Direct response is notorious for its acronyms. A new one is being added to the mix next week. The General Data Protection Regulation (GDPR) goes into effect on May 25, 2018 in the European Union (EU) and will affect data security and impose restrictions on how organizations collect and handle the personal data of EU residents.
The GDPR will not only apply to organizations in the EU but will affect all organizations that offer goods or services to, or monitor the behavior of, EU individuals. More importantly for our industry and clients, the GDPR applies to all organizations processing and holding personal data of EU residents (including donors, members, grantees, customers, or program service recipients), regardless of where the organization is located. The GDPR will regulate the collection of personal data, defined as any data that identifies a “natural person,” with the goal of protecting the privacy rights of the EU public.
The key changes in collecting, storing, and handling EU resident personal data include:
- Personal Data Rights Expanded:
- EU residents will have the “right to be forgotten,” meaning they can request the deletion of all personal data, or request that data be transferred to another controller. The individual can request their information at no fee and the organization must provide details, such as recipients of their personal data and how long the data will be stored.
- Broadening of data definitions: “Personal Data” and “Data Processing”
- Personal data is broadly defined through the GDPR as any data of an EU resident that identifies a “natural person”. This can include online identifiers including IP addresses, images associated with an account or unique code, and especially “sensitive information” (race, political opinions, religious beliefs, etc.) or personal data belonging to children, which will have stringent requirements. The GDPR will also affect business-to-business data because the EU residents working at these companies are “natural persons”.
- Data processing will include “profiling”, meaning either the automation of personal data or the use of personal data to evaluate certain personal aspects relating to a natural person. The GDPR will require special compliance in the case of profile-based decisions for EU residents. In the final text, the GDPR states that “profiling for direct marketing purposes is less controlled.”
- Opt-In is the New Opt-Out: “Consent must be a positive action.”
- Organizations will be required to request consent from EU residents for every action they take involving their personal data. Consent must be “clearly distinguishable” in a written format using “clear and plain language”. Since an EU resident can request their information be deleted at any time, the duration of consent is determined by the individual.
- However, “opt-in” can be implied by necessity or for a “legitimate interest”, so an organization would have the right to secure an EU resident’s data to fulfill an obligation or expectation (e.g., securing a name and address for the fulfillment of a charity store purchase). The organization would not have the right to use this data for any other purpose, except for the necessary elements to complete the transaction.
- Third-Party Vendors: Organizations will be liable for the actions of their third-party vendors and compliance with the GDPR.
- Data Retention: It’s recommended that organizations delete all EU resident data which has not been “actively used” for two years. The GDPR recommends that organizations have a data retention plan and only keep data for a “reasonable” amount of time.
- “Pseudonymization” is a new concept in EU data protection law:
- “Additional information” must be kept separately and must not be attributable to a person without the need of technical or organizational measures.
- Cross-Border Data Transfers: Personal data transfers to a third country or international organization will be allowed for EU resident data with set conditions and an “adequate” level of data protection.
Although an EU regulation, the GDPR will affect how all US organizations and companies handle EU personal data, so it’s important that organizations have a GDPR readiness strategy. Many of our clients have been proactively working to make sure their organizations and the vendors they work with are prepared to comply with the GDPR regulations. The first step in compliance is to identify a core group within the organization to manage the readiness strategy and determine how EU resident data is currently being collected, stored, and handled. There are several measures that can be taken to make sure an organization is complying with the GDPR, including:
- Seek legal counsel
- At the time of consent, provide all possible methods of communication, as well as details on how the personal data will be processed
- Create a record of all processing activities and do a data mapping of all EU personal data
- Develop a plan of how your organization would provide an individual with their data, or delete all personal data if requested
- Confirm that the products and services offered are complying with GDPR requirements
- Review all personal data transfers and confirm the cross-border data transfer solution
- Review and revise policies if necessary, including an organization’s global data protection policy, security policies, website privacy policies, and insurance policies
- Update the global breach notification plan and confirm that you are able to provide notice within 72 hours
- Review vendor agreements in relation to processing EU resident personal data
- Consider appointing a data protection officer (DPO), either a current staff member or contractor, who will serve as the expert on data protection laws, provide advice on the impact, and monitor all processing operations
There’s still a question of how the GDPR will be enforced, but the fines for not following these regulations are steep (below) and organizations must notify people of a breech within 72 hours.
- The higher fine threshold is four percent of an undertaking’s worldwide annual turnover or 20 million euros, whichever is higher
- The lower fine threshold is two percent of an undertaking’s worldwide annual turnover or 10 million euros, whichever is higher
With the effective date only a few days away, there is nervous discussion around this topic but there are some potential positive outcomes as well.
- Increased donor/member loyalty through a transparent data security program
- Ideally, more accurate data will be housed because customers/donors/members will now have access to their personal data, as well as the opportunity to validate or correct their information
While this only applies to EU constituents now, we’re closely monitoring to see if the US moves in this direction. As always, let us know if you have any questions as you work through the ever-changing landscape of data security.
GDPR Full Text
Self-Certify as GDPR compliant through the Privacy Shield
DMA UK’s countdown to the GDPR
DMA US GDPR Compliance