Listrak is committed to ensuring the success of our clients, which is why it is imperative to know that on May 25, 2018, a new privacy law, the General Data Protection Regulation (GDPR), takes effect in the European Union (EU). This law not only impacts companies that are located in the EU, but also companies that collect data from any person in the EU.
We are providing you with this GDPR resource, which summarizes the law. It is not a complete breakdown of the law or of how it may apply to your business. Listrak does not provide legal advice; however, we feel it is important to provide details on how the European Union General Data Protection Regulation will affect your business. We advise you to consult with your company’s legal team for additional details.
GDPR stands for the General Data Protection Regulation, which globally impacts the processing of all personal data of residents in the EU.
May 25, 2018
GDPR applies to your organization if you answer “yes” to any of the following questions:
Even if GDPR does not apply to your organization, you should plan to assess the impact of your company’s data processing practices and how they could affect the brand perception of the company.
The GDPR aims primarily to give control over personal data back to individuals in the EU and to simplify the regulatory environment for international business by unifying the regulation within the EU.
A controller is the entity that determines the purposes, conditions and means of the processing of personal data, while the processor is an entity which processes personal data on behalf of the controller.
DPOs must be appointed in the case of: (a) public authorities, (b) organizations that engage in large scale systematic monitoring, or (c) organizations that engage in large scale processing of sensitive personal data (Article 37). If your organization doesn’t fall into one of these categories, then you may still choose to appoint a DPO.
Any information related to a natural person or ‘Data Subject’ that can be used to directly or indirectly identify the person. It can be anything from a name, a photo, an email address, bank details, posts on social networking websites, medical information, or a computer IP address.
Organizations can be fined up to 4% of annual global turnover or €20 million for breaching GDPR. This is the maximum fine that can be imposed for the most serious infringements, e.g., not having sufficient customer consent to process data or violating the core of Privacy by Design concepts. There is a tiered approach to fines; e.g., a company can be fined 2% for not having its records in order (Article 28), for not notifying the supervising authority and data subject about a breach, or for not conducting an impact assessment. It is important to note that these rules apply to both controllers and processors, meaning 'clouds' will not be exempt from GDPR enforcement.
Listrak takes data privacy seriously. We have taken steps to enhance our products and services. Below, we’ve outlined what we’ve done: