GDPR: What’s the fuss about?

This article originally appeared in SMSwarriors.com

It’s all about the data. Your personal information is now the most valuable commodity in the world, and an increasingly crucial aspect of any business. In fact it’s said that one who has the most data will eventually control everything. So it stands to reason that governments around the world should look for the right way to regulate this new precious commodity.

The European Union has been quite active on this issue. On the 25th of May 2018 the GDPR (General Data Protection Regulation) will come into force, replacing several outdated national laws. In Malta, GDPR will replace the present Data Protection Act (Directive 95/46/EC) and the domestic laws implementing it.

We’re hearing a lot about GDPR, and everyone is nervous about the impact it might have – but it’s really not as scary as it sounds. It’s just a new regulation which will replace the Data Regulation Act, an enhanced effort to protect us and our customers’ privacy & fundamental rights.

In fact, the GDPR is a very good opportunity to adopt standardised business procedures and to interact with your business’ data more effectively. It’s not just about confidentiality, it’s more about integrity, accountability, and accuracy – and above all, it’s just a good business practice.

Will GDPR affect my business?

The short answer is yes. If you are part of an organisation which collects and processes the personally identifiable data of any individual residing in the EU member state, GDPR will come into the picture for you.

Interestingly, it will be applicable to you even if your business doesn’t have a physical presence in the EU, but deals with personal data of EU citizens. Personal data is any information which makes it possible to identify an individual. This includes names, identification numbers, location data, and online identifiers. That’s why organisations around the world are working towards being compliant with the GDPR.

The GDPR language:

To understand GDPR, you need to get used to the GDPR terminology. It essentially references three main parties: a data subject, a data controller, and a data processor. You need to determine whether your organisation is a controller or a processor.

A data subject is an individual whose personal data is processed by a controller or a processor.

A data controller is a company which collects data and decides what to do with it.

A data processor is a supplier that handles/ provides a platform to handle the data on behalf of the data controller. For instance, a financial institution would be a data controller and SMS or email marketing agency that they use would be a data processor.

A quick GDPR summary:

Here is a quick summary of other important GDPR rules:

Stringent consent requirements: Under GDPR, organisations will need to collect unambiguous, freely given, specific and informed consent to be used and stored. This means pre-ticked boxes, inactivity or consent-by-default will not be a valid way to get it. Also, consent should be as easy to withdraw as to give.

Enhanced individual rights: Individuals will have enhanced rights to access, update or delete their data at any time. This means organisations will have to make this information freely available. Also, in a few cases individuals will have the right to a copy of his/her data in a structured format which they can transfer to others.

Data breach reporting: In the event of a data breach, organisations must notify the concerned authorities (i.e. Information and Data Protection Commissioner) within 72 hours. If the data breach is likely to cause a higher risk to the freedom and rights of individuals, then they will have to be notified as well.

Significant penalties: If organisations fail to comply with GDPR, they will have to undergo significant sanctions of up to €20million or 4% of turnover, whichever is greater.

GDPR and SMS: What you need to know

We have been asked by many organisations with increasing frequency if they can still send SMS/ text messages to their existing customers in the light of the GDPR. Although things are changing, unless you are a public enterprise, GDPR will not affect your existing customer communications.

That means you can continue to send SMS and you need not re-request your existing customers’ permission to do so. However, it is necessary that you document it within your privacy policy and terms & conditions… more on that in our next article. You will also need to take a different approach when dealing with prospective and inactive customers. Stay tuned, our next article will exclusively guide you on making your lists complaint, as well as gaining consent from prospective customers.

There’s a lot of information to be had on both IDPC and DMA if you looking for more resources on GDPR.

SMSwarriors is committed to supporting our valued customers as they prepare for the EU General Data Protection Regulation. We’re closely following its developing guidelines and are adapting our plans accordingly. We commit to ensure that its obligations are fulfilled by May 25th, 2018.

Consent is not the only road towards your GDPR compliance journey. Check out my next article about consent alternative.

Disclaimer: While we have checked our sources, it is important for you to seek legal advice related to GDPR compliance. This article does not constitute legal advice.