General Data Protection Regulation (GDPR)
The General Data Protection Regulation (GDPR) is a regulation in EU law on data protection and privacy for all individuals within the European Union. It addresses the export of personal data outside the EU. The GDPR aims primarily to give control back to citizens and residents over their personal data and to simplify the regulatory environment for international business by unifying the regulation within the EU.
The GDPR is now in effect, and replaces the 1995 Data Protection Directive (Directive 95/46/EC).
It was adopted on 27 April 2016. It became enforceable on 25 May 2018, after a two-year transition period.
Unlike a directive, it does not require national governments to pass any enabling legislation and so it is directly binding and applicable.
Now that the GDPR is enforceable, it changes the way businesses collect, store and use customer data.
Questions to consider when deciding how the GDPR might affect your business and systems:
Are you collecting Personal Data?
If so, what data fields are needed and for what business processes?
Consider that consent is needed for each group of business processes. Example: You provide 3 main services:
- Track and certify that Member data meets industry certification requirements;
- Ability to pay membership dues and purchase products;
- Provide and track Member training and education.
Some data elements are needed in each process like First Name and Last Name. Some data elements are needed only for Training, like attendance dates and times or transcripts.
How are you logging consent? When and how is it given?
In what form is Personal Data being exported or stored outside of your systems?
When someone asks to be deleted, how will you maintain integrity of other records while still deleting the required data?
Example: If a customer requests deletion of their data, the First Name and Last Name can be deleted from the Contact record, but is the Contact record still required to be linked to past Invoices?
What do you do when that person comes back and allows their data to be stored again? Can you reconcile past records back to the original person?
Example: The Customer returns and wants to purchase a product again. Is their past history recoverable? Do you re-associate past invoices to the returning Customer?
How does the change in consent affect membership in marketing lists and efforts?
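One way to model the questions above in code, as an added example that is not part of the original page: a consent log keyed by purpose (one entry per service, plus marketing), an erasure that scrubs the identifying fields but keeps the surrogate key so past invoices still resolve, and reinstatement driven by an invoice number the returning customer supplies rather than by anything retained on your side. The purpose names, field names and sample invoice number are assumptions.

```python
from __future__ import annotations
from dataclasses import dataclass

# Purposes: the page's three services plus marketing (constructed purpose names).
PURPOSES = ("certification", "payments", "training", "marketing")


@dataclass
class Contact:
    contact_id: int            # surrogate key; kept after erasure so invoices stay linked
    first_name: str | None
    last_name: str | None
    email: str | None
    erased: bool = False


class Registry:
    def __init__(self):
        self.contacts: dict[int, Contact] = {}
        self.invoices: dict[str, int] = {}  # invoice number -> contact_id
        self.consent_log: list[tuple] = []  # (timestamp, contact_id, purpose, granted)
    def add_contact(self, cid, first, last, email, purposes, at):
        self.contacts[cid] = Contact(cid, first, last, email)
        self.record_consent(cid, purposes, True, at)
    def record_consent(self, cid, purposes, granted, at):
        # Append-only: this is the "how and when was consent given" log.
        for p in purposes:
            if p not in PURPOSES:
                raise ValueError(f"unknown purpose: {p}")
            self.consent_log.append((at, cid, p, granted))
    def has_consent(self, cid, purpose):
        # Latest log entry for this contact and purpose wins; no entry means no consent.
        for _, c, p, granted in reversed(self.consent_log):
            if c == cid and p == purpose:
                return granted
        return False
    def erase(self, cid, at):
        # Scrub the identifying fields but keep the row, so invoices still resolve.
        c = self.contacts[cid]
        c.first_name = c.last_name = c.email = None
        c.erased = True
        self.record_consent(cid, PURPOSES, False, at)
    def reinstate(self, invoice_no, first, last, email, purposes, at):
        # A returning customer proves continuity with an invoice number they hold.
        cid = self.invoices[invoice_no]
        self.contacts[cid] = Contact(cid, first, last, email)
        self.record_consent(cid, purposes, True, at)
        return cid
    def marketing_list(self):
        return [c.email for c in self.contacts.values()
                if not c.erased and self.has_consent(c.contact_id, "marketing")]
```

Note that the marketing list is derived from the consent log at query time, so a withdrawal or erasure drops the person from it without a separate clean-up step.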