GDPR Changing Mindset
1. GET INTO THE GDPR MINDSET
IT, legal, marketing and sales departments are all affected by the European Union's General Data Protection Regulation (EU GDPR). EU GDPR is more than an IT governance issue: it affects the IT architecture and the user journey of your online and offline data capture processes.
2. Do you know why you are collecting data?
Why are you collecting the data? Is it to own data in order to sell it, to license data, to optimise processes, or to profile data and sell products based on profiles of consumers?
There are a lot of legal choices and automatic rights that individuals will gain under the new GDPR, and designing data management processes to be compliant by default is written into the legislation. The regulation covers organisations in the EU, and the use of personal data about EU citizens by anyone in the world. If your organisation stores information about an EU citizen, you need to comply, regardless of local laws, or you risk being prevented from trading with the EU.
As companies update their data protection and privacy policies and procedures in the coming months, we will see the market reshape how data is processed, stored and protected, and become its own regulator from May 25, 2018.
3. How business mindsets will change with GDPR
GDPR is a regulation that harmonises data privacy laws across Europe and has been hailed as the most important change in data privacy regulation in 20 years.
The legislation, which comes into force on 25th May 2018, will protect and empower all EU citizens in terms of access to personal data and reshape the way organisations across the region approach data privacy.
4. Six principles of GDPR
GDPR is a long-term outlook for companies to regulate the data collected, processed and analysed about consumers. If the company as a whole can design its data management architecture in line with GDPR, and partner with companies that are already GDPR compliant, you'll only have to do it once to be set for May 2018.
Accountability is at the core of GDPR. Article 5 of the regulation outlines the six core principles of what personal data should be, and how the data controller will be responsible for, and able to demonstrate, compliance with all six principles.
5. Personal data shall be:
1. Processed lawfully, fairly and in a transparent manner in relation to individuals;
2. Collected for specified, explicit and legitimate purposes and not further processed in a manner that is incompatible with those purposes;
3. Adequate, relevant and limited to what is necessary in relation to the purposes for which they are processed;
4. Accurate and, where necessary, kept up to date; every reasonable step must be taken to ensure that personal data that are inaccurate are erased or rectified without delay;
5. Kept in a form which permits identification of data subjects for no longer than is necessary for the purposes for which the personal data are processed;
6. Processed in a manner that ensures appropriate security of the personal data.
6. Do GDPR right the first time round
GDPR requires a much higher standard of consent compared to the current regulation. Incorporating this into your everyday work life will ensure you avoid a fine of up to €20 million or 4% of global turnover (whichever is higher).
Every department needs to follow the principles, and every department needs to understand, or have access to, the rights of consumers.
7. What to consider when gaining consent
• Opt-out consent is no longer an option
• A person has to opt in
• You have to prove that you have consent
• A person has the right to withdraw their consent at any time
• Consent has to be freely given; for example, a download of content cannot be dependent on consent
• Specific and informed: what is the data going to be used for
• Unambiguous: a clear consent form with binary options and technical settings switched away from the default
9. Business concepts GDPR has changed
Unambiguous consent
One of the headline rulings is the introduction of 'unambiguous consent' before consumers' personal or behavioural data can be used for marketing purposes.
By building a strong starting point for consumers and companies, unambiguous consent will give consumers confidence knowing what data is collected, why, and what companies do with the data.
10. Transparency and consent
Permissions must be given for the use of information provided, and individuals must consent to the sharing of their personal data.
Individuals have the right to submit a Subject Access Request, whereby the company must share a copy of the individual's information.
The information includes whether any personal data is processed about them, what it is and the reason why it is processed, and whether it will be given to any other organisations or people.
30-day deadline
Companies have a 30-day deadline from receipt of a Subject Access Request to deliver a copy of the information outlined in the "Transparency and consent" section about the individual who submitted the request.
11. Pseudonymization
A privacy-enhancing technique where the information that allows data to be attributed to a specific person is held separately, so that the person cannot be identified without additional information.
Pseudonymization allows personal data to be used more liberally, because the data is only identifiable when the 'additional information' is added.
Personal data breach
A new notification rule that will apply to all data controllers, regardless of their sector, covering unauthorised access and cases where an employee accidentally alters or deletes personal data.
For example, there may be 'pseudonymised' data that becomes identifiable. The data controller then has 72 hours to identify and report the personal data breach to the supervisory authority.
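The separation this slide describes, as an added example that is not part of the original deck: the analytic table keeps only a keyed token (an HMAC under a secret key), while the direct identifiers and the key are held apart as the 'additional information'; with the key, subject access and erasure (slides 10 and 12) still work, and without it the table on its own names nobody. The records, field names and key are constructed for the example.

```python
import hashlib
import hmac

# Constructed sample records: invented people, not real data.
CUSTOMERS = [
    {"email": "alice@example.com", "name": "Alice Example", "region": "North", "orders": 3},
    {"email": "bob@example.com", "name": "Bob Example", "region": "South", "orders": 1},
    {"email": "alice@example.com", "name": "Alice Example", "region": "North", "orders": 2},
]
DIRECT_IDENTIFIERS = ("email", "name")

def make_pseudonym(key: bytes, email: str) -> str:
    """Keyed, deterministic token: same person -> same token, but without `key`
    the token cannot be recomputed from a guessed e-mail address."""
    return hmac.new(key, email.strip().lower().encode(), hashlib.sha256).hexdigest()[:16]

def pseudonymise(records: list, key: bytes) -> tuple:
    """Split records into an analytic table (token plus non-identifying fields)
    and a separately held vault mapping token -> direct identifiers."""
    analytic, vault = [], {}
    for rec in records:
        token = make_pseudonym(key, rec["email"])
        analytic.append({"subject_token": token,
                         **{k: v for k, v in rec.items() if k not in DIRECT_IDENTIFIERS}})
        vault[token] = {k: rec[k] for k in DIRECT_IDENTIFIERS}
    return analytic, vault

def contains_direct_identifiers(analytic: list) -> bool:
    """Release check: the analytic table alone must carry no direct identifier."""
    return any(k in DIRECT_IDENTIFIERS for row in analytic for k in row)

def rows_for_subject(email: str, key: bytes, analytic: list) -> list:
    """Subject access: the key is the 'additional information' needed to find a person's rows."""
    token = make_pseudonym(key, email)
    return [row for row in analytic if row["subject_token"] == token]

def reidentify(row: dict, vault: dict) -> dict:
    """Join an analytic row back to its identifiers; only possible with the vault."""
    return {**row, **vault[row["subject_token"]]}

def erase_subject(email: str, key: bytes, analytic: list, vault: dict) -> int:
    """Right to erasure: drop the subject's rows and vault entry; returns rows removed."""
    token = make_pseudonym(key, email)
    before = len(analytic)
    analytic[:] = [row for row in analytic if row["subject_token"] != token]
    vault.pop(token, None)
    return before - len(analytic)
```

The key and the vault are what turn the analytic table back into personal data, so they belong in a separate store with their own access controls; if either leaks alongside the table, the data is identifiable again and the 72-hour clock above starts.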
12. Data protection by design and default
This new concept means privacy should be a feature of product development at the beginning stages, rather than an afterthought once the product design and user experience have been explored. Get it right the first time, and you'll only have to do it once. Starting now, and not days before the deadline, also ensures your company avoids violations of the GDPR while privacy policies are being updated.
Enhanced rights
Contacts have the right to be forgotten, as well as data portability rights and the right to object to automated decision making. Data portability means that an individual has the right to gain access to their personal data to use across another service. Automated decision-making also means that a person can request human intervention when decisions are being made using their personal data.
13. Data has a new definition
The definitions of "Personal Data" and "Sensitive Data" have been expanded. Personal Data means data which relate to a living individual who can be identified:
(a) from those data, or
(b) from those data and other information which is in the possession of, or is likely to come into the possession of, the data controller, and includes any expression of opinion about the individual and any indication of the intentions of the data controller or any other person in respect of the individual.
Sensitive Personal Data means personal data consisting of information as to:
(a) the racial or ethnic origin of the data subject,
(b) his political opinions,
(c) his religious beliefs or other beliefs of a similar nature,
(d) whether he is a member of a trade union (within the meaning of the Trade Union and Labour Relations (Consolidation) Act 1992),
(e) his physical or mental health or condition,
(f) his sexual life,
(g) the commission or alleged commission by him of any offence, or
(h) any proceedings for any offence committed or alleged to have been committed by him, the disposal of such proceedings or the sentence of any court in such proceedings.