The General Data Protection Regulation (GDPR) is legislation that comes into effect on 25th May 2018. It is a new EU regulation that attempts to unify how countries in the EU approach data protection and the security of personal information. The UK is very much included in this new regulation, despite Brexit, as any country that wants to trade with countries in the EU must be compliant.
The GDPR aims to give citizens of the EU greater control over their own data, and to give them confidence that their personal information is being protected by the companies they choose to give it to.
The fines for breaking the rules are considerable: 4% of global annual turnover or €20 million, whichever is higher. Many businesses are looking to put standards in place now, as it is going to be a significant change.
Personally Identifiable Information (PII) has been given a much broader definition under GDPR.
In the words of the regulation, personal data is “any information relating to an identified or identifiable person” and it includes:
- Email addresses
- Bank details
- Updates on social networking websites
- Location details
- Medical information
- Computer IP addresses
The GDPR also introduces the idea of “pseudonymous data”: data that has been subjected to technical measures which render it no longer able to identify an individual directly. Session IDs and customer reference numbers fall into this category, and they will need to be pseudonymised effectively if they are to be used in profiling or other processing activities.
Pseudonymised data is already used in advertising to tie a user’s actions together; cookies and mobile OS identifiers are a good example. This kind of data allows some relaxation of GDPR’s provisions, provided the organisation reviews its level of security and makes adequate risk assessments.
Pseudonymous data lost in a breach is less damaging, because without the separately held method for reversing the pseudonymisation it is much more difficult to work out who the individual is, and so to draw value from the data.
Organisations are also given more latitude to process pseudonymised data. They can use it in profiling, as it is unlikely to cause harm to a data subject.
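As an added illustration of the pseudonymisation described above (example code written for this page, not taken from the regulation or any vendor), the snippet below replaces customer reference numbers and session IDs with keyed HMAC pseudonyms. The key is the “method for retrieving” the identity: it is held separately from the released dataset, records from the same customer still link together for profiling, and without the key the released records cannot be mapped back to a person. The sample events and the key are constructed for the example.

```python
import hmac
import hashlib

# Constructed sample records: behavioural events tied to raw identifiers.
SAMPLE_EVENTS = [
    {"customer_ref": "CUST-000123", "session_id": "sess-a1b2c3", "event": "viewed_pricing"},
    {"customer_ref": "CUST-000123", "session_id": "sess-a1b2c3", "event": "added_to_basket"},
    {"customer_ref": "CUST-000456", "session_id": "sess-d4e5f6", "event": "viewed_pricing"},
]


def pseudonymise(value: str, key: bytes) -> str:
    """Keyed pseudonym: HMAC-SHA256 of the identifier under a secret key.

    Deterministic, so events from one customer still link together. A plain
    unkeyed hash would not do: customer references and session IDs are low
    entropy, so an attacker holding the dataset could simply hash candidate
    values and match them. With the key kept apart from the data, that fails.
    """
    return hmac.new(key, value.encode("utf-8"), hashlib.sha256).hexdigest()


def pseudonymise_events(events, key: bytes):
    """Return a copy of the events with both identifier fields pseudonymised."""
    return [
        {
            "customer_ref": pseudonymise(e["customer_ref"], key),
            "session_id": pseudonymise(e["session_id"], key),
            "event": e["event"],
        }
        for e in events
    ]


def lookup_subject(pseudonymised_events, customer_ref: str, key: bytes):
    """Controller-side re-identification for a known subject (e.g. an access
    request): recompute the pseudonym, which only the key holder can do."""
    target = pseudonymise(customer_ref, key)
    return [e["event"] for e in pseudonymised_events if e["customer_ref"] == target]


def raw_identifiers_leaked(pseudonymised_events, events) -> bool:
    """Release check: does any original identifier survive in the output?"""
    raw = {e["customer_ref"] for e in events} | {e["session_id"] for e in events}
    out = {e["customer_ref"] for e in pseudonymised_events}
    out |= {e["session_id"] for e in pseudonymised_events}
    return bool(raw & out)
```

In a real deployment the key would come from a key management system rather than being embedded with the data, and rotating it breaks linkage to earlier releases, which may be intended.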
What can your company do?
In order to sign up for communications from your company, prospects will have to fill out a form or actively tick a box, and then confirm in a second email that they would like to sign up. The consent to be communicated with must be recorded and time stamped, in case the data collection is questioned in the future. The process to unsubscribe must be simple and instant.
Third Party Vendor Code