The General Data Protection Regulation, also commonly known as GDPR, was approved by the EU parliament on April 14, 2016 and will be applied on May 25, 2018. This new EU regulation will set new rules to protect the personal data of EU citizens, and companies will need to comply with it or face large fines. To help your company better understand what’s to come in May and how to best prepare to ensure you are compliant, I have interviewed Matthieu Huet, iAdvize's General Counsel, our very own in-house GDPR expert.
The GDPR aims at protecting citizens from privacy and data breaches in an increasingly data-driven world that is vastly different from the time in which the current EU directive was established. Although the key principles of data privacy are still true to the previous directive, many changes have been proposed to the regulatory policies, such as new rights for data subjects (reinforced rights, basically) and a lot of new obligations or requirements for both data controllers and data processors.
What about non-EU residents?
This new regulation applies to the processing of personal data of data subjects who are in the European Union. This means the notion of data subject is wider than an EU citizen or resident: where no EU presence exists, the GDPR will still apply whenever EU personal data is processed in connection with goods or services offered to him or her, or whenever the behavior of individuals within the EU is monitored.
What are the GDPR requirements and deadlines for businesses?
There are many new requirements for businesses. First, with the principle of accountability, which is a very strong new obligation, there is an explicit obligation for the controller and the processor to be able to demonstrate and document their compliance with the GDPR. As far as consent is concerned, it will be spelled out more clearly for data subjects. And for the data subjects, there are new reinforced rights such as access, rectification, restriction or the right to be forgotten, for example. When and where will it be applied? It will be applied as from May 25th, 2018.
Who’s impacted by this regulation?
Almost every single company in the world, to the extent that such companies are doing business in the EU. Even though you’re not operating a SaaS technology, if you process the personal data of your employees, for example, you’ll have to comply with the GDPR, so I would say a large range of companies are concerned with the GDPR.
Why, in your opinion, is it important for businesses to be GDPR compliant?
It is part of the social responsibility of each company to make sure that the privacy of their customers remains private! Data protection authorities will be entitled to impose fines up to 4% of the annual turnover or 20 million euros, whichever is higher, so obviously we all need to comply with the GDPR.
As you have been working these past few months to make iAdvize GDPR compliant, what would be your tips for businesses that are also working to be GDPR compliant?
I would advise creating an internal taskforce and onboarding key employees from almost every department: R&D, but also representatives from Legal, IT or HR, for example. The first step would be to make a privacy impact assessment and to be able to identify what kind of personal data your organization processes, the location of the servers and so on. This taskforce should also have total liberty to work on these subjects, since the GDPR requires that the DPO (the Data Protection Officer) operate independently and without instructions from their employer on the way they carry out their tasks. That’s very important! The DPO and the GDPR taskforce should also have total liberty to work on this subject.
Which best practices would you advise businesses to implement before the 25th of May 2018?
Reviewing the way businesses work with their service providers, by making sure that they do comply with the GDPR and that Data Processing Agreements are properly in place. As far as the accountability principle is concerned, we’d also recommend setting new GDPR privacy policies and documenting, as much as possible, the way personal data is processed across your company.
At iAdvize we’re working with digital and marketing managers. What do they need to know about the GDPR?
The first thing is that they need to know that the GDPR also applies to marketing activities, as the GDPR makes no distinction between a personal and a business email address. So the GDPR will change the way marketers communicate with their customers. Marketing managers should think about new information notices for both Inbound and Outbound Marketing activities and implement, for example, a double opt-in process. It is very important to keep records of the subscribers who have opted in to your communications. The consent needs to be provable.
We’ve been talking about businesses over this podcast, but what about online users?
They will have reinforced rights, and now they will have clear and understandable information about how the website actually processes their personal data.
How will the requirements of the GDPR impact the online user experience, and in your view, will it be in a positive or negative way?
I strongly believe that this will have a positive impact on the online user experience. Although the GDPR sets new obligations for data controllers and processors, it is also clear that this will have no impact on the user experience of the data subjects, so soon we will see a lot of businesses coming out with user-friendly privacy centers, and iAdvize is very committed to offering a more human and smooth interaction between websites and their online visitors.
I hope you’ve all learnt more about the GDPR, and if you have any questions about this really important subject, please comment in the comment section below. See you soon for another podcast!