Understand GDPR and its main implications for companies and marketing strategies


I. General information

—> Explanation:

The General Data Protection Regulation (GDPR) came into force on 25 May 2018 and is the legislative basis for the protection of personal data in Europe. Applying to all nationals of the Union, it is intended to be essentially protective and homogenizing.

Indeed, in addition to modernising an obsolete and inadequate European law on personal data protection, the GDPR standardises data protection, makes companies closely or remotely linked to data processing accountable, and consolidates the rights of individuals, including consumer rights such as the right to information, notification, access and others.

—> Recipients:

All companies or entities collecting or working with the data of European citizens are concerned, regardless of their degree of involvement in the management of this information (such as cloud providers).

Thus, the legal obligation arising from the GDPR applies to the member countries of the European Union and is likely to apply beyond European borders as long as at least one piece of data from a European citizen is involved in the work carried out by the company.

Furthermore, although some have seen potential post-Brexit enforcement flaws (as Brexit took place on 29 March 2019), for UK companies this has not complicated matters in relation to the provisions of the Regulation. If the UK wishes to use EU data, the GDPR will of course apply without exception, and for correlated markets a legal equivalence implementation will need to be carried out.

—> Penalties for non-compliance:

Non-compliance with the provisions set out in the Regulation leads to sanctions in the form of economic fines (the fine is measured as a percentage of turnover but does not exceed 4% for the largest companies), assessed according to a principle of infringement levels. Examples include failure to notify, failure to carry out an impact assessment, or non-compliant registration.

II. Understand the essential compliance requirements of GDPR in the context of a company

—> Are you subject to the GDPR?

In order to fully understand the application of the GDPR, it is first necessary to consider if the GDPR applies to your business.

As previously stated, the provisions set out in the GDPR only apply to cases of collection or storage of data relating to a national or nationals of the EU.

If the company is concerned by the GDPR, it is appropriate to understand the so-called "basic" compliance requirements set forth by the GDPR.

Compliance in data collection

Compliance in the collection of data is a key point in GDPR provisions. Under Article 4, GDPR requires free, informed and unambiguous consent to data collection.

This translates, for example, into a single opt-in consent, backed by storage systems that keep evidence of each consent given. In addition, the company should be able to delete and/or modify data following consumer requests.

The emphasis is thus on the possibility for the consumer to consent or not to the collection of his or her data and the ability to unilaterally withdraw at any time despite prior consent.

This changes many things, particularly in marketing, as opt-in collection is fully regulated and soft opt-in is prohibited.

It is also strongly recommended to follow the double opt-in approach and to verify that service providers comply with the requirements of the GDPR.

Compliance in data processing

After data collection, compliance also concerns data processing.

In this respect, any use of the personal data collected for purposes other than those stated at the time of collection is firmly prohibited and is criminally punishable as a violation of the law.

As long as the company processes data for a specific purpose indicated at the time of collection, its scope of action may not exceed that stated purpose.

In addition, the data must be checked regularly to keep it up to date. This check should be followed by a notification to the data subjects, in the interests of confidentiality.

Data subjects will also always have the option of restricting the processing of their data if they have concerns about the information held or the way in which it is processed. In this case, the company is obliged to respond positively to such a request.
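The two requirements above, keeping evidence of consent that the data subject can withdraw at any time, and refusing to process data for a purpose other than the one stated at collection, can be enforced with one small record store. The following is an added example, not code from the article or from any named product; the record fields, the `explicit_action` evidence flag and the SHA-256 chaining are my own choices to make the ledger append-only and tamper-evident.

```python
# Added example (not from the article): an append-only consent ledger that keeps
# evidence of each opt-in, lets a data subject withdraw at any time, and refuses
# processing for any purpose the subject never consented to.
from __future__ import annotations
import hashlib
import json
from dataclasses import asdict, dataclass, replace
from datetime import datetime, timezone

GENESIS = "0" * 64  # hash the first record chains to


@dataclass(frozen=True)
class ConsentEvent:
    subject_id: str
    purpose: str      # purpose stated at collection time, e.g. "newsletter"
    action: str       # "grant" or "withdraw"
    timestamp: str    # ISO-8601 UTC, when the event was recorded
    evidence: dict    # what proves the event: form id, wording version, source
    prev_hash: str    # digest of the previous event (tamper evidence)
    digest: str       # digest of this event's own fields


def _hash(fields: dict) -> str:
    return hashlib.sha256(json.dumps(fields, sort_keys=True).encode()).hexdigest()


class ConsentLedger:
    def __init__(self) -> None:
        self._events: list[ConsentEvent] = []

    def _append(self, subject_id, purpose, action, evidence, when=None) -> ConsentEvent:
        when = when or datetime.now(timezone.utc)
        fields = {
            "subject_id": subject_id,
            "purpose": purpose,
            "action": action,
            "timestamp": when.isoformat(),
            "evidence": evidence,
            "prev_hash": self._events[-1].digest if self._events else GENESIS,
        }
        event = ConsentEvent(**fields, digest=_hash(fields))
        self._events.append(event)
        return event

    def grant(self, subject_id, purpose, evidence, when=None) -> ConsentEvent:
        # Only explicit opt-ins are recorded: a pre-ticked box or silence is not consent.
        if not evidence.get("explicit_action"):
            raise ValueError("consent must come from an explicit, affirmative action")
        return self._append(subject_id, purpose, "grant", evidence, when)

    def withdraw(self, subject_id, purpose, evidence, when=None) -> ConsentEvent:
        # Withdrawal is always accepted, whatever was granted before.
        return self._append(subject_id, purpose, "withdraw", evidence, when)

    def is_processing_allowed(self, subject_id, purpose) -> bool:
        # The latest event for this (subject, purpose) pair decides; a purpose that
        # was never consented to is denied, which enforces purpose limitation.
        for event in reversed(self._events):
            if event.subject_id == subject_id and event.purpose == purpose:
                return event.action == "grant"
        return False

    def evidence_for(self, subject_id, purpose) -> list[dict]:
        # Full history, usable to prove how and when consent was obtained or withdrawn.
        return [asdict(e) for e in self._events
                if e.subject_id == subject_id and e.purpose == purpose]

    def verify_chain(self) -> bool:
        # Recomputes every digest and link; any edit made outside the API is detected.
        prev = GENESIS
        for e in self._events:
            fields = asdict(e)
            del fields["digest"]
            if e.prev_hash != prev or _hash(fields) != e.digest:
                return False
            prev = e.digest
        return True

    def tamper_for_demo(self, index: int, **changes) -> None:
        # Simulates a direct edit of stored data so verify_chain() can show the effect.
        self._events[index] = replace(self._events[index], **changes)


def run_demo() -> dict:
    """Walks through grant, purpose check, withdrawal and tamper detection."""
    ledger = ConsentLedger()
    ledger.grant("subject-1", "newsletter",
                 {"form": "signup-v3", "explicit_action": True, "source": "website"})
    out = {"after_grant": ledger.is_processing_allowed("subject-1", "newsletter"),
           "other_purpose": ledger.is_processing_allowed("subject-1", "profiling")}
    ledger.withdraw("subject-1", "newsletter", {"source": "unsubscribe-link"})
    out["after_withdraw"] = ledger.is_processing_allowed("subject-1", "newsletter")
    out["history_len"] = len(ledger.evidence_for("subject-1", "newsletter"))
    out["chain_ok"] = ledger.verify_chain()
    try:  # a pre-ticked box carries no explicit action and is rejected
        ledger.grant("subject-2", "newsletter", {"form": "pre-ticked"})
        out["soft_optin_rejected"] = False
    except ValueError:
        out["soft_optin_rejected"] = True
    ledger.tamper_for_demo(0, purpose="profiling")
    out["chain_ok_after_tamper"] = ledger.verify_chain()
    return out


if __name__ == "__main__":
    print(run_demo())
```

The check a processing job should make is `is_processing_allowed(subject, purpose)` with the purpose that was stated at collection; anything else returns `False`, including purposes that were never asked about. The chained digests do not stop someone with write access to the store from editing it, but they make such an edit visible the next time the chain is verified.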

Census of all processing of personal data carried out

The GDPR requires a census of all data processing, regardless of the manner or purpose. Therefore, whether the company's data processing activity takes the form of newsletters or other marketing activities such as telephone calls, satisfaction surveys, etc., or is carried out through social networks or websites, an inventory of processing operations must be made.

This census must also respect certain rules (set out in Article 30). The elements required for the establishment of the census are:

  1. The name and contact details of the controller and, where applicable, the joint controller, the controller's representative and the data protection officer
  2. The purposes of the processing operation
  3. A description of the categories of data subjects and categories of personal data
  4. The categories of recipients to whom the personal data have been or will be disclosed, including recipients in third countries or international organisations
  5. Where applicable, transfers of personal data to a third country or to an international organisation, including the identification of that third country or international organisation and, in the case of transfers referred to in the second subparagraph of Article 49(1), the documentation attesting to the existence of appropriate safeguards
  6. Where possible, the time limits for the deletion of the various categories of data
  7. To the extent possible, a general description of the technical and organisational security measures referred to in Article 32(1)

In addition, the company must have a controller or controller's representative and a register of all data processing activities.
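A register is only useful if each entry actually carries the elements listed above, so a completeness check is a natural companion to it. The following is an added example, not code from the article; the field names (`controller`, `purposes`, `third_country_transfers`, ...) and the two sample entries are my own constructed mapping of the Article 30 elements, and the sample register is constructed data, not a real company's.

```python
# Added example (not from the article): a completeness check for processing-register
# entries. Keys are a constructed mapping of the Article 30 elements listed above.

# Elements every entry must carry.
REQUIRED = {
    "controller": "name and contact details of the controller (and DPO where applicable)",
    "purposes": "purposes of the processing operation",
    "data_subject_categories": "categories of data subjects",
    "data_categories": "categories of personal data",
    "recipient_categories": "categories of recipients",
}

# Elements to supply where possible; their absence must at least be explained.
BEST_EFFORT = {
    "retention_limits": "time limits for deletion of the various categories of data",
    "security_measures": "general description of security measures (Article 32(1))",
}


def check_entry(entry: dict) -> list[str]:
    """Returns a list of findings for one register entry; empty means complete."""
    findings = []
    for key, label in REQUIRED.items():
        if not entry.get(key):
            findings.append(f"missing: {label}")
    for key, label in BEST_EFFORT.items():
        if not entry.get(key):
            findings.append(f"document or justify absence: {label}")
    # Transfers outside the EU need the destination identified and safeguards documented.
    for transfer in entry.get("third_country_transfers", []):
        country = transfer.get("country")
        if not country:
            findings.append("transfer without an identified third country or organisation")
        if not transfer.get("safeguards"):
            findings.append(f"transfer to {country or '?'} lacks documented safeguards")
    return findings


def check_register(register: dict) -> dict:
    """Maps each processing operation name to its findings."""
    return {name: check_entry(entry) for name, entry in register.items()}


# Constructed sample register: one complete entry and one with gaps.
SAMPLE_REGISTER = {
    "newsletter": {
        "controller": "Example Ltd, privacy@example.invalid",
        "purposes": ["sending the monthly newsletter"],
        "data_subject_categories": ["subscribers"],
        "data_categories": ["e-mail address", "first name"],
        "recipient_categories": ["e-mail delivery provider"],
        "retention_limits": "until unsubscribe, then 30 days",
        "security_measures": "TLS in transit, encrypted at rest, role-based access",
    },
    "phone_survey": {
        "controller": "Example Ltd, privacy@example.invalid",
        "purposes": ["customer satisfaction survey"],
        "data_subject_categories": ["customers"],
        "data_categories": ["telephone number", "survey answers"],
        "recipient_categories": [],          # not documented
        "security_measures": "call-centre access controls",
        "third_country_transfers": [{"country": "US", "safeguards": ""}],  # none documented
    },
}


if __name__ == "__main__":
    for name, findings in check_register(SAMPLE_REGISTER).items():
        print(name, "->", findings or "complete")
```

Run against the sample register, the newsletter entry comes back clean, while the phone survey is flagged three times: no recipient categories, no retention limit, and a transfer to a third country with no documented safeguards. Running the same check over the real register before each review is a cheap way to keep the census from drifting.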

Compliance in data storage and access

The company must comply with the rules on data storage and, logically, on access to that data.

This measure is put in place in order to protect the data of users. The implementation of a secure storage system is a major point of the GDPR.

If a data loss or data breach occurs during the course of the company's business, this will result in severe penalties for the company due to the potential damage to people's data and the adverse uses to which it may be put.

Furthermore, the company must inform the persons concerned by the processing of their data of the location of the storage.

This means that no department or person not authorised to access the data should be able to access it, regardless of whether it is being processed, has been processed, or is awaiting processing. As the consent-based approach implies a mutual commitment, it must be possible for users to opt out at any time.

Users must also be able to make changes to their information. The company should ensure that data subjects can access their data for updating purposes as soon as necessary or requested.

Compliance in data deletion and transfer

The company processing data of EU nationals must comply with the deletion and transfer of data.

As mentioned in the previous point, it is necessary to be able to transfer personal data from the storage system to third party services when it is requested by a user.

The GDPR does not specify whether storage systems should use only EU servers or not.

A user may also request the deletion of all personal data that he or she believes is not being used appropriately by the company.

In both cases (deletion and transfer), companies are not entitled to penalise a user for making such a request and are obliged to respond promptly to the request by making the necessary arrangements for its completion.

Finally, users must be able to access their data in a readable, understandable and usable form at any time, and must also be able to download the information collected about them. The downloaded information file must be password protected.

Compliance with the pre-existing contact list at the entry into force of GDPR

The GDPR does not only apply to data collected after its applicability on 25 May 2018, but also to data collected before the entry into force of the Regulation.

The company must therefore check whether it has an inventory of the data collected before 25 May 2018 and whether it has retained evidence of consent.

If the data was not collected under the opt-in system according to the collection conditions set out above, a new authorisation must be obtained, in accordance with the points mentioned above, in order to continue working with the data. Furthermore, the company must eliminate inactive contacts.

Compliance in the verification of the origin of the addresses collected

The company must check the origin of the addresses of the data collected, i.e. telephone numbers and e-mail addresses.

Within the framework of the GDPR, it is advisable to check whether the company has kept traces of the origin of the contacts.

It is then necessary to establish whether they come from an opt-in database, from a co-registration partnership, from a database purchase, etc.

The company must be able to know and prove how the contact arrived in the database.

Compliance in the purchase of contact lists

The GDPR does not restrict the procurement of databases through purchase. However, the company must ensure, to the extent of the information available to it, that the contact list has been obtained in accordance with the measures imposed by the GDPR.

Compliance with profiling

Profiling is still permitted under the GDPR provided that the rights of the contacts whose data is used are respected.

Compliance on unsubscribing

This compliance is more related to e-mailing. In the context of email marketing, recipients of emails must be able to unsubscribe in a simple and clear manner at any time.

An unsubscribe link must be included in the e-mail sent and must be clearly visible so that the subscriber can, if he or she so wishes, unsubscribe from the marketing communication concerned and from all marketing communications that may be sent in the future. In addition, a return email address should also be included so that the subscriber can use it if necessary.

Thus, making it easy for contacts to subscribe and unsubscribe is important to ensure compliance with the GDPR.

Compliance with transparency on collection

In order to make a stronger case for transparency of collection and to push the legal obligations further than cookies warning banners, GDPR requires companies and entities to detail how data is collected, stored, used and potentially transferred.

In order to ensure transparency and make data collection GDPR compliant, any data collector should, if they have not already done so, simplify and expand their privacy pages.

As with all compliance, the listing of these requirements must be understandable to the user, so that they understand in a simple way how their information is being collected and how it will be used. Collectors should communicate all of these points.

Setting up a DPO for certain structures (Data Protection Officer)

A DPO has special and diversified skills, such as legal, IT, communication and cyber security skills, but is above all a specialist in data protection and the GDPR.

The GDPR imposes a legal obligation to appoint a DPO but this does not concern all companies and entities.

The compulsory appointment of a DPO concerns public bodies, companies processing sensitive data (data related to health, biometric data, political opinions, religious beliefs, etc.) and data requiring regular and rigorous monitoring.

The DPO may be appointed from outside the company, which is then not obliged to recruit a DPO exclusively for its activity.

For other companies or entities which do not work with this type of data, there is no obligation to work with a DPO, even if the interpretation of the provisions of the GDPR makes it a logical recommendation.

It should be noted that calling on a DPO can have competitive advantages, in terms of a security label that can be displayed and shown to users, as well as the certainty of a legal framework that complies with the GDPR.

III. Steps and process for thinking about compliance

In view of the essential compliance requirements set out in section II, there are several lines of thought that can be followed towards compliant data management.

First of all, the company must know whether it is affected by the GDPR measures and, if so, what types of data are processed.

—> Identification and determination of data processing:

This involves determining all the data processing carried out and the steps by which it is carried out. In short, it means tracing every step the data takes within the company, from collection to processing and on to the deletion of data not necessary for the company's activity, and precisely identifying the data of European nationals where several kinds of data are held. The company must determine all the processing operations that require an analysis against the GDPR measures.

This will involve identifying the methods used, or to be adapted, in relation to the consent process, deletion, retention period, purchase and exchange of data (particularly with countries outside the EU), processing and related risks, identification and registration, etc.

In addition, the company must also determine, in the event that the legal obligation to use a DPO does not apply to it, whether it wishes to collaborate with a DPO or not.

—> Checking for adequate protection:

In addition to identifying the data processing, the company must also identify the protection measures in place or to be put in place.

As the entire process must be secure, the company must regularly check (or secure and lock down) the methods of access to data storage, whether internal access by employees or external access by malware or attackers.

The IT risks must also be identified and evaluated.

The company is also required to anticipate the risks of potential attacks and the subsequent solutions.

In addition to being able to determine the data protection risks, the company must be able to inform the authorities within 72 hours in the event of a proven breach (data leakage, etc.).

A company that subcontracts data to third parties, for instance in the context of exchanges or sales, must verify with its partners that the IT risks are correctly addressed.

Having identified the risks linked to data protection, the company must regularly check that its protection systems are not obsolete.

—> Establishing recurrent monitoring of data processing:

Identification is an ongoing process of reflection on data processing. The company or entity must ensure recurrent monitoring of this process, because it must identify the risks and the processing operations and constantly verify the compliance of its activity with the GDPR standards.

In order to better structure the process of reflection regarding compliance, some entities or public bodies propose precise points of identification, such as the French National Commission for Information Technology and Civil Liberties (CNIL), which suggests the following six points:

• Identifying personal data processing and recording it in a register

• Appointing a person to lead the governance of your organisation's personal data

• Identifying the priority actions to be taken to comply with the GDPR

• Organising internal processes to ensure effective data protection

• Identifying and managing risks

• Documenting your compliance with the Regulation

MORI Milian
