about them. Most of the Data Protection Directive did not apply to domestic use, for example, keeping a personal address book; rather it was designed to establish that anyone processing and controlling personal data for other purposes was legally obliged to comply with this Directive protecting the individual’s right to privacy.
Fast forward 20 years and GDPR picks up where the Data Protection Directive left off in an entirely different data universe, birthed from the vast advances and expansion of technology in the day-to-day lives of individuals. Below are core components of the new regulations. Everyone processing and controlling data on individuals will need to update their collection methods, policies, and mechanisms for gathering, securing, and retaining data. Those individuals in the EU whose data has been shared or collected are empowered by the GDPR to maintain control over their data. It is reasonable to expect global adoption of these regulations as influential organizations comply and assimilate.
Before diving into the core components of GDPR, let's define three key terms central to understanding GDPR.
Controller - The natural or legal person, public authority, agency, business, or other body which, alone or jointly with others, determines the purposes and means of the processing of personal data.
Example: The marketing and IT team of an organization seeking data from potential customers for their business.
Processor - The natural or legal person, public authority, agency, business, or other body that processes personal data on behalf of the controller.
Example: The automated marketing platform a business uses to attract visitors to their website and generate leads through a contact form.
Processing - Any operation or set of operations that is performed on personal data or on sets of personal data, whether or not by automated means, such as collection, recording, organization, structuring, storage, adaptation or alteration, retrieval, consultation, use, disclosure by transmission, dissemination or otherwise making available, alignment or combination, restriction, erasure, or destruction.
Example: The organization of data collected via a telephone call, a website form, or an in-person visitor by a business in a CRM.
GDPR Data Protection Principles
Personal data shall be:
- Processed lawfully, fairly, and in a transparent manner
- Collected for specified, explicit, and legitimate purposes and not further processed in a manner that is incompatible with those stated purposes
- Adequate, relevant, and limited to what is necessary to achieve the purposes for which they are processed
- Accurate and kept up to date; every reasonable step must be taken to ensure that personal data that is inaccurate or unnecessary to achieve the purposes for which it is processed is deleted or updated without delay
- Maintained with systems that will identify the data that is no longer necessary to achieve the purposes for which it was processed
- Processed in a manner that ensures appropriate security of the personal data, including protection against unauthorized or unlawful processing and against accidental loss, destruction, or damage, using appropriate technical or organizational measures
Example: Before a website form is submitted, the purpose of the data collection must be provided in clear language and in an obvious format. The website visitor must acknowledge that they have been provided with that information before submitting their data.
Example: Once data has been submitted via a website form, the data must not be used for any purpose(s) other than the specific purpose indicated before the visitor submitted the form.
Example: The website form cannot request any data that is not necessary to achieve the specific purpose(s) indicated before the visitor submitted the form.
Example: Data gathered via a website form will require follow-up with the visitor to confirm accuracy of the data submitted and allow for it to be corrected.
Example: A manual or automated review of the data collected via website forms is required to determine whether it is still necessary to hold the data to achieve the specific purpose(s) indicated before the visitor submitted the form. If the data is no longer needed to achieve the purpose(s) for which it was gathered, GDPR requires that it be deleted unless the visitor explicitly permits otherwise, for example, to maintain purchase history.
Example: All data processed in accordance with GDPR through a website form must be stored in a secured environment. Companies will need to employ methods to ensure the security of the data appropriately per the standards of their industry.
GDPR Lawfulness Basis for Processing
Processing shall be lawful only if and to the extent that at least one of the following applies:
- The data subject has given consent to the processing of his or her personal data for one or more specific purposes.
- Processing is necessary for the performance of a contract to which the data subject is party or in order to take steps at the request of the data subject prior to entering into a contract.
- Processing is necessary for compliance with a legal obligation to which the controller is subject.
- Processing is necessary in order to protect the vital interests of the data subject or of another natural person.
- Processing is necessary for the performance of a task carried out in the public interest or in the exercise of official authority vested in the controller.
- Processing is necessary for the purposes of the legitimate interests pursued by the controller or by a third party, except where such interests are overridden by the interests or fundamental rights and freedoms of the data subject which require protection of personal data, in particular where the data subject is a child.
Example: On a website form, after being presented with the purpose of the data collection in clear language and an obvious format, the website visitor elects to share their data via the form submission.
Example: A website visitor contracts to purchase products or services and completes a form to facilitate that transaction.
Example: A website visitor elects to provide information via a website form to allow the business to complete a transaction or service that requires certain data to meet a legal obligation such as a sales tax exemption number to abide by tax laws.
Example: A website visitor elects to provide information via a website form to allow the business to complete a transaction or service that requires certain data to meet a legal obligation such as a birthdate to determine that the visitor is of legal age to request the transaction or service.
Example: A website visitor provides information on a form to inform county officials of data that would qualify/disqualify them to participate as a juror.
Example: A business collects data via a GDPR-compliant website form, organizes the data for compliant storage, and uses the data to deliver information or other services to the website visitor per the purpose stated at the time of the form submission.
These are the basics of GDPR, provided to help you begin the conversations, preparation, and implementation necessary for GDPR compliance, particularly with respect to digital marketing. As the internet community reacts and adapts to these privacy regulations, we will continue to explore the topic in future posts. There is significantly more to GDPR compliance than what has been outlined in this post. We strongly encourage more in-depth research and seeking legal advice as you address your business's needs to become GDPR compliant.
This information is not the same as legal advice, where an attorney applies the law to your specific circumstances. We strongly recommend that you consult an attorney if you’d like advice on your interpretation of this information or its accuracy. This disclaimer is explicitly stating that you may not rely on this website post as legal advice, nor as a recommendation of any particular legal understanding.