The EU General Data Protection Regulation (GDPR) is a new regulation that addresses the collection, use, processing and transfer data of the personal data of European Union citizens.
It applies to all European Union member states and any entity that transfers the personal data outside of the European Union.
GDPR is a major concern for market research and insights organizations as:
- Research is global.
- Market research and insights organizations often collect personal data.
- Personal data is often transferred by market research and insights organizations across international borders.
If your company collects personal data from European Union citizens, GDPR applies to you.
Essential steps to address
Below are some of the steps Cint has addressed. We suggest that any organization interested in GDPR compliance, address these as well:
- Build company awareness and obtain management support
- Perform a Data Protection Impact Analysis (DPIA)
- Appoint a Data Protection Officer (DPO)
- Review and document the data you hold and process
- Review and update the communication of privacy information (privacy policies or notices)
- Address the rights of Data Subjects, including subject access requests
- Review the legal basis for data processing
- Address the requirements with respect to consent
- Review the requirements with respect to children
- Address data breach requirements
- Address data protection by design
- Identify an enforcement agency
Questions about the GDPR
As a global company whose day-to-day business deals with the collection and processing of personal data, data protection compliance, including GDPR is a focus for Cint and our clients and partners.
Below are some of the questions (with answers) that we’ve received from clients and partners:
The General Data Protection Regulation (GDPR) is a European Union Regulation (Regulation (EU) 2016/679) concerned with the protection and free movement of personal data and the rights of individuals, including children. It replaces the EU Data Protection Directive (95/46/EC) from 1995. As a regulation, the GDPR is a binding legislative act, unlike a directive, which sets out a goal for EU member states to achieve.
After four years of preparation and debate the GDPR was approved by the EU Parliament on the 14th of April 2016 and entered into force on the 25th of May 2016. The enforcement date will be the 25th of May 2018 – at which time those organizations in non-compliance will face heavy fines.
A regulation is a binding legislative act. It must be applied in its entirety across the EU, while a directive is a legislative act that sets out a goal that all EU countries must achieve. With a directive, it is up to the individual countries to decide how. It is important to note that the GDPR is a regulation, in contrast to the previous legislation, which is a directive.
The GDPR not only applies to organizations located within the EU but also to organizations located outside of the EU if they offer goods or services to, or monitor the behavior of, EU data subjects. It applies to all companies processing and holding the personal data of data subjects residing in the European Union, regardless of the company’s location.
As EU Data Privacy Directive, the GDPR includes the concepts of a data controller and a data processor. A data controller is an entity that determines the purposes, conditions and means of the processing of personal data, while a data processor is an entity that processes personal data on behalf of the controller.
Personal data is any information related to a natural person or ‘Data Subject’, that can be used to directly or indirectly identify the person. Personal data can be anything from a name, a photo, an email address, bank details, posts on social networking websites, medical information, a device IP address or a mobile device ID.
The conditions for consent have been strengthened. The request for consent must be given in an intelligible and easily accessible form, with the purpose for data processing attached to that consent, meaning it must be unambiguous. Consent must be clear and distinguishable from other matters and provided in an intelligible and easily accessible form, using clear and plain language. It must also be as easy to withdraw consent as it is to give it.
Data breaches which may pose a risk to individuals must be notified to the Data Protection Authority (DPA) within 72 hours and to affected individuals without undue delay.
Parental consent will be required to process the personal data of children under the age of 16 for online services; member states may legislate for a lower age of consent but this will not be below the age of 13.
GDPR applies to any US company that collects personal data from EU citizens and transfers it out of the EU. An important note for US companies that use the Privacy Shield Framework is that Privacy Shield only addresses the data transfer requirement. A US company, like any companies in the EU must comply with all the requirements of GDPR.
The UK Government has indicated it will implement an equivalent or alternative legal mechanisms (to GDPR). The expectation is that any such legislation will largely follow the GDPR, given the support previously provided to the GDPR by the ICO (the Data Protection Officer in the UK) and UK Government as an effective privacy standard.