ActiveDEMAND GDPR Compliance
What is GDPR?
The GDPR (General Data Protection Regulation) is a European privacy law adopted by the European Parliament and the Council of the EU in April 2016. The GDPR replaces the earlier European Union privacy directive known as Directive 95/46/EC (the “Directive”), which had been the basis of European data protection law since 1995.
A regulation such as the GDPR is a binding legal act that applies directly and in its entirety in every EU member state, unlike a directive, which each member state had to transpose into its own national law. The GDPR is an attempt to strengthen, harmonize, and modernize EU data protection law and enhance individual rights and freedoms, consistent with the European understanding of privacy as a fundamental human right. The GDPR regulates, among other things, how individuals and organizations may obtain, use, store, and delete personal data.
The GDPR was adopted in April 2016, but it only becomes enforceable on May 25, 2018.
Who does it apply to?
The GDPR will apply to any organization established in the EU that processes personal data, regardless of where the processing itself takes place, and to any organization outside the EU that offers goods or services to individuals in the EU or monitors their behaviour (for example, by tracking their activity on a website). Note that the test is whether the individuals are in the EU, not whether they are EU citizens. This means the GDPR could apply to any organization anywhere in the world, and all organizations should perform an analysis to determine whether or not they are processing the personal data of individuals in the EU. The GDPR also applies to all industries and sectors.
What is considered Personal Data?
Per the GDPR, personal data is any information relating to an identified or identifiable individual; meaning, information that could be used, on its own or in combination with other data, to identify an individual. Personal data therefore includes not only obvious identifiers such as names, national identification numbers, physical addresses, and email addresses, but also data such as IP addresses and other online identifiers (including cookie IDs and device IDs), behavioral data, location data, biometric data, financial information, and much more. Pseudonymized data (for example, a hashed email address) is still personal data if the individual can be re-identified with additional information.
What does Process Personal Data mean?
In the context of the GDPR, processing is “any operation or set of operations which is performed on personal data or on sets of personal data, whether or not by automated means, such as collection, recording, organisation, structuring, storage, adaptation or alteration, retrieval, consultation, use, disclosure by transmission, dissemination or otherwise making available, alignment or combination, restriction, erasure or destruction” (Article 4(2)). Basically, if you are collecting, managing, using, or storing any personal data of individuals in the EU, you are processing EU personal data within the meaning prescribed by the GDPR. Simply holding the data, even without ever looking at it, counts as processing.
What are the GDPR implications for marketers?
Individuals have the right to receive “fair and transparent” information about the processing of their personal data, including:
- Contact details for the data controller
- Purpose of the processing: This should be as specific (“purpose limitation”) and as narrow (“data minimization”) as possible. You should carefully consider what data you are collecting and why, and be able to demonstrate that to a regulator.
- Retention period: This should be as short as possible (“storage limitation”), and you should state either the period itself or the criteria used to determine it.
- Legal basis: You cannot process personal data just because you want to. You must have a “legal basis” for doing so, such as where the processing is necessary for the performance of a contract, the individual has given consent, or the processing is in the organization’s “legitimate interests” (which must be balanced against the individual’s rights). Under the GDPR, consent must be freely given, specific, informed, and unambiguous, so pre-ticked boxes and silence do not count. This means that marketers have to be very clear in their engagements as to what personal data is being collected and how it is being used, give the audience the opportunity to get more information, and honour their right to withdraw consent, to object to direct marketing, and to have their data erased (the “right to be forgotten”).
Does the GDPR say anything about cross-border data transfers?
Yes, the GDPR contains provisions that address the transfer of personal data from EU member states to third countries, such as the United States. The GDPR’s provisions regarding cross-border data transfers, however, do not radically differ from the provisions in place under the Directive. The GDPR, like the Directive, does not contain any specific requirement that the personal data of individuals in the EU be stored only in EU member states. Rather, the GDPR requires that certain conditions be met before personal data is transferred outside the EU, identifying a number of different legal grounds that organizations can rely on to perform cross-border data transfers, such as an adequacy decision, standard contractual clauses approved by the European Commission, or binding corporate rules. An adequacy decision is a decision by the European Commission that a country, territory, sector, or international organization ensures an adequate level of protection for personal data, so that transfers to it need no further authorization. At the time of writing, the EU-U.S. Privacy Shield framework constitutes one such example of an adequacy decision (note that the Court of Justice of the EU later invalidated Privacy Shield in July 2020, so organizations relying on it must move to another transfer mechanism).
How does this relate to ActiveDEMAND?
ActiveDEMAND is excited about the GDPR and the strong data privacy and security principles that it emphasizes, many of which ActiveDEMAND instituted long before the GDPR was enacted. As a Canadian company, ActiveDEMAND has had to help marketers comply with some of the toughest privacy legislation in the world. Canada’s Anti-Spam Legislation (CASL) came into force in 2014, and ActiveDEMAND helped Canadian companies prepare for it well before that date. At ActiveDEMAND, we believe that the GDPR is an important milestone for the EU and the rest of the world in the data privacy landscape. We are committed to achieving compliance with the GDPR on or before May 25, 2018.
As part of our GDPR preparation we are reviewing (and updating where necessary) all of our internal processes, procedures, data systems, and documentation. We have, among other things:
- Updated our Data Processing Agreement to meet the requirements of the GDPR in order to permit you to continue to lawfully transfer EU personal data to ActiveDEMAND and permit ActiveDEMAND to continue to lawfully receive and process that data;
- Updated our third-party vendor contracts to meet the requirements of the GDPR in order to permit us to continue to lawfully transfer EU personal data to those third parties and per