What is GDPR and What Does it Mean for My Organization?

by Joanna Pineda Posted on April 5, 2018

Guest post by Tanya Kennedy Luminati, MatrixMaxx Product Manager

There is a new acronym taking the world by storm right now: GDPR

If you’re in Europe, you’ve probably heard of this. If you’re here in the United States, you may not have heard of it … yet. But the concepts of Privacy and Security that it champions are moving to center stage all over the globe, so it is important that we all pay attention and start our process shift now.

What is GDPR?

The nations of the European Union (EU) take privacy very seriously, and each country previously had its own laws. The General Data Protection Regulation (GDPR) was approved by the EU Parliament in 2016 in order to unify the various data privacy laws across Europe. The EU has a dedicated website where you can read the full GDPR details, and it is quite a long read.

Who does GDPR apply to?

If you hold and process any personally identifiable information (PII) in any of your systems for anyone living in the EU, this impacts you.

PII is any data that can be used on its own or with other information to identify a particular individual: name, phone, email, address, etc. Processing is just about anything you do with that data. Any type of marketing, for example, is considered to be processing. The GDPR states that you can’t process PII data unless you have lawful grounds to do so. The GDPR affects your systems, your processes, your data, your customers/members, your 3rd party vendors, and your partners.

Doesn’t GDPR only apply to European-based Companies?

No. It applies to any organization offering goods/services to EU residents. The EU refers to this concept as Increased Territorial Scope (extraterritorial applicability).

When do these new regulations go into effect?

GDPR actually started 2 years ago. However, enforcement doesn’t begin until May 25, 2018. So, being human, everyone has waited until the last minute to grasp these new regulations with both hands.

What are the key facets of GDPR?

You must have grounds for the lawful holding and processing of data. These include:

Consent is getting a great deal of attention as marketing now requires explicit “provable consent” in order to be considered lawful under the GDPR. For example, if you haven’t explicitly asked an EU resident in your database if they’d like to hear about some of your upcoming events, you probably can’t lawfully market to this person!

Other important facets beyond the concept of lawful processing and consent include:

Are Membership Organizations (Trade Associations, Professional Societies), Not-for-Profits, and Non-Profits exempt from GDPR?

No. They are not exempt.

But … Wouldn’t someone joining my association as a member be implicitly giving me lawful grounds to process their data?

Not necessarily. If they join as a member, it would probably be lawful processing to send them a confirmation of their membership, but you can’t start marketing association products and services to them without consent. This is an area where a GDPR consultant could be useful to you, if you have a lot of EU residents in your data or you actively market/appeal to persons living in the EU.

How is GDPR going to be enforced?

The penalties and fines, which will kick in starting May 25, 2018, are steep. There are obvious ways that EU-based organizations and foreign organizations with EU locations can be penalized. The question of how external organizations will be held to GDPR compliance is being discussed in a variety of articles and posts.

Next up, we’ll discuss how to become GDPR compliant. Stay tuned!

This is the first of several Matrix installments on GDPR, Privacy, and Security. Please note: we at Matrix are not lawyers or GDPR consultants; do not take this info as absolute. Use this information as a starting point in:

3 replies on “What is GDPR and What Does it Mean for My Organization?”

The EU implementing privacy laws like GDPR is them adjusting with the times. Creating a law to protect the data and services of customers should be a universal idea, especially with the rise of cryptocurrency. Thank you for sharing, I can’t wait to see how business owners can remain compliant with these new regulations.

The possibility of GDPR going global is great news, especially with the issues Facebook just had with people’s personal information. I try my best to be smart with the information I share online, also keeping my antivirus software and firewall up to date. Data breaches and cyberattacks are happening daily, snatching up personal and banking information that can later be exploited. Hopefully the penalties that GDPR plans to hand out will force companies to take more action in protecting their customers.