EU General Data Protection Regulation (GDPR)
What to look for when it comes to personal data in 2018
New year, new regulations! We all knew it was coming. 2018 will be all about data privacy and data security and the infamous General Data Protection Regulation (GDPR). The GDPR will apply to all companies and organizations processing and holding personal data or monitoring the behavior of individuals residing in the European Union – whether located within or outside of the EU. We want to give you some useful information and a quick overview of the key changes:
|What?||General Data Protection Regulation (GDPR)|
|By whom?||European Commission, European Parliament and European Council|
|Who’s affected?||all companies and organizations processing and holding personal data of subjects residing in the European Union – whether located within or outside of the EU|
|When?||May 25th 2018|
|How?||New elements and changes over the current Data Protection Acts and detailed considerations of all the companies that are processing personal data of european individuals (even if they have only one european customer).|
The GDPR was created by the European Commission, the European Parliament and the European Council with the aim to protect all EU citizens’ data. It will change the way how european and global companies deal with topics like data protection, privacy policies and online and mobile marketing.
An offense against the EU GDPR will lead to fines in the amount of up to 20.000.000 € or 4% of the total annual global turnover.
The definition of “personal data”
The GDPR characterises “personal data” as “any information relating to an identified or identifiable natural person (‘data subject’); an identifiable natural person is one who can be identified, directly or indirectly.” (1) Identifiable personal data would be:
- Contact data (E-Mail und Telephone)
- identification number
- one or more factors specific to the physical, physiological, genetic, mental, economic, cultural or social identity of that natural person
That means that all forms of online and offline tracking technologies will be subject to data protection regulations as of May 2018. Also offline marketers, app vendors and location based service providers are subject when realizing cross-device targeting, online to offline behavioral advertising or many more targeting strategies.
Changes for the online and mobile branch
But let’s get to the changes that will affect the online and mobile branch in 2018 the most:
- Extension of the definition of “personal data”: For online or mobile activities the following identifiers will be added:
- online identifier (cookie IDs, advertising IDs, IP addresses)
- location data
- New possible forms of getting the users’ consents
- Changes in the evaluation of pseudonymized data
- New concept that enables companies to use personal data without the users’ consent under certain conditions AND if “legitimate interests” of companies and/or “reasonable expectations” of users are given.
- Stronger rights on the part of the users, especially for the right of withdrawal (Opt-Out)
- Companies are bound to communicate data breaches shortly after their occurrence
- Technology providers and system operator are required to conduct standardized data privacy impact assessments
- A company has to nominate a data protection officer in other European countries when personal data is regularly and systematically collected
Information about you as a provider
Additionally the provider has to state the following information:
- Name, first name, complete address
- Contact information (phone, e-mail, fax)
- Industry register and trade number
- Company name and form of organization
- VAT No.
But as always you should keep in mind to take note of further data protection regulations for your individual industry!
Square Metrics & Data Protection
As we announced in a previous blog post, we were awarded with the ePrivacyseal EU by ePrivacy GmbH. The seal covers some special data protection laws and the most important EU Data Protection regulations. And it already covers the new EU General Data Protection Regulation (GDPR) als well.