#GDPR – The 6 Commandments

Strategy Consulting 23 April 2018

GDPR, or the General Data Protection Regulation, will be enforceable as of May 25th of this year. Is your company not yet in compliance with this new European regulation? Do you still have some questions after multiple meetings with your lawyers?

The GDPR doesn’t have to be a disaster! Au contraire, it can be the opportunity to strengthen the relationship of trust between your company and its clients, and to master your data. This regulation will be applied to all 28 countries of the European Union, and seeks to better protect personal data. It has been designed to respond to evolving customer behaviours, which are rapidly changing due in particular to the digital revolution, and will protect citizens’ rights to protection of and access to their data. User trust and data security are two essential strategic elements for healthy and sustainable brand development. Users are increasingly concerned about the security of their private lives and their data on the Internet (the Cambridge Analytica/Facebook scandal is a good example!), and they must be able to take back control of their personal data. Many companies, across industries and departments, use personal data for their recruitment, prospection, and targeting strategies. However, companies still don’t know where to begin. No panic! Here are six principles to abide by in order to understand GDPR!

1. Thou shalt seek consent

The first pillar of GDPR is often overlooked on the internet: data can only be processed if the person it concerns has given explicit consent. Opting-in, though generally applied for emailing campaigns, must be more generally used for all types of collected data. However, consent is not the only legal way to process data. Legitimate interest or a contract between the company and the user also constitute possible frameworks for data processing.

For transparency, user consent must be obtained for each separate use that processed data will serve. For example, the user accepts that a company uses his or her data to receive a newsletter, he or she does not necessarily accept that data be shared with a partner.

Informed consent

The GDPR defines consent of the user as “any freely given, specific, informed and unambiguous indication of the data subject’s wishes by which he or she, by a statement or by a clear affirmative action, signifies agreement to the processing of personal data relating to him or her.”

Source: GDPR, Chapter 1, Article 4, 11

2. Thou shalt communicate information

Even before obtaining user consent, the company in charge of data processing must be able to communicate clear information about how the data will be used, so that users can exercise their rights.

How is my data collected? Where is it stored, and for how long? Can I transfer my data from one player to another by invoking my right to portability? If I change my mind, do I retain the right to be forgotten? Basically, companies must be able to tell users how much control they will have over their personal data.

Additionally, information must be presented in an easily understood manner, without going into too much technical or legal detail for example. This means that professionals must develop clear and informative messages to explain their data treatment policy as well as possible to users. This information must also be easily accessible. Transparency is the magic word!

3. Thou shalt define purposes and restrictions

The purposes of the collected data must be specified by the processing company ahead of time. It goes without saying that uses must be both legitimate and explicit. A “reasonable” length of time must be defined for data use and storage. According to the ICO’s “Guide to data protection”, “Personal data processed for any purpose or purposes shall not be kept for longer than is necessary for that purpose or those purposes.” For example, if a company has not heard from a prospect for three years, his or her data must be erased.

4. Thou shalt respect accuracy

Collected data must be accurate, and kept up to date where necessary. Inaccurate data must be deleted from the company’s records. This is a principle abided to even beyond the EU: in 2015, the United States Supreme Court found that an individual had the right to sue public record search site Spokeo after the company was found to have published an erroneous consumer profile of the individual based on inaccurate data. Inaccurate data can indeed harm consumers. This is why company that processes data is also responsible for keeping it up to date.

5. Thou shalt prioritise security

Security risks are one of the biggest challenges in the digital landscape of today. The idea is to, on the one hand, put measures in place that guarantee user data security, and on the other hand to define clear and efficient procedures to limit damages in case of hacking or data leaking. There have been multiple personal data leaks recently on social networks: Snapchat in 2014, Uber in 2016, Instagram in 2017, and even Facebook in 2018. No one is safe!

6. Thou shalt assume thine responsibilities

The last, but certainly not least, founding principle of GDPR is the data processing company’s responsibility, which includes being able to prove at any time that its data and processing procedures are valid and in compliance, from collection to analysis. This principle is particularly important as it is considerably strengthened by legislation in comparison to the 1995 Data Protection Directive.
European regulation calls for the nomination of a sole representative to be responsible for this task within the company, who can advise decision makers and data processors: the Data Protection Officer.
The non-respect of these principles can incur heavy sanctions. Fines can reach €20 million ($22.1 million), or 4% of worldwide revenue. Better to be safe than sorry!

To summarise:

For more tips on preparing for the GDPR, check out the official ICO guide here.