It’s data and it’s personal!

The new General Data Protection Regulation from the European Commission sets new standards for how organisations will handle personal data in the future.

 

The GDPR will undeniably affect organisations globally and the impact will be huge. Therefore, whether or not you're a European company, the transition to meet the regulation needs to start now. Here you'll find everything you need to know about the GDPR. What is it? Who will it affect and how? What do you need to do?

 

COMPLIANCE IS REQUIRED AND THE CLOCK IS TICKING

435 DAYS : 08 HOURS : 54 MINUTES

This is the time left until the EU deadline for compliance.

SO WHAT IS THE GDPR?

The General Data Protection Regulation (GDPR) is a binding regulation created by the European Commission. The regulation is replacing current European Union data protection directives and diverse national laws.

By 25th of May 2018, the affected businesses will have to meet several new requirements in relation to how they collect and use the personal data of EU citizens - whether or not the company itself is European.

The GDPR is being introduced in order to strengthen the citizens' right to data protection and - in the longer run - to simplify the processes around this data for the organisations.

Get to know GDPR in a solution brief: What is it, who does it affect and how?

FIRST OF ALL: WHAT IS PERSONAL DATA?

Examples of personal data:
  • Location data
  • Name
  • Employee ID
  • ID number
  • Email
  • Address
  • Phone number
  • Health data
  • Passport number
  • Job title
  • IP address
  • Genetic data
  • Social data

Let's ask the EU themselves. They define it as follows:

 

'Personal data is any information relating to an identified or identifiable natural person. An identifiable natural person is one who can be identified, directly or indirectly, in particular by reference to an identifier such as a name, an identification number, location data, an online identifier or to one or more factors specific to the physical, genetic, mental, economic, cultural or social identity of that natural person.'

HERE'S HOW PERSONAL DATA IS TYPICALLY USED TODAY

  • Location services
  • Integrate multiple accounts
  • Notifications
  • Personalised content
  • Target advertising
  • Third-party info challenges

HOW WILL THE GDPR AFFECT YOUR BUSINESS?

Complying with the GDPR will involve comprehensive changes to your policies, processes and maybe even systems.


Here are some of the changes:

  • You may need to appoint a Data Protection Officer
  • You will need to report personal data breaches
  • EU citizens (including consumers, employees and partners) will have more rights than ever:
      • Right to be forgotten
      • Right to access
      • Right to data portability
      • Right to rectification
      • Right to object
  • You will have to communicate with consumers in a new way
  • You will have to follow a new, strict consent protocol
  • Your data will be subject to new collection and storage restrictions
  • You will need to be able to identify all your personal data (customer, prospect and employee data) across systems, and what exactly it is used for, and by whom

ARE YOU RESPONSIBLE FOR PROCESSING EU CITIZENS' DATA?

If yes, you are considered a data controller no matter where in the world you are located, and you will have the main data protection responsibility under the GDPR. You will be required to meet several new requirements.

ARE YOU PROCESSING DATA OF EUROPEAN CITIZENS ON BEHALF OF OTHERS?

If yes, you are considered a data processor. Regardless of where in the world you are, you will now have to meet several new requirements under the GDPR:

  • Systematically document all data processing and provide it to authorities upon request
  • Report any non-compliant activities and data breach risks to your data controller
  • Very likely appoint a Data Protection Officer

DO YOU NEED TO APPOINT A DATA PROTECTION OFFICER?

If you can answer yes to any of the following questions, you will most likely need to appoint a Data Protection Officer:
  • Are you a public authority?
  • Are you processing special categories of data, such as data about racial or ethnic origin, political opinions, religious or philosophical beliefs, trade union membership, genetic data, biometric data, health data, or data about sexual orientation?
  • Are you systematically processing personal data on a larger scale?
  • Do you have more than 5000 employees in your business?

If you answer no to all of them, you will most likely not need to appoint a Data Protection Officer.

10 FREQUENTLY ASKED QUESTIONS ABOUT THE GDPR

By now you probably get the gist of it, but maybe there are some questions. Don't worry, we have listed 10 of the most common questions together with their answers.

1. We don't collect or store personal data on customers. Will we then not be affected?

It all depends on whether you store or use personal data on European citizens, whether those citizens are customers, prospects or employees. If you have European employees, you probably store their names, addresses and bank information. Data like that is considered personal data in the eyes of the European Commission, and you will be required to implement parts of the new regulation: for instance, employees must give consent to the use of their data and have rights such as the right to rectification, and you will need to be able to document all of this to the authorities.
2. We are only processing B2B data. Will we then not be affected?

It depends on the type of data you are processing. Can the data be used to identify individuals? If yes – and for most B2B companies the answer will be yes – you are processing personal data in the eyes of the European Commission and need to comply on the same terms as B2C companies.
3. We are located in the UK. Considering Brexit, will we not be affected then?

The simple answer is: yes, you will. If you process personal data of European Union citizens, you need to comply no matter where you’re located. In addition, the UK will not be leaving the EU until after the GDPR comes into effect. The GDPR kicks in on 25 May 2018, while the UK is expected to leave the EU sometime during 2019. If you want more insight on this, we suggest you read this report from the UK government.
4. We’ve heard that businesses with more than 250 employees need to hire a DPO. Is that true?

No, it’s not true. Although an early draft of the GDPR specified the exact number of 250 employees as the trigger for whether or not you need a DPO, the final regulation unfortunately does not have quite such clear guidelines. In the final regulation, DPOs are mandatory for all public authorities, for organisations that conduct large-scale processing of special categories of personal data (such as health data), and where the core activities of a business involve “regular and systematic monitoring of data subjects on a large scale”. Most large retailers, for instance, will fall under this definition. If you are unsure whether or not this applies to you, we suggest you seek legal advice.
5. Is it true that we can only store personal data for a limited period of time?

Yes. The GDPR sets out a so-called “Data Storage Limitation”, meaning that personal data cannot be stored longer than is necessary for the processing purposes. Personal data may be stored for longer periods as long as the data will be processed only for archiving purposes in the public interest, or for scientific and historical research purposes or statistical purposes.
6. Is it true that a customer or prospect can demand that her data be transferred to a competitor?

Yes, it’s a new consumer right called the “Right to Data Portability”. The GDPR explicitly says: “The data subject shall have the right to receive the personal data concerning him or her, which he or she has provided to a controller, in a structured, commonly used and machine-readable format and have the right to transmit those data to another controller without hindrance from the controller to which the personal data have been provided.”
7. How will it impact our marketing activities?

The GDPR will unavoidably influence the way you do your marketing, not to mention who you can target, whether you’re in B2C or B2B. The new consent requirements in particular will have a big impact, since you will need to collect clear consent from each targeted individual that makes it clear he is happy for you to use his data and market to him. Today, once you have collected a contact and put him in your database, you can use his data to further market to him on platforms and for purposes differing from where and for what the data was originally collected. With the GDPR, the consent has to be specific to that particular processing operation, meaning that you cannot request open-ended or blanket consent to cover future processing. If you want to market to someone in a new way, you will have to collect a new consent for this specific purpose. Furthermore, you’ll need to properly manage all of these consents so that you can document them to the authorities upon request.
8. Can we still transfer personal data outside the EU?

Yes, but the receivers will have to live up to certain data protection standards. The GDPR permits personal data to be transferred to non-EU organisations and countries which have been found by the European Commission to provide an “adequate” level of protection, or under certain circumstances, such as by use of standard contractual clauses or binding corporate rules (BCRs).
9. It sounds like the GDPR has been made for consumers only. What's in it for the companies?

The GDPR is also created to make it simpler for organisations to manage personal data in a multinational environment and to minimise the risk of businesses being involved in seriously damaging data breaches. The GDPR is in most aspects replacing differing national laws, with the aim of harmonising data protection rules throughout Europe. With the introduction of a ‘Supervisory Authority’ in each member state, organisations will in addition have one place to go to with all their personal data-related issues.
10. What happens if we don’t meet the regulation in time?

Not complying will result in huge fines. Sanctions for offences relating to control and mitigation can be up to 10 Million Euros or 2% of the total worldwide annual turnover, while offences relating to rights and obligations can be as high as 20 Million Euros or 4% of turnover.

GET READY!

Suit up for the GDPR

There is a lot of work to be done in order to meet the deadline in 2018.
You need to get going right now! We have created a 5 step guide to get you started.


HOW DO YOU PREPARE?

  • Build the GDPR business case
  • Appoint your GDPR accountable
  • Create a data landscape map
  • Create a gap analysis and action plan
  • Execute and get external help where necessary

DOS AND DON'TS

1. Spend a few minutes to familiarise yourself with the GDPR

Spend at least a little effort investigating whether or not your business falls under the new GDPR. If you can answer yes to some of the following questions, you will most likely be affected by the new regulation:
  • Does your website have European version(s)?
  • Is your marketing targeting European citizens?
  • Do you employ European citizens?
  • Are you processing data on behalf of other companies?
2. Start now, if you haven’t already

The transition to meet the new requirements will as a minimum require you to change different policies and procedures, and may even involve implementing new systems, not to mention the cultural business change that needs to happen – all time-consuming exercises. And remember, if you do not comply in time, fines can be up to 20 Million Euros or 4% of annual turnover – you will be fined whichever amount is higher.
3. Think data protection into all business aspects

Although a small part of the GDPR is aimed at making communication towards consumers more transparent, the majority is about internal processes. With every new project you launch, you need to put on your ‘data protection glasses’ right from the start. Ask yourself: How are we training our employees to handle personal data? Are our systems geared to handle a data breach? What if a customer requests his or her data deleted – can we honestly locate and remove all associated data with our current settings, even all metadata? Or is this data scattered across different systems and departments?
4. Don’t underestimate the complexity of the GDPR

Acknowledge that this transition is a complex process. You may very likely need to involve external legal support, change management professionals, and/or data governance and data management vendors and consultants.

HOW MDM SUPPORTS YOUR GDPR TRANSITION

The foundation for complying with GDPR is that the personal data you collect, store and process is updated, accessible and has clear data governance programs and business rules applied. Master Data Management can help you do this.


WHAT IS MDM (MASTER DATA MANAGEMENT)?

Master Data Management (MDM) is the discipline of managing your master data. By combining MDM software with an MDM business mindset, you can achieve a central, accurate, up-to-date source for all your master data. MDM can be applied to all your data domains, such as customer data, employee data and product data. But to achieve the highest value for your business, you need to adopt a multidomain approach that combines all of your most critical domains.


OTHER BENEFITS FROM MDM

With Master Data Management you can handle all your data domains in one place. Each domain derives its own unique benefits from Multidomain Master Data Management. Below are some additional types of data you are able to stay in full control of with the help of MDM. Make sure everyone has access to the right data, in the right place, at the right time, all in one platform.

  • Reference Data
  • Product Data
  • Location Data
  • Customer Data
  • Employee Data
  • Asset Data
  • Supplier Data

THIS IS HOW YOU CONVINCE YOUR ORGANISATION

We have an ebook on how to build a business case for adopting Master Data Management. Grab your copy and get tips like:

Avoid shortcuts

Do not rush through building your case; it takes time. Gartner estimates that it could take up to 15 weeks or longer. Having a sound business case increases the chances of the proposed project, and everyone involved, being successful.

 

Success depends on clarity and accuracy

Your story needs to be clear and objective, and therefore, understandable. It will not be believable if no one understands it.

 

WE HOPE YOU FOUND THIS INFORMATION HELPFUL

We recommend that you visit our website to learn more about Master Data Management and Stibo Systems solutions.

 

Questions? Why not drop us a line.

 
