Recently, the European Commission (EC) approved and adopted the new General Data Protection Regulation (GDPR). The GDPR imposes new rules on organizations that offer goods and services to people in the European Union (EU) and the regulation is effective on May 25, 2018.
Basically, GDPR establishes two fundamental rights and responsibilities:
- Individuals have rights over the protection of their personal data.
- Organizations have mandatory responsibilities when collecting or analyzing data tied to EU residents.
What does the GDPR mean for my organization?
Our customers own, control and can efficiently manage their own data. Since you (as a client of Trail Blazer) are the data controller, you have the responsibility to be compliant with GDPR. That means if you collect or process any personal data from EU citizens, the GDPR guidelines will apply to your organization.
Getting my organization ready
The GDPR applies to all organizations operating in the European Union (EU) and processing “personal data” of EU residents. Personal data is defined as “any information relating to an identified or identifiable natural person.” This definition is notably much broader than “sensitive information” or “personally identifiable information,” which are the more narrow definitions of the data to which a regulation might apply.
Examples of personal data:
Under the GDPR, EU citizens have several new rights, including:
- Right to be forgotten. Individuals can request an organization to delete all their data.
- Right to object. Individuals can prohibit certain data usage.
- Right to rectification. Individuals can request inaccurate or incomplete data be updated immediately.
- Right of access. Individuals must be able to find out what personal data of theirs is being processed and how.
- Right to portability. Individuals can request to receive the personal data concerning them that they have provided to an organization, and to have that personal data transferred from one organization to another.
- Consent is at the heart of the new regulation and must be obtained, but not for everything; the GDPR does impose stricter rules around consent.
Consent is only required for data processing outside the normal transaction exchange. You do not need consent to perform data processing related to your primary reason for interacting with the individual.
For example, if someone donates to your organization and you're only using that data to record the donation, you won't need to get consent.
But if you intend to collect additional personal data or plan to process that data in other ways, for instance for marketing, you'll need to get explicit consent for that usage.
- Infringements of these provisions could be subject to administrative fines of up to 20 million Euros or 4% of the total annual revenue of the preceding financial year, whichever is higher.
The information offered on this page and other Trail Blazer GDPR and data privacy-related pages is not legal advice for you or your company to use to comply with the GDPR or other (European) data privacy laws. Trail Blazer cannot offer legal counsel.