GDPR and You – An Introduction – Part Two
In part one of our introduction to GDPR, we looked at how GDPR will have an effect not only on those businesses that are based in the EU but also those companies from outside the region that have business interests there. In this week’s article, we will delve even deeper into content management systems and personal data, as well as some of the new ways in which individuals will have their rights extended. As with last week, this article is organized into questions and answers to help you find your way around this tricky topic even better. So let’s get stuck into some of the nitty-gritty of GDPR.
In terms of content management systems, in what way will GDPR affect how companies do their business?
Firstly, it is important to point out that there are many features in content management systems that work with personal data. You should start with these features, which can include personal data, such as the type of email, newsletter subscriptions, or web analytics. For example, as I wrote last week, with web analytics, you must be aware of whether and what type of consent you need to have. Moreover, you might need to know what the visitor’s nationality is—these factors are important when assessing the applicability of the GDPR for a visitor from a particular country. For email marketing, you need to collect the email address lawfully, for example, you need to get proper consent from the data subject to use their email to send newsletters, etc.
And there are new rights that the data controllers must be capable of providing the data subject with. For example, the right that the data subject can request a copy of all the personal data you collect about them. Your CMS should be able to export the data to give it to the client. And the data subject also has the right to take all of that data you give them somewhere else and upload it into a different CMS. So the content management system must be able to export and also import the data.
Should organizations appoint a Data Protection Officer (DPO)? Is there a workaround?
This depends on the type of the organization. In general, there are three different scenarios in which a company has to appoint a DPO.
- The first one is if the processing is carried out by a public authority or body.
- Secondly, for private companies, the conclusion depends on whether their core activity depends on them collecting and processing personal data, meaning, those are the key operations necessary to achieve the controller’s or processor’s goals. They have to appoint a DPO if their core activities require the systematic and regular monitoring of data subjects on a large scale.
- The third thing is if, as a core activity, the organization processes special categories of personal data (sensitive data) or personal data relating to criminal convictions and offenses. By special categories of data, GDPR means things such as “personal data revealing racial or ethnic origin, political opinions, religious or philosophical beliefs, or trade union membership, and the processing of genetic data, biometric data for the purpose of uniquely identifying a natural person, data concerning health or data concerning a natural person's sex life or sexual orientation shall be prohibited.”
- One thing that might exempt many companies is the large-scale criterion—although it is not 100% clear what this means. However, there is an opinion of the special Article 29 Working Party, which is an EU body interpreting data protection rules. It published examples of large-scale work, such as: “processing of customer data in the regular course of business by an insurance company or a bank, processing of personal data for behavioural advertising by a search engine or processing of data (content, traffic, location) by telephone or internet service providers.” They believe a lot of companies that are not undertaking such sizes of work will be exempt from the large-scale criterion.
- Although many companies are exempt based on previous criteria, it can still change based on the Member State’s national legislation. For instance, in Germany, where the conditions for DPO appointment are usually stricter.
What rights will individuals have under GDPR?
I have already mentioned data portability rights. Then there is the right to have personal data processed lawfully. There are notification rights, where an individual must be informed that their personal data will be processed and they can ask companies directly whether they are using their personal data. Then there is the most famous right – the right to be forgotten or the right to erasure. It means that data subjects have the right to demand that a data controller erases all personal data they have about them. However, there are situations in which the data controller is not obliged to erase the personal data, such as freedom of expression and information, public interest, etc. And, of course, the CMS must be able to do this. And it also includes other places where the company has shared the information, for example, CRMs, as well as to other subcontractors or parties.
Everyone talks about GDPR as if it is the devil incarnate. What are the positive aspects of it?
Individuals will have a lot of rights and power over which personal data is collected. It should make things as transparent as possible. And if a person consents with personal data being processed, they consent with something they understand and of which they know the consequences. The EU accepts that personal data has value and it’s necessary to protect it and keep it secure. Plus, there is the clarity of responsibility. And companies that state that they are fully GDPR compliant, then the impact could mean the reputation of the company increases. So it is not all doom and gloom.
Some of these topics have a far-reaching impact on the businesses of many of our readers. We would love to know your opinion on the points raised. In terms of readiness, are there any factors that you have started to address, or are there some that you are dreading? Share your thoughts with us. We would be interested to hear what you have to say.
By Duncan Hendy in Development
Posted: Wednesday 02 August 2017