Listrak is committed to ensuring the success of our clients, which is why it is imperative to know that on May 25, 2018, a new privacy law, the General Data Protection Regulation (GDPR), becomes enforceable in the European Union (EU). This law applies not only to companies located in the EU, but also to companies outside the EU that collect or process the personal data of any person in the EU.

We are providing you with this resource for GDPR, which provides a summary of the law. This is not a complete breakdown of the law or of how it may apply to your business. Listrak does not provide legal advice; however, we feel it is important to provide details on how the European Union General Data Protection Regulation will affect your business. We advise you to consult with your company’s legal team for additional details.

1. What is GDPR?

GDPR stands for the General Data Protection Regulation, an EU regulation that governs the processing of the personal data of individuals in the EU, regardless of where in the world that processing takes place.

2. What is the date that GDPR will begin to be enforced?

May 25, 2018

3. Does GDPR impact my organization?

GDPR applies to your organization (Article 3) if you answer “yes” to any of the following questions:

  • Is your company established in the European Union, or does it process personal data in the context of the activities of an establishment in the EU?
  • Does your company offer goods or services to individuals in the EU, whether or not payment is required?
  • Does your company monitor the behavior of individuals in the EU, for example by creating a marketing profile based on their browsing or purchase history, or by predicting their propensity to purchase based on their activity?

Even if GDPR does not apply to your organization, you should still plan to assess your company’s data processing practices and how they could affect the brand perception of the company.


4. What is the reasoning behind initiating GDPR?

The GDPR aims primarily to give control over personal data back to individuals in the EU and to simplify the regulatory environment for international business by unifying the regulation within the EU.

5. Controller vs. Processor

A controller is the entity that determines the purposes and means of the processing of personal data, while a processor is an entity that processes personal data on behalf of the controller (Article 4). In the context of email marketing, a brand that decides what subscriber data to collect and why is typically the controller, and a service provider that stores or sends on the brand’s instructions is typically the processor.

6. Does my company need to appoint a Data Protection Officer?

A DPO must be appointed (Article 37) if: (a) the organization is a public authority or body, (b) its core activities consist of processing that requires regular and systematic monitoring of data subjects on a large scale, or (c) its core activities consist of large-scale processing of special categories of data (such as health, biometric, or other sensitive data) or of data relating to criminal convictions. If your organization doesn’t fall into one of these categories, you may still choose to appoint a DPO.

7. What is considered personal data?

Any information relating to an identified or identifiable natural person, the ‘Data Subject’, that can be used to directly or indirectly identify that person (Article 4). It can be anything from a name, a photo, an email address, bank details, posts on social networking websites, or medical information, to online identifiers such as an IP address, a device ID, or a cookie identifier.

8. What are the penalties for violating GDPR?

Organizations can be fined up to €20 million or 4% of total worldwide annual turnover for the preceding financial year, whichever is higher (Article 83). This is the maximum fine, reserved for the most serious infringements, e.g., processing without a valid legal basis such as sufficient customer consent, or failing to honor data subjects’ rights. There is a tiered approach to fines: a company can be fined up to €10 million or 2% of worldwide annual turnover, whichever is higher, for obligations such as not keeping records of processing in order (Article 30), not implementing data protection by design and by default (Article 25), not notifying the supervisory authority and data subjects about a breach (Articles 33 and 34), or not conducting a required data protection impact assessment (Article 35). It is important to note that these rules apply to both controllers and processors, meaning cloud and hosted service providers acting as processors will not be exempt from GDPR enforcement.

Steps to becoming GDPR compliant:

  • Consult your legal counsel.
  • Review the law to become more familiar with GDPR.
  • Assess your organization’s data processing practices (what personal data you collect, why, where it is stored, and who it is shared with) and outline the steps required to become GDPR compliant.
  • Develop a plan for obtaining and recording consent for both new subscribers and existing subscribers.
  • Develop a team of in-house GDPR experts.
  • Outline a plan, complete with timelines and ownership of activities, including consent management and handling of data subject requests.
  • Begin executing on the GDPR plan, and document the actions taken toward compliance so that you can demonstrate accountability.


Listrak's Commitment to Data Protection

Listrak takes data privacy seriously. We have taken steps to enhance our products and services. Below, we’ve outlined what we’ve done:

  • Listrak has self-certified under the EU-U.S. Privacy Shield and Swiss-U.S. Privacy Shield to accept transfers of personal information from the EU.
  • Listrak is developing a process to assist clients when responding to data subjects’ requests.
  • Listrak is evaluating data collection and use practices and working with clients and vendors to ensure GDPR readiness.


GDPR Resources

Listrak links to these resources as a convenience; always consult your company’s legal team for advice specific to your business.

Interested in speaking with us about GDPR? Email regulations@listrak.com.