In my last article, I explained that GDPR originated in Europe but that its impact will be felt by all global companies with any European contact data. I also covered that it takes effect in May 2018 and that you need to appoint a data protection officer to coordinate the project, and I provided a 10-point checklist to help you get the ball rolling.
In Part II, let’s look under the hood at some important factors that don't normally get mentioned. To prepare for GDPR, here’s a simple overview of 12 key changes marketers must consider.
1. Personal Data, Data Subject and Natural Person
Under GDPR, the term "natural person" replaces "data subject," and there is a much broader definition of "personal data" that includes various forms of personal or online identifiers.
2. IP Tracking
There is already significant debate about whether IP addresses constitute personal data. Various regulators and court cases have asserted this is the case, but further clarification will be required on this point, which will have massive ramifications for the online advertising industry.
3. Does ‘Natural Persons’ Apply to B2B?
While companies are not "Natural Persons," individuals who work at those companies are, so the GDPR will apply equally to consumer and business-to-business data.
4. Data Processing Changes Under GDPR
Processing means: "Any operation or set of operations which is performed upon personal data or sets of personal data, whether or not by automated means, such as collection, recording, organization, structuring, storage, adaptation or alteration, retrieval, consultation, use, disclosure by transmission, dissemination or otherwise making available, alignment or combination, restriction, erasure or destruction." This definition is very broad, and is likely to cover the vast majority of business activities using personal data.
5. Data Controller Changes Under GDPR
In effect, the organization that collects and processes the data will be the "data controller" and has the main responsibility for compliance and accountability for the data it holds.
6. Data Processor Changes Under GDPR
Under GDPR, "Processor" means: "A natural or legal person, public authority, agency or any other body who processes personal data on behalf of the controller."
There are new requirements in GDPR designed to make processors share the accountability for data protection compliance. They will also, for the first time, be jointly liable for breaches, which require compensation of individuals for damage caused by non-compliant processing.
7. Special Categories of Personal Data
(formerly called ‘Sensitive Data’)
Special categories of data are afforded extra protection under GDPR. These categories will, in most cases, require explicit consent for processing:
- Racial or ethnic origin
- Political opinions
- Religious or philosophical beliefs
- Trade-union membership
- Genetic data (new)
- Biometric data (new)
- Data concerning health or sex life
- Sexual orientation