The General Data Protection Regulation (GDPR) went into effect in the European Union (EU) on May 25, 2018. Following adoption of this legislation by the Council of the EU and the European Parliament in 2016, companies were given a two-year period to prepare for compliance with this far-reaching privacy and security regulation.
What is GDPR?
The GDPR is the EU’s plan for data protection in the 21st century, and replaces the EU Data Protection Directive enacted in 1995. GDPR gives individuals who reside in the EU (referred to as “data subjects” in the regulation) more control over the use of their personal data. It also increases the overall level of protection of all personal data for individuals who live in the EU’s member countries. According to the GDPR, personal data is broadly defined and can include name, address, photos, IP addresses, genetic and medical information, email addresses, and more.
Under the GDPR, individuals have several rights concerning the handling of their personal data. The first is that personal data can be collected and used (referred to in the GDPR regulation as “processing”) for only 6 lawful reasons. (See GDPR Article 6: Lawfulness of processing.) One scenario in which an organization can collect and use an individual’s personal information is when the individual has given consent. Individuals must grant consent via an “opt-in” process, and withdrawing consent must be as easy as giving it.
Some additional rights for individuals include:
- The right to know when their data is breached
- The right to know when, how and where their data is “processed”
- The right to access a copy of their data free of charge
- The ability to have their data ported to another provider
- The right to have their data erased, also known as the “right to be forgotten,” if there are no grounds to retain it
The GDPR also requires that data subjects have the means to lodge complaints with local supervisory authorities and be eligible for compensation for damages. The penalties for non-compliance are harsh – up to 20 million Euros or 4% of total global revenue, whichever is higher, for each infringement.
The Role of Businesses in the GDPR
According to the GDPR, a business is a “controller,” “processor” or both. GDPR describes these terms as follows:
Controller – an organization responsible for determining the purposes and means for using (“processing”) personal data. Generally controllers have a direct relationship with the data subject, e.g., customers or employees.
Processor – vendors that “controllers” use to “process” (collect, record, organize, structure, store, adapt or alter, retrieve, consult, use, transmit, disseminate or otherwise make available, align or combine, restrict, erase, destroy) their customer and employee personal data.
The GDPR applies to companies both inside and outside the EU: compliance is expected of any controller or processor that handles the personal data of individuals in the EU, even if the company is not located in one of the 28 EU member states.
Impact for US-based Companies
US-based businesses that offer/sell goods and services to individuals in the EU (referred to by the regulation as “targeting”), including goods or services provided at no charge, or companies that process data subjects’ personal data, are required to comply with the GDPR. For instance, a company that translates their website into European languages, accepts European currencies, ships to European locations, etc., is considered to be “targeting” EU data subjects. Additionally, a social media network like Facebook that collects the personal data of people in many countries and regions, including the EU, needs to comply with the regulation for individuals in the EU.
The GDPR can also apply to US-based companies that have employees, but not customers, located in the EU. The personal data a company collects about an employee in the normal course of business is covered under the GDPR. (The same rules apply to information gathered about job candidates based in the EU.) Additionally, organizations that monitor or track data subjects in the EU, e.g., analytics companies, must also comply with the GDPR.
While the GDPR is EU legislation, it has global implications. This new regulation applies to organizations that do business in any EU member country or process personal data for EU data subjects. The regulation does not specifically mention contact centers, but its provisions have far-reaching implications for all customer-facing business units.
DMG Consulting LLC is a leading independent research, advisory and consulting firm specializing in unified communications, contact centers, back-office and real-time analytics. Learn more at www.dmgconsult.com.