Speaking from experience, data is the lifeblood of a Digital Agency. It lets you establish an objective point of view, it is the fuel for many marketing efforts, perhaps quite obviously for e-mail marketing. Furthermore, data allows you to track your effectiveness and can form the basis for future strategies.

Knowing how crucial data is to us and so many other businesses, a quick glance at the GDPR could send you into a panic. It is not a small set of changes but a complete reset on the philosophy of how data is managed, and the value placed on it.

The GDPR is actually a step forward for all of us, it is a good thing. More accountability, more protection, and more control. You might not have guessed that after reading some of the coverage it’s been getting.

That’s why we read through the finer points of the GDPR, because we want to take it and embrace this new way of processing data. The GDPR needn’t be a scary thing but it does require you to have a good working knowledge of it.

With that in mind, we went looking for some of the lesser asked questions. We went straight to the people who know it inside out – lawyers. The people we talked to have been implementing GDPR compliance across the EU. We asked them what the best practices are to ensure you don’t fall foul of the new law.

In Case You Haven’t Read The GDPR:

The General Data Protection Regulation replaces the Data Protection Directive 95/46/ EC (and the 1998 Data Protection Act for us in the UK!) on May 25th. It was designed to harmonise data privacy laws across Europe, protecting and empowering all EU citizens. It should reshape the way organisations across the region approach data privacy.

The rules will apply to all companies that collect the private information of EU citizens, whether the business is based in the European Union or not, and the fines for non-compliance will be extreme. For example, fines for an unreported breach can be up to €20,000,000 or 4% of a company’s global turnover, whichever is higher(!), so getting caught out is going to prove very costly.

In addition, the cross-border transfer of EU citizens’ data outside the region will become much harder. The EU Commission will assess third-party countries’ level of protection by carrying out ‘adequacy’ assessments binding to all Member States. They will then carry out reviews every four years to ensure continued compliance.

Any businesses that collect sensitive personal information will need to carry out and regularly update GAP analyses, data protection impact assessments, privacy audits and data breach roadmaps in order to stay on the right side of GDPR.

The main challenge for corporations will be assessing their current information collection and storage systems against the new regulations and ensuring compliance before the May 2018 deadline. Accountability is critical, and concepts such as pseudonymisation will become commonplace under the new regulations.

Who Keeps Track of All Your Data?

It’s a very good question and for the avoidance of doubt, that answer is you. Coming to terms with the fact you are actively responsible for the safe-keeping and responsible use of other people’s data is crucial. Keeping track of where your data is and if it is adhering to the new rules can be full-time job. Indeed, outlined in the GDPR is the ‘suggestion’ of a Data Protection Officer (DPO).

You don’t necessarily have to hire a new person, as corporate lawyer Ruggero Sammartano explains:

“For some, the GAP analysis process is not straightforward but is definitely the first step towards compliance. One size doesn’t fit all, everyone has different data management needs, which means different attitudes and different measures need to be considered in each case.

In some environments, an external consultant acting as a data protection officer (DPO) can reduce uncertainties and train internal staff to take over the role in the future.”

What If I’m Outside of the EU?

It depends. If you process any personal data of an individual who is an EU citizen, then you are indeed bound to these rules when handling their data. Whilst on the surface, having these rules applied on a citizenship basis is a challenge to non-EU companies, there is an opportunity in it, as explained by Kerry Beynon partner at Acuity Legal:

“There is an opportunity if you are an American company for example, and you can show you are compliant, you can enhance your reputation significantly. It’s a double-edged sword.”

Though alarmingly, the acknowledgment of the GDPR outside the EU is low. Don’t get caught out! Specific mention goes to the US because when we asked William Shawn, a lawyer from the US, he had this to say:

“Awareness of GDPR in the US is non-existent, except for the most substantial and sophisticated companies.”

What on Earth is Pseudonymisation?

At the heart of the GDPR is an effort to protect individuals from abuse of their sensitive data, which is where a process called Pseudonymisation comes in. Pseudonymisation only applies to data that is related to an identified or identifiable natural person, it consists of separating information that could directly identify the person from the data that is processed.

Which means, the data being processed could not be used to identify the person without the information that has been securely stored elsewhere. This practice is not compulsory, but we really recommend it, should the worst happen, and you suffer a data breach, having measures like this in place will save you in the future.

By doing this, you also allow yourself some leeway in how you use your data, as Steven de Schrijver explains:

“More lenient data protection rules and relaxed standards will apply to data controllers that use this privacy-enhancing technique. For example, the GDPR permits the processing of pseudonymised data, for uses beyond the purpose for which the data was originally collected.”

So, the more protection you put in place, the more you can make use of the data.

We hope this answered some questions you might not have considered. Getting into the details of the GDPR is a daunting prospect but these finer points of the regulation will give you the information you need to navigate your way through this new era.

Additionally, ICO has put together a checklist to help you achieve compliance. They’re trying to make it as straight-forward as possible, you can get that list here.

Best of luck!