Most likely, you have heard about the upcoming new legislation on the processing of personal data. This General Data Protection Regulation (GDPR) takes effect on May 25th, 2018, and has a big impact on Market Research, as well as on other industries.
In many market research projects personal data is collected, which means you need at least a basic understanding of what GDPR entails. In this article we want to inform you about steps you can take to ensure you comply with the new legislation and avoid potentially high penalties.
What is the GDPR?
The General Data Protection Regulation (GDPR) is a regulation by which the European Parliament, the Council of the European Union and the European Commission intend to strengthen and unify data protection for all individuals within the European Union (EU). The GDPR aims primarily to give citizens and residents back control over their personal data. Personal data is any information relating to an identified or identifiable natural person (the data subject); this includes name and email address, but also IP address, location data, gender, financial data, medical records, etc.
In this light, we can define three roles:
Data Subject - the person about whom the data is stored
Data Controllers - the natural or legal person, public authority, agency or another body which, alone or jointly with others, determines the purposes and means of the processing of personal data.
Data Processors - the natural or legal person, public authority, agency or another body which processes personal data on behalf of the controller.
In the case of Nebu and your company, you are the Data Controller, and Nebu typically acts as Data Processor.
Controllers and processors have a joint responsibility to abide by the rules provided in GDPR.
According to Article 5 of the EU GDPR, the controller shall be responsible for, and be able to demonstrate compliance with, the principles relating to the processing of personal data (which are: lawfulness, fairness and transparency; data minimization; accuracy; storage limitation; and integrity and confidentiality of personal data).
Data processors need to implement the necessary controls to ensure that they comply with the GDPR, as well as enable the data controller to do so. In Q1 of 2018, Nebu will share tips and tricks with its clients on how to further ensure compliance in practice.
What is the impact of GDPR?
GDPR introduces several changes compared to the current situation. Most notably:
The right to data access - EU citizens will have the right to access all personal information a company holds on them, as well as to know how long it is stored, why that information is kept and who has access to it. This information must be provided to any ‘Data Subject’ who requests it, within one month after the request is submitted.
The right to be forgotten - EU citizens can demand their data be deleted if the personal data are no longer necessary in relation to the purposes for which they were collected or otherwise processed, or if they withdraw consent on which the processing was based originally.
The right to rectify data - EU citizens can request that incorrect data be altered/rectified or that incomplete data be updated.
The right to prevent profiling - it is no longer allowed to process personal data for the purpose of evaluating certain personal aspects relating to a natural person without consent.
It is highly recommended to review whether your company has processes in place to deal with the above-mentioned requests.
In future blogs, we’ll be addressing related topics like Data Breaches, Privacy by design and default, the Data Processing Agreement (DPA), and how you can comply with the aforementioned requests from “data subjects” within the Nebu suite.
Disclaimer: This blog was created by Nebu in order to provide a high-level, general understanding of GDPR, and should by no means be considered or used as a substitute for legal advice. Nebu does not accept any responsibility or liability for the accuracy, completeness, legality, or reliability of the information contained on this blog.