Part 1: What is GDPR, and What is All the Fuss About?
What is GDPR?
On May 25th 2018, the European Union General Data Protection Regulation (GDPR) will come into force throughout the European Union (EU) and European Economic Area (EEA). This new regulation has created a lot of discussion amongst data processing specialist both inside and outside the EU.
Like any new major regulation there has been a lot of fear, uncertainty and doubt being spread around, from the worry of potential new and rather dramatic increase in monetary penalties under GDPR to others saying that it will severely impact the way they will work in terms of sales and marketing. In 2017, the Irish Data Protection Commissioner was asked about her views on fining companies on non-compliance, and her views were clear.
“Yes. We have to be willing to. The legislature in Europe provided for fines up to that level because they believe in certain cases it may arise. Presumably, it would involve many users. But it’s absolutely the case that we will be imposing fines against big and small entities based on the issues that come across our desk and the areas of risk we identify. There’s nothing surer than this.”
For sales teams, there is a real concern that salespeople rely on personal data - often collecting it indiscriminately and keeping their own cache of contacts and leads, and that the way this data is handled will have to change with GDPR, impacting sales results.
As the GDPR rolls out across the EU, there are many people in the US and other countries starting to pay attention to its impact with increasing trepidation, with the likelihood of similar regulation becoming a global trend getting stronger and stronger.
Many organizations are asking themselves what the GDPR is all about, do they have to worry about its implementation, and most importantly, does the GDPR apply to them.
Let’s tackle the easiest answer first – who does GDPR apply to? If you are processing personal data and either (a) your company is “established” within the European Union (EU), (b) you are processing data on persons in the EU to whom you are offering goods or services, or (c) you are “monitoring” the behavior of individuals in the EU, GDPR applies to you. And don’t just think because you don’t have a subsidiary in the EU that this doesn’t mean you. “Established” normally means doing business in the EU through a branch or subsidiary, but the GDPR is clear that it is a substantive definition, not a formalistic one. So, if you have employees or contractors who work for you in the EU, GDPR could still apply to you.
Through that definition, it’s pretty likely that GDPR applies to you. Now let’s get to the bottom of what the regulation really is all about.
The easiest way to think about the regulation is that General Data Protection Regulation (GDPR) was designed to ensure that when personal information and data is used in an exchange, its always done in a way that puts the person making the disclosure in control.
Further, people or consumers should always have the right to no longer have their personal information used when they see fit.
Once you understand the purpose of GDPR, the next thing you need to do is to understand the syntax that is used in discussions about GDPR. You can read about the key terms at the GDPR website. But for this review, lets focus on a few key terms you need to understand.
CONSENT
The informed, unambiguous and freely given permission from the data subject to have data relating to him or her processed. This is obviously the key driver for GDPR.
PERSONAL DATA and SENSITIVE PERSONAL DATA
This tells you what kind of information you need to think about when understanding how the GDPR impacts you. The table below is a simple way of knowing what is personal data, what is sensitive personal data, and what is non-personal data.
ENTERPRISE
Natural or legal entity, including a person, who performs an economic activity, regardless of the legal form, including associations and partnerships. This means you.
PROCESSOR
The natural or legal entity or person, public authority, or other body that processes data on behalf of the controller. This is probably your software supplier if you use a 3rd party to create tools that your customer facing teams use, or it could be your business if you are using internally developed software.
DATA CONTROLLER
This is a person who decides the purpose for which any personal data is to be processed and the way in which it is to be processed. This can be decided by one person alone or jointly with others.
RIGHT TO BE FORGOTTEN
The right to erasure of personal data where there is no compelling reason for its continued processing.
DATA PROTECTION OFFICER
A Data Protection Officer is someone who is given formal responsibility for data protection compliance within a business. Not every business must have one, but most will.
The next step of understanding the GDPR is seeing how it all fits together in your business workflow. And whilst all businesses are not the same, let's use Widget Corp for our example and diagram.
Widget Corp is a business where GDPR does apply to their operations - or the Enterprise for GDPR. Widget sells solutions to other businesses. They have sales people in the field using software running on a mobile device that they use to take customers through their products, and then they share information using software.
For Widget Corp, there are a number of areas where GDPR does apply. When they engage with prospects through their sales teams, on their website, and use software (like marketing automation) to get personal details including name and email address and then collect information about how those people engage, they are collecting Personal Data and they are absolutely under the control of GDPR.
Widget is a Data Controller in that they control what happens to that Personal Data, and their software providers (that being external SaaS organizations or Widget themselves if they are using internally developed software) are the Processor.
Every time a Widget sales person gets the Personal Data from a prospect or customer, or they require information to engage with content on their website, Widget must get the Consent of the person. And should that person wish to exercise their Right to be Forgotten, its up to Widget Corp to ensure that their own systems and the systems of their software suppliers are able to exercise that request and remove the Personal Data of that person from their systems.
Part 2 of this Article will deal with how GDPR impacts the Sales Enablement team at Widget Corp and how they can adapt their systems to ensure GDPR compliance, and part 3 of this article will look at how Widget may have to adjust their activities in the USA as similar regulation looms on the horizon.
