On May 25, 2018 the GDPR (General Data Protection Regulation, the EU privacy law) will take effect. It is a European Union law, but its reach is not limited to the EU: whether your business is EU-based or your company is located anywhere else in the world but processes the personal data of EU citizens, you will be affected by the GDPR.
To help you better understand this complex topic, the Kloudymail team will publish a series of progressively deeper articles.
When will the GDPR become enforceable?
The new European Union privacy law (GDPR) was approved about two years ago, but it takes effect on May 25, 2018.
What changes when the GDPR enters into force?
The GDPR regulates how your organization uses the personal data of EU citizens. You need to comply with the GDPR if you collect, change, transmit, erase, or in general process this kind of personal data, since natural persons should have control of their own personal data.
The GDPR states that the effective protection of personal data throughout the European Union requires the strengthening and setting out in detail of the rights of data subjects and the obligations of those who process and determine the processing of personal data, as well as equivalent powers for monitoring and ensuring compliance with the rules for the protection of personal data and equivalent sanctions for infringements in the Member States.
When it comes to informing citizens, the law requires that requests for personal data and the related information be clear, concise and not unnecessarily disruptive to the use of the service for which they are provided.
How does the GDPR change how we collect personal data?
Generally speaking, and in particular for e-mail marketing, nothing really changes in how personal data is collected. In other words, the double opt-in process will still be acceptable after May 25, 2018. Any person whose personal data is processed must be informed about it, and we will have to make sure that people understand the scope of the processing and every operation we are going to perform on that data.
What is the so-called “Assessment”?
The Data Protection Impact Assessment (DPIA) is one of the specific processes mandated by the GDPR. Organisations must carry out a DPIA where a planned or existing processing operation is likely to result in a high risk to the rights and freedoms of individuals. In practice, the DPIA helps you find and fix problems at the early stages of a project, reducing the costs and the damage to reputation that might otherwise accompany a data breach.
And what about Authorities?
Speaking of the Authorities, there is no single answer. In fact, the GDPR does not establish a single European Authority; instead, it says that the national Authorities in the Member States are called upon by Union law to cooperate and exchange personal data so as to be able to perform their duties or carry out tasks on behalf of an authority in another Member State.
So far everything looks clear, right? In any case, don't worry: this is just the first chapter of a well-structured series, because we want to spare you any trouble in managing personal data in the age of the GDPR.