What’s GDPR & Who’s Affected?
On May 25th, 2018, the General Data Protection Regulation (GDPR) will enter into effect in the European Union. The new privacy laws will have a fundamental impact on how organizations handle data.
The GDPR replaces the previous EU Data Protection Directive with the intention of modernizing data privacy laws across Europe. Online surveys, which are at the forefront of any consumer, market, or employee research, also need to be made compliant with the updated regulations. However, GDPR applies to more than just market research organizations and reaches far beyond Europe.
If any part of your individual or organizational processes involves EU citizens' data, regardless of whether that processing occurs inside or outside of the EU, then the GDPR applies to you. Storing any personally identifiable data within those categories is considered a processing activity and requires GDPR compliance.
Principles of the GDPR
The GDPR is more than just checking boxes to avoid a high-dollar fine. The principles of the GDPR are written with the notion of changing how we perceive and treat personal data. The major principles under Article 5 of the GDPR include:
Lawfulness, fairness and transparency: Personal data shall be processed lawfully, fairly and in a transparent manner in relation to the data subject.
Purpose limitation: Personal data shall be collected for specified, explicit and legitimate purposes and not further processed in a manner that is incompatible with those purposes.
Data minimization: Personal data shall be adequate, relevant and limited to what is necessary in relation to the purposes for which they are processed.
Accuracy: Personal data shall be accurate and, where necessary, kept up to date.
Storage limitation: Personal data shall be kept in a form which permits identification of data subjects for no longer than is necessary for the purposes for which the personal data are processed.
Integrity and confidentiality: Personal data shall be processed in a manner that ensures appropriate security of the personal data, including protection against unauthorised or unlawful processing and against accidental loss, destruction or damage, using appropriate technical or organisational measures.
Accountability: The controller shall be responsible for, and be able to demonstrate compliance with, the GDPR.
Key Requirements of the GDPR
In preparation for the GDPR, AYTM has taken great strides to ensure we satisfy the following key requirements:
Personal Data: any information related to a natural person or data subject that can be used to directly or indirectly identify the person is classified as 'personal data'. Some examples of personal data include email addresses, photos, medical information, phone numbers, a device IP address or a mobile device ID.
Lawfulness of Processing: Article 6 of the GDPR requires that, in order for AYTM to process personal data, at least one of the following conditions must be met:
the data subject has given consent to the processing of his or her personal data for one or more specific purposes (explicit consent);
processing is necessary for the performance of a contract to which the data subject is party or in order to take steps at the request of the data subject prior to entering into a contract;
processing is necessary for compliance with a legal obligation to which the controller is subject;
processing is necessary in order to protect the vital interests of the data subject or of another natural person (e.g. medical data);
processing is necessary for the performance of a task carried out in the public interest or in the exercise of official authority vested in the controller (e.g. a population census);
processing is necessary for the purposes of the legitimate interests pursued by the controller or by a third party, except where such interests are overridden by the interests or fundamental rights and freedoms of the data subject which require protection of personal data, in particular where the data subject is a child.