The General Data Protection Regulation (GDPR) comes with strong implications for all kinds of industries, and the market research industry is no exception. Since personal data collection is an essential part of many research projects, professional researchers and their survey software providers need to prepare for the significant changes that are about to come. NIPO is convinced of the importance of GDPR compliance. Accordingly, we want to make sure that the NIPO organization and the Nfield platform are GDPR compliant. This is an important benefit for our customers; however, they will also have to make sure that their own organization and services are compliant. In order to help customers with this, NIPO will share information about GDPR and provide advice. We will also keep our customers updated on how we are working to be GDPR compliant. The GDPR becomes enforceable from 25 May 2018 after a two-year transition period, so get ready and read the most important GDPR information we selected especially for you. More blogs will follow in the near future.
GDPR protects EU citizens' privacy
GDPR is a new piece of regulation which will become law across the EU in May 2018. It replaces the 1995 EU Data Protection Directive. The aim of GDPR is to protect the fundamental rights and freedoms of all EU citizens, in particular their right to the protection of personal data. It is a response to the public outcry over privacy and over the common practice of some companies trading access to personal data for use of their services.
As a result, GDPR has been designed to give people more control over how their personal data is used and introduces tougher fines for non-compliance and breaches. It also makes data protection rules more or less identical throughout the EU.
Territorial and business scope
GDPR applies to any company that collects data from EU citizens regardless of the company’s location and country of origin. Typically, you can then think about four business scenarios:
- The company resides or is located in the EU and collects data from EU citizens – GDPR applies.
- The company resides or is located outside the EU (Asia, Americas, Australia, Africa) and collects data from EU citizens – GDPR applies.
- The company resides or is located in the EU and doesn't collect data from EU citizens – GDPR doesn't apply.
- The company resides or is located outside the EU (Asia, Americas, Australia, Africa) and doesn't collect data from EU citizens – GDPR doesn't apply.
What matters is whether the company deals with data belonging to EU citizens.
Who is who in data collection
GDPR defines two roles: controllers and processors.
A data controller determines the purpose (why) and means (how) of the processing, while a processor is responsible for doing the actual processing of the data on behalf of the controller. So the controller could be any organization, from a profit-seeking company to a charity or government. A processor could be for example an IT firm doing the actual data processing.
Both controllers and processors have a responsibility to abide by the rules provided in GDPR. What's new is that GDPR places direct compliance obligations on data processors for the first time at an EU-wide level. So, data processors are now subject to liability if they fail to comply with their contractual obligations to their controllers (e.g. failure to report a data breach).
Personal data definition
Before GDPR, the directive defined personal data as any information relating to an identified or identifiable natural person.
GDPR specifies and broadens the definition of personal data to include online identifiers (cookies, IP addresses etc.), genetic data (an individual's gene sequence), biometric data (fingerprints, retinal scans etc.) and location data (GPS etc.).
Other data, like economic, cultural or mental health information, is also considered personally identifiable information. Genetic and biometric data are considered sensitive personal data under GDPR.
Stricter rules for consent
GDPR significantly toughens consent rules. Under GDPR, consent must be an active, specific, informed and unambiguous action taken by the EU citizen. This also means that the passive acceptance methods, such as pre-ticked boxes and opt-outs, are not allowed anymore. Also, controllers must keep a record of how and when an individual gave consent so that they can demonstrate exactly what and when someone agreed to.
Opt-out consent, also known as giving consent by not declining to give consent, means that an individual is given the option to decline consent; if the individual does not clearly decline consent, consent is granted. Pre-ticked boxes are boxes ticked in advance by the company, which takes the active consent action away from the individual.
New rights for EU citizens
Ultimately, GDPR puts the control of personal data back into the hands of EU citizens by introducing a number of new rights that bolster their position. The new rights especially affect how controllers can process and keep people’s data.
- The right to data access – EU citizens have the right to access any information a company holds on them, and the right to know why that data is being processed, how long it's stored for, and who gets to see it. Companies must be ready to provide such information within one month of the EU citizen's request being submitted.
- The right to be forgotten – EU citizens have the right to demand that their data be deleted if it is no longer necessary for the purpose for which it was collected. They can also demand that their data be erased if they have withdrawn their consent for their data to be processed. The controller is responsible for telling other companies with which the data has been shared to delete any links to copies of that data, as well as the copies themselves.
- The right to prevent profiling – means that it is not allowed to process and connect data from different sources with the intention of creating the profile of an EU citizen and using such composite information.
- The right to rectify – EU citizens can ask that inaccurate data be rectified or incomplete data be updated.
- The right to data portability – allows EU citizens to obtain their data from the controller it was provided to, and reuse their personal data for their own purposes across different services. It allows them to move, copy or transfer personal data easily to another controller in a safe and secure way, without hindrance to usability.
Rising fines
It is the responsibility of the controller to inform the local data protection authority of any data breach that risks people's rights and freedoms within 72 hours of the company becoming aware of it. Those who fail to meet the 72-hour deadline could face a penalty of up to €10 million or 2% of their global annual turnover, whichever is higher.
For violations related to the lawfulness of processing (consent, legitimate interest etc.), data subject rights, and cross-border transfers, the data protection authority could issue a penalty of up to €20 million or 4% of their global annual turnover, whichever is higher.
Questions you need to ask and why they are important
There are several questions companies need to ask and answer in order to begin the process of compliance with GDPR. Below you will find some questions that need to be considered:
1. What is the relationship between my company and NIPO: are we controllers or processors?
In the relationship between your company and NIPO, your company is the controller and NIPO is the processor. This means your company determines what data needs to be collected, and the purpose of collecting the data, and then NIPO processes the data collected on the Nfield platform.
2. Does my company process personal data?
The first thing any company needs to know is whether or not it processes personal data. This is relevant in order for the company to identify what type of personal data it has: Does it include sensitive data? Where is the personal data stored? Who has access to this data? Is this data shared with third parties? Do you transfer the data outside the EU? Knowing the answers to these questions will improve efficiency, and enable you to access the data and act on it quickly and reliably.
3. Which lawful basis for processing is used by my company?
GDPR provides several lawful bases (consent, legitimate interests etc.) for the processing of personal data. The company needs to identify which one it uses to process personal data. It is important to identify the lawful basis you use for processing because it has an effect on individual rights. For instance, if you rely on someone’s consent to process their data, they will generally have stronger rights (e.g. request to have their data deleted).
4. Does my company have any procedures in place to handle data subjects’ requests?
Is there software already in place that allows data subjects to exercise their rights (e.g. the right to be forgotten), and is there a timescale for responding to data subjects' requests (e.g. the right of access)? Knowing whether you already have procedures will enable you to respond quickly to data subjects' requests, and if there aren't any procedures in place, then you can begin to work on putting new procedures in place.
5. Is my company prepared for a data breach?
In case of a data breach, do you have mechanisms in place that detect data breaches? Are there any processes in place to address data breaches? This is important because if you have mechanisms to detect data breaches, you can address the breaches quickly and, where appropriate, mitigate their possible adverse effects effectively.
This was the first of a series of blogs on GDPR becoming effective. Watch out for our regular updates. If you have any questions in the meantime, please get in contact with our Sales team by sending an email to sales@nipo.com.
Disclaimer: This blog is made available by NIPO for the purposes of providing general information and a general understanding of GDPR, and should not be considered or used as a substitute for legal advice. NIPO does not accept any responsibility or liability for the accuracy, completeness, legality, or reliability of the information contained on this blog.