The General Data Protection Regulation was passed on the 25th of May, 2018, and is meant to ensure greater data transparency and security by allowing customers more control over their data, and simplifying the legal environment in which businesses operate.
An overview of the most relevant terms
To start, the GDPR concerns both personal data and pseudonymous data. Personal data refers to any information that can personally identify a customer. This includes elements that can be used in combination to identify a person, such as address, ID number, health information, biometric data, genetic data, sexual orientation, political views, and others. IP addresses and cookie data do not fall into this category, surprisingly.
Pseudonymous data refers to the same data elements mentioned above. However, if the combination of data elements does not identify a person, it is not protected by the GDPR. The problem arises when the data points to a pseudonymous account that can be linked to a real person using encrypted data or other processes. In that case, the data is protected by the GDPR.
The GDPR grants customers the Right to Erasure, which means that any customer can ask a business to delete any information it holds on them. The legislation also applies globally, to any company that processes or controls the personal data of citizens within the EU. On top of that, any data currently held by a company has to be proven to be consensual. In other words, all data that was gathered before the legislation came into effect will have to be removed if there is no proof of explicit consent.
The legislation requires companies to have a Data Protection Officer, who is in charge of ensuring compliance with the GDPR. The role will also be responsible for the company’s data protection strategy, performing routine privacy audits, responding to data subject requests, training employees in data compliance practices, and other related tasks.
The GDPR also refers to data controllers and data processors. Data controllers are the company employees that use personal data. In most cases, this can be the sales or marketing team, but it can include any other team that works with customer databases or company contacts. Data processors are the employees who collect, record, modify or store personal data. This could refer to accountants, cloud storage providers, payroll functionaries and others.
It’s worth mentioning that the legislation stipulates a “legitimate interest” basis for data that was gathered without consent. This legitimate interest clause covers situations in which a data subject could reasonably expect to have their data processed.
The GDPR does put some extra weight on the marketing department, and it may lead to some data loss if the data was collected without explicit consent. Beyond that, companies have to ensure that customer data is very well protected and that data handling processes are audited. The Right to Erasure may also come into play at some point, depending on how many customers a company keeps track of.