GDPR – the new EU General Data Protection Regulation – how does it affect us?
At Paloma, we are working intensively to ensure that our business complies with the EU's new General Data Protection Regulation, which enters into force on 25 May 2018. We get a lot of questions from our customers about what the new regulation entails, what we're doing, what you need to do, and who is responsible for what. We have sorted it all out below.
Note: It is important to keep in mind that there is not yet a common practice regarding GDPR, as the regulation is new and will not enter into force until May. Thus, we can only provide general information on what the regulation entails.
What is GDPR?
Answer: GDPR refers to the General Data Protection Regulation, a new EU regulation that will enter into force on 25 May 2018. The new regulation (in Swedish called “Allmänna dataskyddsförordningen”) replaces PUL, the Swedish Personal Data Act.
To whom does the regulation apply?
Answer: All organisations, industries, and businesses that store, or in any way manage, personal information about their employees or customers. The regulation also applies to small business owners with a simple website or blog, and/or who send newsletters to a group of people, regardless of the number of recipients. It is important to remember that GDPR applies not only online or digitally but to all forms of personal data collection.
What does the regulation mean, in broad terms?
- Enhanced protection for the individual with respect to his or her personal data.
- Significantly stricter requirements on personal data management.
- Requirements for new procedures and processes for the management of personal data registries.
- That those who use or collect personal data in any way must obtain proper consent from the individual subject.
- That the individual may withdraw his or her consent at any time.
- That information is included about why personal data are collected, if such collection is necessary, and what they will be used for.
- That every individual has the right to be forgotten; that is, to have his or her data deleted from a company's registry.
- That every individual has the right to have his or her data corrected and moved.
- That every individual has much greater insight into the management and storage of his or her personal data. This means that the individual has the right to receive information on what data each company has on him or her at all times.
- That it becomes illegal to collect personal data and sell them to third parties.
What is defined as personal data?
Any information relating to an identified or identifiable living natural person: names, images, e-mail addresses, telephone numbers, IP addresses, DNA, residential addresses, etc. All kinds of information, really, that can directly or indirectly be attributed and linked to a living natural person.
Why is the new regulation being introduced?
Today, large amounts of data on all individuals are collected constantly, for example when using digital tools and services or moving through the digital world. The EU therefore wants to ensure a high level of protection for each citizen, adapted to the rapid pace of technological development. The EU also wants to safeguard citizens' privacy protection under the European Convention, which states that "everyone is entitled to respect for their privacy".
How can each company, organisation, and industry prepare?
Each company and organisation must comply with the General Data Protection Regulation, which, in most cases, involves major transitions. The time has come to review current personal data management and create processes, procedures, and quality assurance systems in order to meet the requirements of the new regulation.
How is Paloma preparing?
We are reviewing the current personal data management, creating processes, procedures, and quality assurance systems in order to meet the requirements of the new regulation. We are also working hard with the development and changes required to enable our customers to properly apply the GDPR.
An example of the above is that we are building different IT solutions linked to Magnet and Postman in order to facilitate customer compliance with the GDPR. Our intention is to make our web-based tools GDPR-compliant.
What do you, as a customer, need to do?
Here are some tips:
- Make sure everyone in your organisation is familiar with the GDPR and what it means in general.
- Review what personal data your company handles and stores.
- Review what personal data your company currently collects.
- Make sure you have a summary of why you have the personal data stored and in what way. Be transparent!
- Promptly delete all unnecessary personal data as well as mailing lists that you do not use.
- Report any breach or risk of data ending up in the wrong hands to the Swedish Data Protection Authority within 72 hours, and establish a protocol for how to go about it.
- Make sure you have someone in charge for handling matters of the right to be forgotten.
- Make sure you can prove that you have obtained consent from your newsletter recipients. Otherwise, you have to send out a specific request to obtain it.
- Evaluate whether there is legitimate interest for sending out, for example, a newsletter to someone, or if you need to recreate your e-mail address list and obtain active consent.
- Find out what consent means. The recipient/customer always has the right to withdraw his or her consent.
- Specify what you are requesting consent for.
- Note: Did you forget to add an unsubscribe link to your newsletter? Do it today!
Data Controller – what does it mean?
Those of you who collect personal data are called data controllers. You are responsible for the following:
- Understanding that personal data is a person's right. That is, you do not own it, neither as a company nor as an organisation. The private individual does.
- Respecting “Privacy by Default”. Do not collect data that you do not need.
- As data controller, you determine the purposes of the processing and how the principles are applied.
- Adhering to the principle that silence is not considered consent. Neither are pre-checked boxes and/or inactivity.
Data Processor – what does it mean?
We – Paloma AB and Magnet AB – are so-called data processors. This means that we are a party that processes personal data on behalf of the data controller. The data controller and data processor must establish a so-called data processing agreement. According to the General Data Protection Regulation, the agreement must include:
- processes in the event of a data breach.
- processes for reporting any data breach to the Swedish Data Protection Authority.
- confirmation that we, as data processor, maintain the highest level of security on our servers.
- documentation of what personal data we store, how we store them, and why we store them.
What exactly is defined as collection of personal data...?
This is an important question to look into. Search the web and review your business. You can, for example, start by reviewing how names and e-mail addresses are stored on your server, on your website. And once you know what information you collect, you need to be able to answer why you do it!
How is consent formulated in the regulation?
"Any freely given, specific, informed and unambiguous indication of the data subject's wishes by which he or she, by a statement or by a clear affirmative action, signifies agreement to the processing of personal data relating to him or her." Pre-checked boxes and similar solutions are no longer permitted.
What if a customer's consent is needed for several purposes? How does it work then?
In that case, the customer must give consent for each purpose.
If, for example, you send out a regular newsletter on the topic of running and have collected e-mail addresses in connection with this, and then want to write another newsletter on the topic of makeup, you need to obtain new consent. The people on your mailing list have not consented to subscribing to news about makeup.
Therefore, make sure to state clearly what the customer is consenting to, and repeat what the customer has consented to in the confirmation e-mail.
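The consent rules above (a clear affirmative action, no pre-checked boxes, one consent per purpose, the right to withdraw, and being able to prove that consent was obtained) map naturally onto a small append-only consent log. The following is an added illustration written for this page; it is not Paloma's, Magnet's or Postman's code, and the e-mail addresses, purpose names and form labels in it are constructed sample values.

```python
from dataclasses import dataclass
from datetime import datetime, timezone
from typing import Optional


@dataclass(frozen=True)
class ConsentEvent:
    """One entry in the consent log. Frozen so the log can serve as evidence."""
    subject: str      # the data subject, here identified by e-mail address
    purpose: str      # exactly one purpose per record, e.g. "newsletter:running"
    granted: bool     # True = consent given, False = consent withdrawn
    source: str       # where and how it happened (form, page, wording shown)
    at: datetime      # UTC timestamp of the action


def affirmative_action(checkbox_checked: bool, checkbox_prechecked: bool) -> bool:
    """A tick only counts if the subject set it: a box that was already checked
    when the form loaded is not a clear affirmative action, and an unchecked
    box (silence / inactivity) is not consent either."""
    return checkbox_checked and not checkbox_prechecked


class ConsentLedger:
    """Append-only, per-purpose consent log for a newsletter sender."""

    def __init__(self) -> None:
        self._events: list[ConsentEvent] = []

    def record(self, subject: str, purpose: str, source: str,
               checkbox_checked: bool, checkbox_prechecked: bool,
               at: Optional[datetime] = None) -> bool:
        """Store a consent only if it came from an affirmative action.
        Returns False (and records nothing) for pre-checked or untouched boxes."""
        if not affirmative_action(checkbox_checked, checkbox_prechecked):
            return False
        self._events.append(ConsentEvent(
            subject, purpose, True, source, at or datetime.now(timezone.utc)))
        return True

    def withdraw(self, subject: str, purpose: str, source: str,
                 at: Optional[datetime] = None) -> None:
        """Withdrawal is logged, not erased, so the history stays auditable."""
        self._events.append(ConsentEvent(
            subject, purpose, False, source, at or datetime.now(timezone.utc)))

    def _latest(self, subject: str, purpose: str) -> Optional[ConsentEvent]:
        # The most recent event for this (subject, purpose) pair decides.
        for event in reversed(self._events):
            if event.subject == subject and event.purpose == purpose:
                return event
        return None

    def has_consent(self, subject: str, purpose: str) -> bool:
        """No record at all means no consent: silence never counts."""
        event = self._latest(subject, purpose)
        return event is not None and event.granted

    def proof(self, subject: str, purpose: str) -> Optional[ConsentEvent]:
        """The evidence to show if asked how consent for this purpose was obtained."""
        event = self._latest(subject, purpose)
        return event if event is not None and event.granted else None

    def recipients_for(self, candidates: list[str], purpose: str) -> list[str]:
        """Filter a mailing list down to those who consented to *this* purpose."""
        return [s for s in candidates if self.has_consent(s, purpose)]


def demo() -> dict:
    """Walk through the running/makeup scenario with constructed sample data."""
    ledger = ConsentLedger()
    signup = datetime(2018, 5, 25, 9, 0, tzinfo=timezone.utc)  # constructed timestamp
    # anna ticked an unchecked box on the running sign-up form: valid consent.
    ledger.record("anna@example.com", "newsletter:running",
                  "running-signup-form v2", True, False, signup)
    # bertil's form had the box pre-checked: not recorded as consent.
    ledger.record("bertil@example.com", "newsletter:running",
                  "running-signup-form v1 (pre-checked)", True, True, signup)
    everyone = ["anna@example.com", "bertil@example.com"]
    running = ledger.recipients_for(everyone, "newsletter:running")
    # Nobody consented to a makeup newsletter, so that list is empty.
    makeup = ledger.recipients_for(everyone, "newsletter:makeup")
    # anna later clicks the unsubscribe link.
    ledger.withdraw("anna@example.com", "newsletter:running", "unsubscribe-link", signup)
    return {
        "running_before": running,
        "makeup": makeup,
        "running_after": ledger.recipients_for(everyone, "newsletter:running"),
    }
```

Each record carries the purpose, the source (which form and wording) and the time, which is exactly what you need to show when asked to prove consent; reusing the running list for a makeup newsletter fails the `recipients_for` filter because no event exists for that purpose.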
How will the regulation affect companies’ use of social media, such as Facebook, YouTube, Instagram, LinkedIn, etc.?
Companies are responsible both for their own posts and for other users' posts on their social media pages. However, the extent of that responsibility depends on, for example, the ability to delete user posts or disable features such as comments. A number of other measures in the area of social media will also be required. If you and your business are active on social media and have many followers, you can find more information about the issue online.