It’s data and it’s personal!

The General Data Protection Regulation (GDPR) from the European Commission sets new standards for how organisations need to handle personal data.

 

The GDPR affects organisations globally and the impact is huge. Therefore, whether or not you're a European company, you can't ignore the regulation. Here you'll find everything you need to know about the GDPR. What is it? Who is it affecting and how? What do you need to do?

 


SO WHAT IS THE GDPR?

The General Data Protection Regulation (GDPR) is a binding regulation created by the European Commission. The regulation, which came into effect on the 25th of May 2018, has replaced former European Union data protection directives and diverse national laws.

Affected businesses have to meet several requirements in relation to how they collect and use the personal data of EU citizens - whether or not the company itself is European.

The GDPR was introduced in order to strengthen the citizens' right to data protection and - in the longer run - to simplify the processes around this data for the organisations.

Get to know GDPR in a solution brief: What is it, who does it affect and how?

FIRST OF ALL: WHAT IS PERSONAL DATA?

Let's ask the EU themselves. They define it as follows:

'Personal data is any information relating to an identified or identifiable natural person. An identifiable natural person is one who can be identified, directly or indirectly, in particular by reference to an identifier such as a name, an identification number, location data, an online identifier or to one or more factors specific to the physical, genetic, mental, economic, cultural or social identity of that natural person.'

Examples of personal data include:

  • Location data
  • Name
  • Employee ID
  • ID number
  • Email
  • Address
  • Phone number
  • Health data
  • Passport number
  • Job title
  • IP address
  • Genetic data
  • Social data

HERE'S HOW PERSONAL DATA IS TYPICALLY USED

  • Location services
  • Integrating multiple accounts
  • Notifications
  • Personalised content
  • Targeted advertising
  • Third-party info

 

HOW DOES THE GDPR AFFECT YOUR BUSINESS?

Complying with the GDPR involves comprehensive changes to your policies, processes and maybe even systems.

Here are some of the requirements:

  • You may need a Data Protection Officer
  • You need to report personal data breaches
  • EU citizens (including consumers, employees and partners) have rights, such as:
      • Right to be forgotten
      • Right to access
      • Right to data portability
      • Right to rectification
      • Right to object
  • You need to communicate more transparently to consumers
  • You have to follow a new, strict consent protocol
  • The affected data is subject to new collection and storage restrictions
  • You need to be able to identify all your personal data (customer, prospect and employee data) across systems, and to know exactly what it is used for and by whom

ARE YOU RESPONSIBLE FOR PROCESSING EU CITIZENS' DATA?

If yes, you are considered a data controller no matter where in the world you are located, and you have the main data protection responsibility under the GDPR. You need to meet several requirements.

ARE YOU PROCESSING DATA OF EUROPEAN CITIZENS ON BEHALF OF OTHERS?

If yes, you are considered a data processor. Regardless of where in the world you are, you have to meet several requirements under the GDPR:

  • Systematically document all data processing and provide it to authorities upon request
  • Report any non-compliant activities and data breach risks to your data controller
  • Very likely appoint a Data Protection Officer

DO YOU NEED TO APPOINT A DATA PROTECTION OFFICER?

Work through the questions below in order. If you answer yes to any of them, you will most likely need to appoint a Data Protection Officer; if you answer no, move on to the next question. If you answer no to all of them, you will most likely not need to appoint a Data Protection Officer.

  • Are you a public authority?
  • Are you processing special categories of data, such as data about racial or ethnic origin, political opinions, religious or philosophical beliefs, trade union membership, genetic data, biometric data, health data, or data about sexual orientation?
  • Are you systematically processing personal data on a larger scale?
  • Do you have more than 5000 employees in your business?

10 FREQUENTLY ASKED QUESTIONS ABOUT THE GDPR

By now you probably get the gist of it, but you may still have some questions. Don't worry, we have listed 10 of the most common questions and their answers.

1. We don't collect or store personal data on customers. Do we need to comply then?

It all depends on whether you store or use personal data on European citizens. That applies whether those citizens are customers, prospects or employees. If you have European employees, you probably store their names, addresses and bank information. Data like that is considered personal data in the eyes of the European Commission, and you need to implement parts of the regulation: for instance, employees must give consent to the use of their data and have rights such as the right to rectification, and you need to be able to document all of this to the authorities.
2. We are only processing B2B data. Are we then affected?

It depends on the type of data you are processing. Can the data be used to identify individuals? If yes – and for most B2B companies the answer will be yes – you are processing personal data in the eyes of the European Commission and need to comply on the same terms as B2C companies.
3. We are located in the UK. Considering Brexit, are we affected?

The simple answer is: yes, you are. If you process personal data of European Union citizens you need to comply no matter where you’re located - EU member or not. In addition, the UK is still officially part of the EU until spring 2019.
4. Do EU businesses with more than 250 employees need to hire a DPO?

No, not necessarily. Although an early draft of the GDPR specified the exact number of 250 employees as the trigger for whether or not you need a DPO, the final regulation unfortunately does not give quite such clear guidance on this. DPOs are mandatory for all public authorities, for organisations that conduct large-scale processing of special categories of personal data (such as health data), and where the core activities of a business involve "regular and systematic monitoring of data subjects on a large scale". Most large retailers fall under this definition. If you are unsure whether or not this applies to you, we suggest you seek legal advice.
5. Is it true that we can only store personal data for a limited period of time?

Yes. The GDPR sets out a so-called “Data Storage Limitation”, meaning that personal data cannot be stored longer than is necessary for the processing purposes. Personal data may be stored for longer periods as long as the data will be processed only for archiving purposes in the public interest, or for scientific and historical research purposes or statistical purposes.
6. Is it true that a customer or prospect can demand her data transferred to a competitor?

Yes. It’s now a consumer right called the “Right to Data Portability”. The GDPR explicitly says: “The data subject shall have the right to receive the personal data concerning him or her, which he or she has provided to a controller, in a structured, commonly used and machine-readable format and have the right to transmit those data to another controller without hindrance from the controller to which the personal data have been provided.”
7. How is it impacting our marketing activities?

The GDPR has a big impact on the way you do your marketing, not to mention whom you can target, and that goes whether you’re in B2C or B2B. The new consent requirements require you to collect clear consent from each targeted individual, making it clear that he or she is happy for you to use the data and market to him or her. Before, you could collect a contact, put him in your database and then use his data to further market to him on platforms and for purposes differing from where and for what the data was originally collected. With the GDPR, the consent has to be specific to that particular processing operation, meaning that you cannot request open-ended or blanket consent to cover future processing. If you want to market to someone in a new way, you will have to collect a new consent for this specific purpose. Furthermore, you need to properly manage all of these consents so that you can document them to the authorities upon request.
8. Can we transfer personal data outside the EU?

Yes, but the receivers have to live up to certain data protection standards. The GDPR permits personal data to be transferred to non-EU organisations and countries which have been found by the European Commission to provide an “adequate” level of protection, or under certain circumstances, such as by use of standard contractual clauses or binding corporate rules (BCRs).
9. It sounds like the GDPR has been made for consumers only. What's in it for the companies?

The GDPR is also created to make it simpler for organisations to manage personal data in a multinational environment and to minimise the risk of businesses being involved in seriously damaging data breaches. The GDPR has in most aspects replaced different national laws, with the aim of harmonising data protection rules throughout Europe. Additionally, with the introduction of a ‘Supervisory Authority’ in each member state, organisations have one place to go to with all their personal data-related issues.
10. What happens if we don’t meet the regulation?

Not complying can potentially result in huge fines. Sanctions for offences relating to control and mitigation are up to 10 million euros or 2% of the total worldwide annual turnover, while offences relating to rights and obligations are as high as 20 million euros or 4% of turnover.

BOOST YOUR PERSONAL DATA EFFORTS!

Suit up for the GDPR

The GDPR requires a lot of work for organisations. If you want to make sure you have the processes in place to comply, check out our 5-step starter guide to see if you are on your way.


HOW DO YOU PREPARE?

  • Build the GDPR business case
  • Appoint your GDPR accountable
  • Create a data landscape map
  • Create a gap analysis and action plan
  • Execute and get external help where necessary

DOS AND DON'TS

1. View the personal data rights as natural - and free - services to your customers

The rights associated with the GDPR that individuals can now exercise mean that your business is obligated to provide consumers with certain information. You have to give them information about the duration and purpose of their data processing, but you also have to perform actions on their behalf if required, such as moving data to other organisations, completing or correcting details on customer profiles, and even deleting data. All this, free of charge for the individual. Instead of seeing them as inconvenient duties, view these as services you provide to your customers and prospects. Services which – so far – differentiate you from non-GDPR-compliant businesses. And like any other customer service you provide, do it with a smile.
2. Change your business mindset and the corporate culture about personal data

By now you (hopefully) have the systems and processes in place that are required by the GDPR. But for most companies there’s still a task that awaits: Changing how you and everyone in your organisation view your personal data. In fact, the “your” in the last sentence is exactly what needs to change. The personal data that the GDPR was set out to protect is no longer yours. It belongs to individuals. You’re merely borrowing it to deliver a service or a product, and so you need to treat it with the respect it deserves. The change management perspective of this new thinking should not be underestimated. So, if you haven’t already started internal campaigns around this, start now.
3. Think data protection into all business aspects

The GDPR needs to be an integral part of how you do business now. With every new project, initiative or system you launch, you need to put on your ‘data protection glasses’ right from the start. Ask yourself:
  • How are we constantly training our employees to handle personal data?
  • How do we cope with on-boarding personal data into our enterprise systems?
  • How are we communicating internally the importance of protecting personal data?
  • How do we cope with personal data in contracts moving forward?
4. Keep upping your data protection efforts

Just because your business is GDPR compliant, it does not mean that you can lean back and expect all your data issues to be solved and the affected data kept safe. Data breaches will continue to happen. New regulations will at some point occur as data usage evolves even further. Consumers will develop new expectations above and beyond the GDPR as soon as the protection level required by the GDPR becomes the norm. You might as well prepare for all these things and be proactive instead of reactive. Make sure you have a clear and relevant data breach communication and action plan ready. Keep educating yourself on the evolution of the data protection market and make sure a willingness to invest is in place, as this is an area that will only continue to gain more importance.
1. Don’t give up

Although the GDPR deadline has passed, not all companies that need to be compliant are compliant. Far from it! But that doesn’t mean they should give up. As we see fines starting to mount, don’t panic, just keep on going and change your processes, systems, communication, etc. one step at a time.
2. Don’t ignore requests from individuals

The one thing that will put you right in the spotlight of the European Commission is if you fail to deliver on the rights that individuals may exercise towards you. Consumers can formally complain about you if they feel you are failing to protect their personal data, and if you are found not to be GDPR compliant, you risk a fine as big as 20 million euros or 4% of your annual turnover. Do not ignore a single personal data request from a consumer. Prioritise the resources it takes to deliver what is asked for, even if it costs you – because if you don’t, it might end up costing you a lot more.
3. Don’t be afraid to delete data

The consent aspect of the GDPR is probably where most businesses are hesitant, simply because it can potentially cost them a big chunk of their customer and/or prospect database. Legally, you now have to have action-based, purpose-specific consent to collect and process someone’s data, forcing companies to re-ask their entire database for their consent. Not getting it means that they have to erase the related data, scaring many companies away from doing so. But it shouldn’t. Instead, view it as a way to clean up your contacts and only keep the ones that actually wish to receive communication from you. Don’t be afraid to delete data from those not interested. If they’re not even interested in receiving relevant emails from you, chances are they’re not going to buy from you anytime soon.
4. Don’t let your personal data efforts negatively impact other processes

Just because you have changed your business ways in regard to collecting, processing and storing personal data, you shouldn’t change everything else. Don’t stop sharing data with third parties if that has proven a success for you earlier. Just make sure your partners are GDPR compliant as well. Don’t give up on trying to create personalised customer experiences because there are limitations to the data you can collect. In fact, try harder. Don’t let the GDPR be a barricade for innovation and creative thinking. Think GDPR into your creative processes and let it be an enabler, not a barrier.

HOW MDM SUPPORTS THE GDPR

The foundation for complying with the GDPR is that the personal data you collect, store and process is up to date, accessible and has clear data governance programs and business rules applied. Master Data Management can help you do this, optimising your personal data beyond the GDPR.

WHAT IS MDM?

Master Data Management (MDM) is the discipline of managing your master data. By combining MDM software with an MDM business mindset, you can achieve a central, accurate, up-to-date source for all your master data. MDM can be applied to all your data domains, such as customer data, employee data and product data. But to achieve the highest value for your business you need to adopt a multidomain approach that combines all of your most critical domains.

OTHER BENEFITS FROM MDM

With Master Data Management you can handle all your data domains in one place, and each domain derives its own unique benefits from Multidomain Master Data Management. Below are some additional types of data you are able to stay in full control of with the help of MDM. Make sure everyone has access to the right data, in the right place, at the right time, all in one platform.

  • Reference Data
  • Product Data
  • Location Data
  • Customer Data
  • Employee Data
  • Asset Data
  • Supplier Data

THIS IS HOW YOU CONVINCE YOUR ORGANISATION

We have an ebook on how to build a business case for adopting Master Data Management. It includes tips such as:

Avoid shortcuts

Do not rush through building your case; it takes time. Gartner estimates that it could take up to 15 weeks or longer. Having a sound business case increases the chances of the proposed project, and everyone involved, being successful.

Success depends on clarity and accuracy

Your story needs to be clear and objective, and therefore understandable. It will not be believable if no one understands it.

WE HOPE YOU FOUND THIS INFORMATION HELPFUL

We recommend that you visit our website to learn more about Master Data Management and Stibo Systems solutions.