GDPR Policy Updates: Regulatory Compliance
The EU General Data Protection Regulation (GDPR) was designed to harmonize data privacy laws across Europe. This new regulation goes into effect in May 2018 and applies not only to organizations located within the EU but also to organizations located outside the EU if they offer goods or services to, or monitor the behavior of, EU data subjects. It applies to all companies processing and holding the personal data of data subjects residing in the European Union, regardless of the company's location. Organizations found to be non-compliant are subject to substantial fines.
NAMM and our partners are working to provide NAMM members with relevant information. Please check here often for updates and new resources.
Information, Webinars and Videos:
Video: GDPR Explained
European Union GDPR Site
Music Industries Association (MIA) GDPR Information Site
The Security Provisions of GDPR
EU Data Protection Glossary
Are you ready for GDPR compliance? – Microsoft's GDPR Information Site
Questions and Answers:
Background and Resources:
- GDPR – Advice for Our Industry
GDPR – Advice for Our Industry: An update from Paul McManus, Executive Director, M.I.A.
Source: MIA.org.uk August 16, 2017
I have spent time this week with GDPR legal experts in order to bring you all (hopefully) some sensible advice as to how you all prepare for the new legislation that comes into effect on May 25th 2018.
I know that you all have far more important things to do (like running a business!), but there is stuff here that you need to be doing before May…
The new rules are not a huge change from existing legislation but there are heightened expectations for a business in respect of their ACCOUNTABILITY in relation to processing and managing personal data (with substantially increased fines being announced).
Businesses involved with personal data will be expected to be able to DEMONSTRATE policies and assessments that protect data and use it appropriately.
Things to consider:
- Personal data is the means by which an individual can be “identified”. This is not just a name, but can also relate to phone numbers and addresses.
- All businesses are recommended to conduct a Data Protection Impact Assessment (and document this). This should consider a map of the data you hold, where it is stored, how you process it and who it is shared with and the risks of data breach. Plus, why you hold it and when you delete it.
- All businesses are recommended to appoint a Data Protection Officer (DPO).
- In relation to a Data Breach, do you have a policy? Have you identified the risk to the individuals that would be affected? Speedy notification of a breach to both individuals and the ICO (Information Commissioner's Office) are now major considerations/requirements.
- Subject Access Requests – the rights of individuals to see their data that you hold. People and staff will have more “rights” going forward.
- The Right to Erasure a.k.a. the Right to be Forgotten. Not an absolute “right”, but more on this will emerge.
- ICO registration: many more companies will need to register (thankfully the fees will be removed going forward) and this will depend on the data you hold and the risk it could pose. Once you have done your Assessment, contact the ICO to discuss.
- Third Parties who use and work with your data… what sort of Data Protection Contract do you have with them?
- Is your server/cloud data actually in the EU or outside (if outside, you are technically exporting data)… worth checking!
- Websites and all communications platforms will all need looking at with respect to privacy statements, company details, complaint procedures etc.
- As a general rule, communications will require explicit opt-in permission from the individual and an opt-out option (even old consents will need to be revisited).
There is naturally a huge amount more detail, but 11 points for now to get you thinking…
For more information, contact the MIA.