GDPR Policy Updates: Regulatory Compliance
The EU General Data Protection Regulation (GDPR) was designed to coordinate data privacy laws across Europe. This new regulation will go into effect in May, 2018 and will not only apply to organizations located within the EU but also to organizations located outside of the EU if they offer goods or services to, or monitor the behavior of, EU data subjects. It applies to all companies processing and holding the personal data of data subjects residing in the European Union, regardless of the company’s location. Organizations found to be non-compliant are subject to substantial fines.
NAMM and our partners are working to provide NAMM members with relevant information. Please check here often for updates and new resources.
Information, Webinars and Videos:
The Privacy Shield Program: administered by the International Trade Administration (ITA) within the U.S. Department of Commerce
Video: GDPR Explained
European Union GDPR Site
Music Industries Association (MIA) GDPR Information Site
The Security Provisions of GDPR
EU Data Protection Glossary
Are you ready for GDPR compliance? – Microsoft's GDPR Information Site
Questions and Answers:
Background and Resources:
- What You Need to Know About GDPR
March 28, 2018
Article by Peter Malick, CEO of Inbound AV, an online marketing firm focused on the music industry. Originally published by NAMM U, here.
As CEO of an online marketing firm that focuses on the music industry, this issue hits home to all of my clients, and NAMM membership in general. In short, the GDPR takes full effect on May 25, 2018, and if email marketing or e-commerce is part of your business or business plan, you need to be well-informed about this comprehensive set of regulations. We live in an interconnected world, and although your business may be locally focused, this law could affect you!
Here’s a recap of what I learned at the seminar. Note: This article is not intended as legal advice. For more information on the GDPR, visit eugdpr.org.
What You Want to Know
There are some very specific actions that you’ll want to take to safeguard your music business. You have an email list that you market to. If anyone on that list resides in the EU, you must have explicit permission to send them email marketing. Further, if your website tracks users through cookies or other tracking methods, again, you need to have permission from users in the EU to gather that data from them.
The penalties are potentially severe, and without going into excessive detail, if you’re a small or medium-sized business, you could be fined “up to 10 million euros or 2 percent of the worldwide annual revenue of the prior financial year, whichever is higher.” The fines for larger businesses can be double that figure.
To protect yourself and your business, here are steps to get started, based on what I discovered at the session. (Again, this is not intended as legal advice. Visit eugdpr.org for more information.)
• Keep records that prove your email subscribers have opted in to your policy. If there’s ever a complaint, it will be your obligation to prove you have done your due diligence.
• Create a cookie consent notice on your website.
• Make sure your existing email list is updated and that subscribers have opted in. This is a challenging one, and there may be ways to segment your list to figure out who’s based in the United States depending on your email provider. You may wish to create a special offer in conjunction with a request for subscribers to re-opt in. There’s definitely the danger that you could lose a big portion of your list if this isn’t done optimally.
“Any Website That Targets EU Consumers”
This was a shocker for me. The law as written requires these compliance measures for “any website that targets EU consumers.” I made the assumption that this detail would exempt the great majority of U.S.-based music business from much of the regulation. I was wrong.
If you sell anything to a customer in the EU, you are considered to be “targeting EU consumers.” So, that $29 software download that you sold to a student in Orlando or even the set of strings you sold from your store could turn out to be “targeting the EU” when that student or customer returns home to France, and you send her a marketing email.
Help Is Available
The U.S. Digital Service has not forgotten you. There’s a framework that you can follow and a mechanism to comply with the regulations. The service is called Privacy Shield, and if you choose to self-certify, you will pay a reasonable fee and be guided through the process. When you are approved, the policy you have put in place should, in fact, be a shield from compliance issues.
I personally believe that any business whose sales are in the millions should seriously consider the Privacy Shield framework. Like any new law or regulation, there could be unintended consequences for non-compliance. So, I would highly recommend staying current with news as the policy takes effect.
- In Plain English: Everything You Need to Know About the GDPR
In Plain English: Everything You Need to Know About the GDPR
We’ve seen how technology is disrupting industries both old and new: Uber and Lyft are disrupting transport, Netflix is disrupting how movies and TV shows are produced and consumed, and AI is threatening to disrupt every single industry in ways we never before thought possible. But technology also disrupts the laws and regulations implemented by countries, with the GDPR designed to replace a modern directive that itself was no longer sufficient: Directive 95/46/EC (a data protection directive).
The General Data Protection Regulation is, obviously, centered around data protection, but it doesn’t regulate all data protection. Instead, it is focused on the personal data of individuals, specifically individuals residing in any EU member state. It updates existing – and introduces new – regulations relating to the collection and processing of the personal data of any individual residing in any EU member state. And it doesn’t only apply to businesses and organizations with a physical presence in any EU member state. Businesses and organizations throughout the world will need to be compliant with the GDPR if they collect and process the personal data of any individuals residing in the EU.
The purpose of the regulations is not to make it more difficult for businesses to sell, market, or perform any of their normal business functions. Instead, it is designed to give individuals greater control over who collects and processes their personal data, what it is used for, and how it is kept safe.
It does this by first differentiating between personal data and sensitive personal data, with personal data being any information which makes it possible to identify an individual – either directly, or indirectly. It includes data such as names, identification numbers, location data, and online identifiers. Sensitive personal data also makes it possible to identify an individual but through an expanded scope of specific factors, including elements of their physical appearance, physiology, genetics, mental health, economic, cultural, or social identity. The collection and processing of sensitive personal data is not allowed, except under very specific circumstances, with additional requirements in terms of data safety.
Next, the GDPR refines the principle of consent, requiring:
- The explicit consent of individuals.
- The elimination of blanket consent, consent by default, and consent as a condition of sale, service, or general terms and conditions.
- The ability for individuals to easily withdraw consent.
There are provisions within the GDPR for times when consent is not necessary, but these all relate to very specific lawful bases for collecting and processing personal data.
The GDPR then clarifies the rights of individuals in terms of their personal data, broken down as follows:
- The right to be informed, typically covered by your privacy notice. Detailed information regarding who is collecting and processing the personal data, along with how it will be used, must be freely available and written in clear, plain language.
- The right of access. Individuals can request confirmation from you that their data is being processed. They can also request a copy of all their information that you hold, along with any supplementary information. It should be provided free of charge, and within one month of the request being made.
- The right to rectification. Individuals can request you to correct any incomplete or inaccurate information that you hold, with you then being responsible for passing the corrected information onto any third-parties you previously shared the data with.
- The right to erase. This is not an absolute right to be forgotten, but rather a provision for individuals to request the deletion of their data by you when there is no longer a legitimate reason for you to continue processing it, or they withdraw their consent.
- The right to restrict processing. Under certain circumstances, individuals can request that the further processing of their data be restricted. This is different to the right to erase in that you are still permitted to store some personal data, just not process it further.
- The right to data portability allows individuals to obtain their data from you, and reuse it for their own purposes across other services. However, this only applies in circumstances where the individual provided a controller with their personal data, typically during the performance of a contract application.
- The right to object. Unless you have compelling legitimate reasons to process an individual’s data, they retain the right to object to processing for a number of reasons.
- Rights in relation to automated decision making and profiling. The GDPR requires that safeguards be put in place for any automated processing and decision making, to minimise the risk of any damaging or adverse decisions being made without the possibility of human intervention, or the ability to seek an explanation.
The GDPR goes into great detail in relation to accountability and governance within businesses and organizations. This addresses matters such as:
- The implementation of measures that ensure and demonstrate compliance. This may include internal data protection policies such as staff training, internal audits of processing activities, and reviews of internal HR policies.
- Maintaining relevant documentation of all processing activities.
- Identifying whether your organization is a data processor, a data controller, or both. You need to understand the purpose and requirements of these distinct roles in terms of the GDPR, and where appropriate, you may need to appoint a data protection officer.
- The implementation of measures that satisfy the principles of data protection by design, and data protection by default. This could include:
- data minimisation
- pseudonymisation or anonymisation of data
- the ability for individuals to monitor the processing of their data
- ongoing improvement of security features
Finally, the GDPR introduces new requirements for how personal data is processed to ensure security, along with requirements for how businesses and organizations need to respond to data breaches.
It is important to remember that the GDPR does not affect all businesses and organizations, only those who collect and/or process personal data, either of their clients or on behalf of another organization. If you don’t collect or process any personal data of individuals, you have nothing to worry about. And if you do, the primary matter you should be concerned about is ensuring that you are fully compliant with the requirements of the GDPR. The GDPR should in no way prevent your business from continuing to operate, though it may force you to change some of your processes, making it more difficult to perform some tasks, but never making it impossible to operate.
The heavy fines possible under the GDPR are not meant to harm businesses, but rather to serve as a deterrent against relevant businesses and organizations from ignoring the regulations, and putting the personal data of individuals at risk.
But as with any new regulation, we will have to wait until it is enforced, and new case law established, to ascertain any true material impact on organizations, and individuals, and whether or not this will change over time.
The GDPR specifically applies to individuals, so in the context of B2B relationships – existing and new, the impact of GDPR will depend on the contact information you use to communicate with your B2B clients. Whenever your contact information includes personal data, you would need to follow the regulations relating to explicit – and recorded – consent to opt-in. This would extend to also include regulations regarding data protection.
If, however, your records only include generic contact information (a contact number or email address with no name attached) you don’t necessarily have to record explicit consent, but you must make it easy for the company or organization to opt-out, and keep a record of this.
The GDPR is not a death knell for marketing, it is simply a way of regulating certain aspects of marketing. It doesn't kill off direct marketing, it merely hands control of direct marketing to individuals. This means that marketers now need to ensure that they have explicit consent from individuals to market to them directly (be it via phone calls, email campaigns, or even direct mailing). It means marketers now need to inform individuals:
- Who will be marketing to them (company or organization name). If any third-party controllers will also be using the individual’s personal data, they too must be named.
- How their personal information will be used, and what it will be used for.
- That they can opt-out at any time, while also explaining the process for opting out.
Marketers also need to understand that blanket consent is no longer allowed. Under the GDPR, individuals give consent for a specific campaign or purpose, and should that campaign or purpose change, they need to give consent again. If your customer gives consent to receive marketing communications relating to your range of lawn furniture, you cannot suddenly switch to marketing your new range of bathroom products to them.
What does the GDPR mean for companies?
Companies and organizations collecting and processing the personal data of individuals residing in the EU, regardless of the company’s physical location, need to be aware of the following:
- The GDPR clearly defines different roles to controllers and processors. Data processors carry out the actual processing of personal data, while data controllers specify why and how personal data is processed. Data controllers are also responsible for ensuring that data processors adhere to all the requirements of the GDPR.
- Some companies and organizations are required to also appoint a Data Protection Officer(DPO). The Article 29 Working Party has published separate guidelines on DPOs, along with some helpful FAQs.
- Companies and organizations are required to obtain – and record – an individual’s explicit consent for the personal data to be stored and used. They also need to explain to the individual how the personal data will be used.
- Data breaches that are likely to result in a risk to the rights and freedoms of individuals need to be reported to the relevant supervisory authority within 72-hours. When a data breach is likely to result in a high risk to the rights and freedoms of individuals, those affected need to be notified directly.
- Individuals have the right to request a copy of their personal data and supplementary information, as processed by any company or organization. This allows individuals to be aware of, and to verify the lawfulness of the processing.
- The GDPR provides individuals with a right to erasure, sometimes referred to as a right to be forgotten. The allows individuals to request the deletion or removal of their personal data where there is no valid or compelling reason for it to continue being processed. The right is not absolute, and companies and organizations can refuse to delete data under certain circumstances.
- Data portability gives individuals the right to obtain and reuse their personal data across different services. This allows individuals to move, copy, or transfer their own personal data from one environment to another, for a number of reasons.
- While privacy by design has always been an implicit requirement of data protection, under the GDPR, companies and organizations are now obliged to implement measures to integrate data protection with data processing activities.
How will the GDPR affect US companies?
The GDPR applies to all companies and organizations collecting and processing the personal data of individuals residing in the EU, regardless of the company’s physical location. As such, US companies – and companies in other countries around the world – are still expected to comply with the new regulations if any of the personal data they collect and process is that of residents of an EU member state. This remains true even if the company does not have any physical presence in any EU member state. While the GDPR is unlikely to affect a small florist in Rock Springs, Wyoming, any business – US based, or other – collecting and processing personal data of EU residents will need to put measures in place in order to comply with the GDPR. This includes, amongst others, ensuring:
- Explicit, recorded consent to collect and process the personal data of the individual.
- Clear explanation of how and what the data the data will be used for.
- Privacy by design, along with compliance relating to data breaches.
- Support for data portability and right to erasure.
- Compliance with the GDPR requirements for the use of personal data by third-parties.
Many businesses are used to using landing pages and newsletter subscription forms to build out their customer database. Under the GDPR, this will no longer be acceptable when it comes to the personal data of EU residents because blanket consent is no longer allowed. The GDPR only recognizes explicit consent being given for a specific purpose, which must be stated when the individual gives consent. If an EU resident signs up for your weekly email newsletter, they will be giving explicit consent to receive just that: a weekly email newsletter. You cannot later switch to sending them daily deals via email, because they did not consent to that. Whenever the purpose of collecting and processing personal data changes, new consent must be given.
Why is the GDPR good for business?
The GDPR brings with it opportunities for organizations to build greater trust with their customers, and this is always positive. For many organizations, it also brings with it an opportunity to clean up their marketing and sales databases, not only updating personal data, but also ensuring that it is now filled with individuals who are still active, and still interested in your products or services. It also brings with it the opportunity for organizations to look at how they collect and process data with fresh eyes, identifying new avenues for marketing and sales growth that never existed before, or were simply overlooked. But as with any new regulation, we will have to wait until it is enforced, and new case law established, to ascertain any true material impact on organizations, and individuals, and whether or not this will change over time.
The first step is fairly obvious and involves ensuring that all relevant employees and contractors are aware of the GDPR, and what is required of them and the organization in order to be compliant.
Accountability starts with a full data audit, and depending on the size of your organization, and the amount of personal data you hold, a data audit will be one of the biggest tasks you need to accomplish ahead of GDPR enforcement. It is also one of the most important tasks.
Your data audit should see you compiling a full inventory of all personal data you hold, and answering the following questions in relation to each record:
- How did you collect the personal data? Was it given to you by the individual, and if so, how? Or was it collected by other means?
- Why did you originally collect the personal data? What was the original purpose? Was it through a newsletter signup, a request for more information on a specific product/service, through the individual creating an online account (either to shop online, or for some other purpose)?
- Why are you still processing the data, and for how much longer will you continue processing it? If you no longer have a legitimate reason for processing, you shouldn’t be holding onto the data.
- Is the data secure? This applies to both encryption, and to it only being accessible to people who understand the GDPR requirements for data processing.
- Has the data ever been shared with any third-parties. If so, do you have evidence on record that they are compliant with the GDPR, and does the individual know that their data has been shared, with who, and for what purposes?
The GDPR doesn’t only require organizations to be able to demonstrate the ways in which they comply with data processing requirements, in many instances it requires documentation to support this. Again, the ICO website has a brief checklist helping organizations identify shortcomings in the way they ask for, record, and manage consent.
Communicating with Customers, Staff, and Service Users
Compliance with the GDPR will also depend on your organization updating all privacy notices, or adding privacy notices if they aren’t already in place. When considering or updating privacy notices, it is important to do a proper assessment of how you collect data, acknowledging that – in addition to traditional forms of data collection – this could now also be any one, or a combination, of the following:
- observed, by tracking people online or by smart devices;
- derived from combining other data sets; or
- inferred by using algorithms to analyse a variety of data, such as social media, location data and records of purchases in order to profile people for example in terms of their credit risk, state of health or suitability for a job.
Privacy notices need to be concise, written in plain language, and easily accessible. The GDPR also expects organizations to include specific information in privacy notices, with slight variations depending on whether data is collected directly from individuals or not. The image below summarises this.
Privacy notices need to be concise, written in plain language, and easily accessible. The GDPR also expects organizations to include specific information in privacy notices, with slight variations depending on whether data is collected directly from individuals or not.
- GDPR – Advice for Our Industry
GDPR – Advice for Our Industry: An update from Paul McManus, Executive Director, M.I.A.
Source: MIA.org.uk August 16, 2017
I have spent time this week with GDPR legal experts in order to bring you all (hopefully) some sensible advice as to how you all prepare for the new legislation that comes into effect on May 25th 2018.
I know that you all have far more important things to do (like running a business!), but there is stuff here that you need to be doing before May….
The new rules are not a huge change from existing legislation but there are heightened expectations for a business in respect of their ACCOUNTABILITY in relation to processing and managing personal data (with substantially increased fines being announced).
Businesses involved with personal data will be expected to be able to DEMONSTRATE policies and assessments that protect data and use it appropriately.
Things to consider:
- Personal data is the means by which an individual can be “identified”. This is not just a name, but can also relate to phone numbers and addresses.
- All businesses are recommended to conduct a Data Protection Impact Assessment (and document this). This should consider a map of the data you hold, where it is stored, how you process it and who it is shared with and the risks of data breach. Plus, why you hold it and when you delete it.
- All businesses are recommended to appoint a Data Protection Officer (DPO).
- In relation to a Data Breach, do you have a policy? Have you identified the risk to the individuals that would be affected? Speedy notification of a breach to both individuals and the ICO Information Commissioners Office are now major considerations/requirements.
- Subject Access Requests – the rights of individuals to see their data that you hold. People and staff will have more “rights” going forward.
- The Right to Erasure a.k.a. the Right to be Forgotten. Not an absolute “right”, but more on this will emerge.
- ICO registration, many more companies will need to register (thankfully the fees will be removed going forward) and this will depend on the data you hold and the risk it could pose. Once you have done your Assessment, contact ICO office to discuss.
- Third Parties who use and work with your data….what sort of Data Protection Contract do you have with them?
- Is you server/cloud data actually in the EU or outside (if outside, you are technically exporting data)…worth checking!
- Websites and all communications platforms will all need looking at with respect to privacy statements, company details, complaint procedures etc.
- As a general rule, communications will require explicit opt-in permission from the individual and an opt-out option. (even old consents will need to be revisited).
There is naturally a huge amount more detail, but 11 points for now to get you thinking…
For more information, contact the MIA.
- GDPR Rules for Small Business
Better Rules for Small Business
Stronger rules on data protection from 25 May 2018 mean citizens have more control over their data and business benefits from a level playing field. One set of rules for all companies operating in the EU, wherever they are based. Find out what this means for your SME. View Info-graphic Here
- Q&A: European Commission guidance on GDPR
- What does the GDPR Govern?
- What are Data Protection Authorities?
- What is Personal Data?
- What Constitutes Data Processing?
- What are the Rules for Organizations?
- What are the Rights of Citizens?
- VPNMentor.com Report: 34% of EU Websites are currently ready for GDPR