The European regulation (GDPR) imposes two major obligations on organisations of all sizes: protecting the personal data they hold on individuals (customers, prospects, partners…) and respecting those individuals' rights (processing type, legitimate interest, access, rectification, erasure…).
While the second obligation (the individuals' rights) is, in most cases, satisfied by a rational and justified data collection (processing for a legitimate purpose), "marketing" use is bound by new rules. Before the GDPR, consent was implicitly presumed (for example, for the use of website cookies). Now prior explicit consent is mandatory for marketing uses (a double "opt-in" is imposed on forms). You are no longer allowed to collect everything on anyone, and each request for information has to be justified. Furthermore, the individuals concerned have a right of inspection throughout the data's lifecycle inside the organisation.
The rights of individuals have many implications for the different departments that collect and use personal data on a large scale. In practice, data protection is essential when:
- accessing "production" data: the rise of cyberattacks and other data breaches represents a threat that is real and likely enough to materialise, which motivates the need for constantly updated security protocols
- sharing data outside "production", such as transfers and copies within the organisation (or to subcontractors), environments that generally lack adequate security
What are personal data?
According to the regulation, personal data are "any information relating to a natural person (data subject)": data, or a dataset, allowing a person to be identified (or re-identified).
The GDPR defines different levels of sensitivity according to the type of data: general data, health data, biometrics, etc. Holding data classified as highly sensitive requires specific risk assessments of the impact on data subjects' rights (PIA: Privacy Impact Assessment).
There are multiple reasons for collecting data and multiple uses of this data. Each department of the organisation has specific needs (invoicing, marketing, contracts, analysis…). The GDPR is not about constraining business productivity, but rather about empowering everyone (the users of the data) to protect the digital privacy of those whose data is being "used".
Since data processing naturally includes the processing of personal data, this is where compliance with the European regulation becomes unavoidable.
Do you already have your DPO?
Any public body or any company processing data on a large scale must appoint a data protection officer (DPO) responsible for ensuring that customers' rights are respected. The DPO has to:
- have an exhaustive view of all personal data managed by the company
- inform data subjects about all the data held on them
- answer data subjects' requests for modification or erasure of their data
- ensure the legality of the data collected by the company
The DPO has the right to assess protection mechanisms and the legitimacy of processing. He or she is the contact person both for customers with inquiries about their personal data and for the national supervisory authority (CNIL in France, Autorité de Protection des Données in Belgium…).
The GDPR is a major challenge for all organisations based in Europe. Managed intelligently, the European regulation is a great opportunity for anyone who turns compliance into a profit centre.