If you have been putting off establishing or reviewing your company's data and security policies because you think GDPR will not impact you, it is time to think again.
The GDPR came into force on May 25, 2018.
Research indicates that only 20% of US, UK, and EU companies are fully GDPR compliant. Thirty percent of companies have not begun to create their GDPR compliance policies, much less implement them. Disregarding GDPR is a risky proposition.
As of November 15, 2020, Tessian reported that:
- Google received the biggest fine so far in 2020: €50 million ($56.6 million).
- Over 220 fines were handed out for GDPR violations in the first 10 months of 2020.
- The total amount of fines issued so far in 2020 exceeds €175 million ($240,289,875).
- Between 2018 and 2019, the average number of fines issued per month increased by 260%.
- July 2020 saw the highest number of fines issued in a single month since the GDPR was introduced: a total of 45.
- Misdirected emails have been the primary cause of data loss reported to the Information Commissioner’s Office (ICO).
GDPR is a regulation that protects the personal data and privacy of individuals in the EU/EEA. Its reach is not limited to organizations located there. Article 3 of the GDPR, which defines the law's territorial scope, applies it to controllers and processors established in the EU/EEA and also to those outside the EU/EEA that offer goods or services to individuals in the EU/EEA or monitor their behaviour (for example, by tracking website visitors). A business anywhere in the world that serves or tracks EU/EEA residents is therefore in scope.
Additionally, the global pandemic has shone a light on both the need to protect individuals' private data and the need to share data safely, without fear of further endangering people and businesses through cybercriminal activity, "when it is necessary for reasons of public interest in the area of public health, such as protecting against serious cross-border threats to health."
Cybercrime during the pandemic has grown at an alarming rate as evidenced by these recent headlines:
Global Cybercrime Surging During Pandemic "Interpol: Fraudsters Shifting Focus to Governments, Health Infrastructure, Corporations"
New Security Gladiators Report Details Shocking Cybercrime Trends Emerging During the COVID-19 Pandemic Security Gladiators, a cybersecurity news publication, released an in-depth report detailing shocking cybercrime schemes, cases, facts, and statistics emerging during the COVID-19 pandemic.
Global leaders, scientists, and medical professionals are in agreement that the pandemic must be addressed with a unified global approach in order to be successful. GDPR is leading the way for the same type of global initiative to address data security and combat cybercrime.
As you familiarize yourself with the basics of GDPR, consider approaching data security with these steps:
- Assess your company's data security and privacy policies.
- Strengthen and update them as needed, according to your industry's most recent privacy regulations.
- Repeat steps 1 and 2 regularly.
LMG always recommends consulting your lawyer for legal advice.
The remainder of this post will step you through what GDPR is by outlining:
- The essential terminology for a basic understanding of GDPR
- GDPR’s data protection principles and an illustration of each
- The lawful bases for processing data as defined by GDPR, with examples written in straightforward, non-legalese language.*
GDPR replaces the Data Protection Directive (Directive 95/46/EC, adopted in 1995 and implemented in national law over the following years, for example by the UK's Data Protection Act 1998), which was designed to protect personal data stored on computers or in an organized paper filing system. That directive was put in place to protect the individual's legal right to control information about them. Most of the Data Protection Directive did not apply to purely domestic use, for example keeping a personal address book; rather, it established that anyone processing and controlling personal data for other purposes was legally obligated to comply with its protections of the individual's right to privacy.
Fast forward 20 years and GDPR picks up where the Data Protection Directive left off in an entirely different data universe, birthed from the vast advances and expansion of technology in the day-to-day lives of individuals. Below are core components of the new regulations. Everyone processing and controlling data on individuals will need to update their collection methods, policies, and mechanisms for gathering, securing, and retaining data. Those individuals in the EU whose data has been shared or collected are empowered by the GDPR to maintain control over their data. It is reasonable to expect global adoption of these regulations as influential organizations comply and assimilate.
Before diving into the core components of GDPR, let's define three key terms central to understanding it.
Controller - The natural or legal person, public authority, agency, business, or other body which, alone or jointly with others, determines the purposes and means of the processing of personal data
Example: An organization whose marketing and IT teams collect contact details from potential customers and decide how and why those details will be used. Note that the controller is the organization itself, not the individual team; the teams act on its behalf.
Processor – The natural or legal person, public authority, agency, business, or other body that processes personal data on behalf of the controller
Example: The automated marketing platform a business uses to attract visitors to their website and generate leads through a contact form
Processing – Any operation or set of operations that is performed on personal data or on sets of personal data, whether or not by automated means, such as collection, recording, organization, structuring, storage, adaptation, or alteration, retrieval, consultation, use, disclosure by transmission, dissemination, or otherwise making available, alignment or combination, restriction, erasure, or destruction
Example: The organization of data collected via a telephone call, a website form, or an in-person visitor by a business in a CRM
GDPR Data Protection Principles
Personal data shall be:
- Processed lawfully, fairly, and in a transparent manner
- Collected for specified, explicit, and legitimate purposes and not further processed in a manner that is incompatible with those stated purposes
- Adequate, relevant, and limited to what is necessary to achieve the purposes for which they are processed
- Accurate and, where necessary, kept up to date; every reasonable step must be taken to ensure that personal data that is inaccurate, having regard to the purposes for which it is processed, is erased or rectified without delay
- Kept in a form that permits identification of individuals for no longer than is necessary for the purposes for which it is processed, which in practice means having a system that identifies data that is no longer needed
- Processed in a manner that ensures appropriate security of the personal data, including protection against unauthorized or unlawful processing and against accidental loss, destruction, or damage, using appropriate technical or organizational measures
Example: Before a website visitor submits a form, the purpose of the data collection must be presented in clear language and in an obvious format. The visitor must acknowledge that they have been given that information before submitting their data.
Example: Once data has been submitted via a website form, the data must not be used for any purpose(s) other than the specific purpose indicated before the visitor submitted the form.
Example: The website form cannot request any data that is not necessary to achieve the specific purpose(s) indicated before the visitor submitted the form. If a newsletter sign-up only needs an email address, asking for a postal address or date of birth is not "limited to what is necessary."
Example: Data gathered via a website form should be checked for accuracy where practical (for example, by confirming an email address) and the visitor must be given a way to have it corrected. GDPR does not prescribe follow-up on every submission, but once data is known to be inaccurate it must be corrected or erased without delay.
Example: A manual or automated review of the data collected via website forms is required to determine whether it is still necessary to hold the data to achieve the specific purpose(s) indicated before the visitor submitted the form. If the data is no longer needed for the purpose(s) for which it was gathered, GDPR requires that it be deleted unless the visitor explicitly permits otherwise (for example, to maintain purchase history) or another lawful basis applies, such as a legal obligation to retain transaction records.
Example: All data collected through a website form must be stored in a secured environment with measures appropriate to the risk. Article 32 names pseudonymisation and encryption of personal data; the ability to ensure the ongoing confidentiality, integrity, availability, and resilience of processing systems; the ability to restore access to data promptly after an incident; and regular testing of those measures. Companies should choose controls that meet these requirements and the standards of their industry.
GDPR Lawful Bases for Processing
Processing shall be lawful only if and to the extent that at least one of the following applies:
- The data subject has given consent to the processing of his or her personal data for one or more specific purposes.
- Processing is necessary for the performance of a contract to which the data subject is party or in order to take steps at the request of the data subject prior to entering into a contract.
- Processing is necessary for compliance with a legal obligation to which the controller is subject.
- Processing is necessary in order to protect the vital interests of the data subject or of another natural person.
- Processing is necessary for the performance of a task carried out in the public interest or in the exercise of official authority vested in the controller.
- Processing is necessary for the purposes of the legitimate interests pursued by the controller or by a third party, except where such interests are overridden by the interests or fundamental rights and freedoms of the data subject which require protection of personal data, in particular where the data subject is a child.
Example (consent): On a website form, after being presented with the purpose of the data collection in clear language and an obvious format, the website visitor actively elects to share their data via the form submission. Consent must be freely given and specific; a pre-ticked box does not qualify.
Example (contract): A website visitor contracts to purchase products or services and completes a form to facilitate that transaction.
Example (legal obligation): A website visitor provides information via a website form that the business needs to meet a legal obligation, such as a sales tax exemption number required by tax law.
Example (legal obligation): A website visitor provides a birthdate via a website form so that the business can confirm the visitor is of legal age to request the transaction or service, where the law requires that check.
Example (public task): A website visitor provides information on a form to inform county officials of facts that would qualify or disqualify them from serving as a juror.
Example (legitimate interests): A business collects data via a GDPR-compliant website form, organizes it for compliant storage, and uses it to deliver information or other services to the visitor for the purpose stated at the time of submission, having first confirmed that this use does not override the visitor's own interests, rights, and freedoms.
These are the basics of GDPR provided to help you begin the conversations, preparation, and implementation necessary for GDPR compliance particularly with respect to digital marketing. As the internet community reacts and adapts to these privacy regulations, we will continue to explore the topic in future posts. There is significantly more to GDPR compliance than what has been outlined in this post. We strongly encourage more in-depth research and seeking legal advice as you address your business's needs to become GDPR compliant.
Want to learn more about how data privacy impacts your sales and marketing efforts? Contact LMG
This information is not the same as legal advice, in which an attorney applies the law to your specific circumstances. We strongly recommend that you consult an attorney if you would like advice on your interpretation of this information or its accuracy. This disclaimer explicitly states that you may not rely on this post as legal advice, nor as a recommendation of any particular legal understanding.
Editor's Note: This post was originally published in April 2018 and has been updated for accuracy, relevancy, and comprehensiveness.