The General Data Protection Regulation (GDPR) became enforceable on May 25, 2018, and has increased oversight for global privacy rights and compliance. We have prepared our business to embrace GDPR.
What is GDPR?
By now, you have likely heard of GDPR: the General Data Protection Regulation, a European privacy law approved by the European Commission in 2016. GDPR will replace a prior European Union privacy directive known as Directive 95/46/EC (the “Directive”), which has been the basis of European data protection law since 1995.
A regulation such as GDPR is a binding act, which must be followed in its entirety throughout the EU. GDPR is an attempt to strengthen, harmonize, and modernize EU data protection law and enhance individual rights and freedoms, consistent with the European understanding of privacy as a fundamental human right. GDPR regulates, among other things, how individuals and organizations may obtain, use, store, and erase personal data. It will have a significant impact on businesses around the world.
When did GDPR go into effect?
GDPR was adopted in April 2016, and became officially enforceable on May 25, 2018.
Who is Affected by GDPR?
GDPR will affect (1) all organizations established in the EU, and (2) all organizations involved in processing personal data of individuals residing in the EU. The latter is GDPR’s introduction of the principle of “extraterritoriality”; meaning, GDPR will apply to any organization processing personal data from the EU, regardless of where its processing takes place. This means GDPR could apply to any organization anywhere in the world, and all organizations should perform an analysis to determine whether they are processing personal data from the EU. GDPR also applies across all industries and sectors.
You should consult with legal and professional counsel regarding the scope of your obligations. In general, if your organization is in the EU, or is processing personal data of EU citizens or from the EU, GDPR applies to you.
What is the scope of GDPR?
The scope of GDPR is broad, and affects all personal data. Personal data is any information relating to an identified or identifiable individual; meaning, information that could be used, on its own or in conjunction with other data, to identify an individual. Consider the broad reach of that definition. Personal data now includes not only data that is commonly considered to be personal in nature (e.g., social security numbers, names, physical addresses, email addresses), but also data such as IP addresses, behavioral data, location data, biometric data, financial information, and much more. This means that, for Metadata users, a majority of the information that you collect about your subscribers and contacts is considered personal data under GDPR. Even personal data that has been “pseudonymized” can be considered personal data if the pseudonym can be linked to any individual.
Sensitive personal data (e.g., health information, or information that reveals a person’s race or ethnic origin) will require even greater protection. You should not store any data of this nature within Metadata’s platform.
What are the consequences of non-compliance?
Non-compliance with GDPR can result in significant penalties. Sanctions for non-compliance can be as high as 20 million euros or 4% of global annual turnover, whichever is higher.
What does Metadata do to be compliant with GDPR?
Metadata has determined that it is subject to GDPR, and was fully compliant with GDPR by May 2018, so our customers can confidently use our platform, knowing that their business partner abides by GDPR principles.
Metadata started GDPR preparation a long time ago, and, as part of this process, is reviewing (and updating where necessary) internal processes, procedures, systems, and documentation to ensure that we are ready when GDPR goes into effect. While much of our preparation is happening behind the scenes, we are also working on a number of initiatives that will be visible to our users. Metadata will, among other things, be:
In addition, Metadata will be prepared to address any requests made by our customers related to their expanded individual rights under the GDPR, including:
Differences between data controller and processor
If you access personal data, you do so as either a controller or a processor, and there are different requirements and obligations depending on which category you are in. A controller is the organization that determines the purposes and means of processing personal data. A controller also determines the specific personal data that is collected from a data subject for processing.
A processor is the organization that processes the data on behalf of the controller.
GDPR has expanded the responsibilities of each party.
Controllers are responsible for data protection (including the obligation to report data breaches to data protection authorities); however, GDPR does place some direct responsibilities on the processor, as well. Accordingly, it is important to understand whether you are acting as a controller or a processor, and to familiarize yourself with your responsibilities accordingly.
In the context of Metadata and our related services, in the majority of circumstances, our customers are acting as controllers. Our customers, for example, decide what information from their contacts or subscribers is uploaded or transferred into their Metadata account.
Cross-border data
GDPR contains provisions that address the transfer of personal data from EU member states to third-party countries, such as the United States. GDPR’s provisions regarding cross-border data transfers, however, do not radically differ from the provisions in place under the Directive. GDPR does not contain any specific requirement that the personal data of EU citizens be stored only in EU member states, but GDPR requires that certain conditions be met before personal data is transferred outside the EU, with several different legal grounds that organizations can rely on to perform cross-border data transfers.
One legal ground for transferring personal data set out in GDPR is an “adequacy decision.” An adequacy decision is a decision by the European Commission that an adequate level of protection exists for personal data in the country, territory, or organization to which it is being transferred. Metadata is committed to treating all personal data received from the EU in accordance with GDPR requirements.
For Metadata customers, it means that our EU customers can continue to rely on Metadata to transfer their lawfully obtained personal data to Metadata under GDPR.
Metadata’s use of third parties to process data
Metadata, like any other business, currently uses third parties to provide various business functions such as business analytics, cloud infrastructure, email notifications, payments, and customer support. Prior to engaging with any third party, Metadata evaluates its GDPR position, and executes an agreement requiring it to maintain minimum acceptable security practices.
Table of GDPR requirements for Metadata and its customers: