The General Data Protection Regulation (GDPR) is a binding regulation created by the European Commission. The regulation, which came into effect on the 25th of May 2018, has replaced former European Union data protection directives and diverse national laws.
Affected businesses have to meet several requirements in relation to how they collect and use the personal data of EU citizens – whether or not the company itself is European.
The GDPR was introduced in order to strengthen the citizens' right to data protection and – in the longer run – to simplify the processes around this data for the organizations.
Complying with the GDPR involves comprehensive changes to your policies, processes and maybe even systems.
If yes, you are considered a data controller no matter where in the world you are located and have the main data protection responsibility under the GDPR. You need to meet several requirements.
If yes, you are considered a data processor. Regardless of where in the world you are, you have to meet several requirements under the GDPR:
By now you probably get the gist of it, but maybe there are some questions. Don't worry, we have listed 10 of the most common questions. Click to see the answers.
It all depends on whether you store or use personal data on European citizens. That goes, whether those citizens are customers, prospects or employees. If you have European employees, you probably store their names, addresses and bank information. Data like that is considered personal data in the eyes of the European Commission and you need to implement parts of the regulation, for instance, employees must give consent to the use of their data and have rights such as the right to rectification and you need to be able to document all of this to authorities.
It depends on the type of data you are processing. Can the data be used to identify individuals? If yes – and for most B2B companies, the answer will be yes – you are processing personal data in the eyes of the European Commission and need to comply on the same terms as B2C companies.
The simple answer is: Yes, you are. If you process personal data of European Union citizens, you need to comply no matter where you’re located – EU member or not.
No, not necessarily. Although an early draft of the GDPR specified that the exact number of 250 employees was the trigger for whether or not you need a DPO, the final regulation does unfortunately not have quite as clear guidelines for this. DPOs are mandatory for all public authorities, for organizations that conduct large-scale processing of special categories of personal data (such as health data), and where the core activities of a business involve "regular and systematic monitoring of data subjects on a large scale". Most large retailers fall under this definition. If you are unsure whether or not this applies to you, we suggest you seek legal advice.
Yes. The GDPR sets out a so-called “Data Storage Limitation”, meaning that personal data cannot be stored longer than is necessary for the processing purposes. Personal data may be stored for longer periods as long as the data will be processed only for archiving purposes in the public interest, or scientific and historical research purposes or statistical purposes.
Yes. It’s now a consumer right called the “Right to Data Portability”. The GDPR explicitly says: “The data subject shall have the right to receive the personal data concerning him or her, which he or she has provided to a controller, in a structured, commonly used and machine-readable format and have the right to transmit those data to another controller without hindrance from the controller to which the personal data have been provided.”
The GDPR has for sure a big impact on the way you do your marketing not to mention who you can target, and that goes whether you’re in B2C or B2B. The consent requirements ask of you to collect clear consent from each targeted individual that makes it clear that he or she is happy for you to use their data and market to them. Before, you could collect contacts and put them in your database and then use their data to further market to them on platforms and with purposes differing from where and for what the data was originally collected. With the GDPR, the consent has to be specific to that particular processing operation, meaning that you cannot request open-ended or blanket consent to cover future processing. If you want to market to someone in a new way, you will have to collect a new consent for this specific purpose. Furthermore, you need to properly manage all of these consents to be able to document it towards authorities upon request.
Yes, but the receivers have to live up to certain data protection standards. The GDPR permits personal data to be transferred to non-EU organizations and countries which have been found by the European Commission to provide an “adequate” level of protection or under certain circumstances, such as by use of standard contractual clauses or binding corporate rules (BCRs).
The GDPR is also created to make it simpler for organizations to manage personal data in a multinational environment and to minimize the risk of businesses being involved in seriously damaging data breaches. The GDPR has in most aspects replaced different national laws, with the aim of harmonizing data protection rules throughout Europe. Additionally, With the introduction of a “Supervisory Authority” in each member state, organizations have one place to go to with all their personal data-related issues.
Not complying can potentially result in huge fines. Sanctions for offences relating to control and mitigation are up to 10 million Euros or 2% of the total worldwide annual turnover while offences relating to rights and obligations are as high as 20 million Euros or 4% of turnover.
The foundation for complying with GDPR is that the personal data you collect, store and process is updated, accessible and has clear data governance programs and business rules applied. Master data management can help you do this, optimizing your personal data beyond the GDPR.
What is master data management (MDM)?
Master data management (MDM) is the core process used to acquire, organize, synchronize, enrich and share master data according to the business goals and operational strategies of your company.
Master data can take the form of product, customer, supplier, location and asset information, in addition to any information sources that drive your business.
The efficient management of master data in a central repository gives you a single authoritative view of information and eliminates costly inefficiencies caused by data silos.
MDM supports your business initiatives and objectives through identification, linking and syndication of information and content across products, customers, stores/locations, employees, suppliers, digital assets and more.
In sum, MDM provides the data transparency you need to run your business better and achieve compliance with regulations.
An MDM solution from Stibo Systems allows you to gain insights across several data domains and achieve synergetic effects.
Build trust with suppliers and partners through regulatory and industry compliance, and customer loyalty via adherence to data privacy standards.
Ensure data for critical decisions is accurate and updated via data governance, automate error-prone manual processes and guard against costly regulatory violations.
Fuel AI, IoT and real-time personalization initiatives with the high-quality data they demand. Drive brand differentiation and deliver greater value, success and ROI.
Proactively pivot or adapt to evolving markets or customer needs. Respond to challenges, quickly onboard products, add channels and manage expansion and M&A.