Are you already prepared for the new EU General Data Protection Regulation?
In May 2018, the new General Data Protection Regulation (GDPR), a harmonised data protection regulation implemented Europe-wide, will come into force. It will be directly applicable law in all EU member states. Only minor national differences are expected, possibly through so-called ‘opening clauses’. Marketing companies/advertisers, in particular, should already have informed themselves in order to be prepared.
Strictly speaking, GDPR has already been in force since May 2016, but thanks to a transition period, marketing companies/advertisers are only obliged to apply the regulation to their customer data from 24 May 2018. According to the General Data Protection Regulation, marketing companies/advertisers, publishers as well as technology platforms have to obtain explicit permission from their customers before they can use their data. They also need to be able to state at any time what purpose the customer data is used for.
Image 1: DS-GVO has been in force since 25 May 2016 and will apply in EU member states in 2018. Source: Bitkom
In Germany, data protection reaches a new quality standard through DS-GVO
In comparison to other countries, not everything will change fundamentally in Germany when GDPR comes into force. The EU has modelled some of GDPR’s foundations on German law. This applies in particular to the previous principle of the “Prohibition with the Right of Permission”. Accordingly, all types of processing of personal information are forbidden unless the legislator explicitly permits the processing or the person concerned gives their explicit consent. The new GDPR also maintains the elementary principles of data protection – data minimisation and transparency.
The purpose principle will also remain. This means that personal data can only be collected for “specified, explicit and legitimate purposes”, which rules out the unlimited use of data in the sense of Big Data. GDPR (Art. 6) mentions only a few exceptions to the tight purpose specification (e.g. data use in research). There will be a few changes regarding Big Data for global players such as Microsoft and Facebook. From May 2018, the ‘principle of the market location’ applies instead of the domicile principle. Under the domicile principle, in disputes the laws of the country in which the company had its head office applied. Businesses that want to continue to offer services to EU citizens now need to strictly observe GDPR as implemented in the respective target country. This explicitly includes free services from companies such as Google, Facebook or Microsoft. In future, companies from third countries are also encouraged to name a representative for the EU, who would act as a point of contact for the parties concerned and for regulatory authorities.
EU General Data Protection Regulation: The Right to be Forgotten
Article 12 of the new regulation also sets stricter information duties. Companies have to inform users about the legal basis for data processing and how long data is stored. There is also a disclosure requirement regarding the length of data storage and any data transfer to third parties. These information duties come along with rules concerning information, revocation as well as erasure. Individuals are entitled to have their data erased, which is known as the “Right to be Forgotten”. In contrast to the “Right to Block” personal search engine results postulated by the European Court of Justice, the GDPR refers to erasure directly at the place where the data is stored. In future, there is even a duty for businesses that had previously published data about a person to inform other parties that had also processed the data about the individual’s erasure entitlement.
This new EU General Data Protection Regulation is not a re-invention of existing data protection rights; it merely shifts the emphasis. From 2018 onwards, marketing companies/advertisers face more duties and risks. They not only have to know where, when and which data is being processed, they may also have to document their processing activities (see Art. 30 GDPR).
EU-DSGVO: How companies can best prepare
How would you best prepare for this new general data protection regulation? First of all, organisations should be aware of which types of data processing take place in their operation. For example: 1) When processing and storing staff data, is the data handled on behalf of a third party? 2) Is there collaboration with subcontractors to whom data may be transmitted?
This first, brief analysis demonstrates to many marketing companies/advertisers that more data is processed in their organisation than previously thought, and that this is not limited to staff data. Also, many organisations will realise that they use service providers who process data on their behalf. This can be a complex outsourcing project or a simple software solution.
Image 2: The new GDPR poses challenges to advertising businesses. Companies should, for example, adjust their privacy statements and develop documentation of their data processing activities. Source: Bitkom
Following the analysis, the data processing should be controlled and evaluated. Following the data flow audit, any company processing data has to appoint a data protection officer (Art. 37 ff. GDPR). In addition, a data protection impact assessment/privacy impact assessment (PIA) has to be developed for any type of data processing (Art. 35 GDPR), and existing order processing agreements, data protection notices and consents have to be checked for compliance with the new regulation.
Not only do company-internal processes relating to data handling have to be documented and evaluated; it must also be checked whether all GDPR provisions are complied with, for example when tracking visitors to a website. German companies, in particular, don’t seem to be aware of the urgency. According to a worldwide survey by Veritas, which questioned around 900 senior staff from Europe, Asia and America, almost half of the German respondents (48 percent) did not seem to be prepared for GDPR, even though the regulation is only one year away. This put Germany at the bottom of the league in the EMEA region. The risk of non-compliance is now considerable. In the past, fines have been rare. However, the fines outlined in Articles 83 and 84 of GDPR bring a whole new dimension to the data protection world. The figures mentioned are around 20 million Euro or 4% of worldwide turnover. And beware – there will be people out there looking for opportunities and ready to take court action.
EU Data Protection Reform & Privacy Shield: https://www.bitkom.org/Themen/Datenschutz-Sicherheit/Datenschutz-Sicherheit/Inhaltsseite.html
EU General Data Protection Regulation: https://www.bitkom.org/Themen/Politik-Recht/EU-internationale-Politik/EU-Datenschutzgrundverordnung.html
Data Protection Regulation: What businesses need to do: https://www.haufe.de/marketing-vertrieb/online-marketing/datenschutzgrundverordnung-was-unternehmen-tun-muessen_132_411504.html
General Data Protection Regulation: What is changing: https://www.haufe.de/marketing-vertrieb/online-marketing/datenschutzgrundverordnung-die-aenderungen_132_411052.html
Poorest Performer Germany – Businesses are badly prepared for the General Data Protection Regulation: http://blog.wiwo.de/look-at-it/2017/04/25/schlusslicht-deutschland-unternehmen-schlecht-auf-datenschutz-grundverordnung-vorbereitet/