General Data Protection Regulation (GDPR) – Questions and Answers – Part 2
Friday, June 12, 2020
We have extended our GDPR FAQ list with a second part, covering a few real-world scenarios and issues that people are facing, together with our responses to their queries.
If you are not sure what GDPR really is, please start with our first post, GDPR – A Complete Guide.
You can also refer to our FAQ – Part 1 for questions around the technical side of GDPR.
GDPR – Can I email potential customers?
If you send email campaigns, do marketing or simply run a business, you almost certainly process personal data. If at any point you process the personal data of individuals in the EU, that processing must be GDPR compliant, which means following the regulation's principles. Under GDPR, individuals have the right to be informed about what data you collect, why you collect it and how you intend to use it.
Potential customers fall into two groups: individual end clients and B2B business customers.
For business customers (B2B emails), the rules of PECR (the UK's Privacy and Electronic Communications Regulations 2003, which implement the EU ePrivacy Directive) apply: marketing emails to corporate subscribers do not require opt-in consent, although every message must still offer a way to opt out, and sole traders and some partnerships count as individual subscribers rather than corporate ones. GDPR still applies to the underlying processing, so you need a documented lawful basis (typically legitimate interests) for holding and using the contact details.
For individual end clients, opt-in consent is required. For an existing client, PECR's "soft opt-in" lets you market similar products or services if you obtained the address in the course of a sale, gave the person a chance to refuse at that point and include an opt-out in every message; otherwise, seek opt-in consent before sending anything further. For a new client, you must obtain consent before sending any business, marketing or sales email. A few points to consider before emailing a direct end client:
- Make sure the target audience is appropriate and valid.
- Explain your legitimate interest and intention in the mail.
- Give recipients a quick and easy way to opt out if they do not want further communication from you.
- Regularly cleanse and validate your records to stay compliant with GDPR.
GDPR- Do I only need consent if I’m sending bulk emails? What about individual outreach?
Let us keep this simple: there is no legal difference between bulk emailing and one-to-one emailing when it comes to cold outreach under GDPR and PECR. Even a "just reaching out" email to an individual needs prior consent (or, for a corporate recipient, a lawful basis and an opt-out) to be legal.
If you are unsure whether you have consent from a prospect to contact them, do not send the email.
How much are GDPR fines and penalties?
Failure to comply with GDPR can result in fines under a two-tier structure. For less serious infringements, such as failures in record-keeping, security measures or breach notification, the fine can be up to 10 million euros or 2 percent of the company's annual global turnover, whichever is higher. For the most serious infringements, such as violating the core processing principles, data subjects' rights or the rules on international transfers, the maximum is 20 million euros or 4 percent of worldwide annual turnover, whichever is higher.
The actual fine depends on the severity of the breach and on whether the company is deemed to have taken compliance and security seriously enough.
How much will GDPR compliance cost?
GDPR compliance costs depend on multiple factors and vary hugely. Ernst & Young reported that the world's 500 biggest corporations were on track to spend a combined total of $7.8 billion to comply with GDPR. Your roadmap to GDPR compliance will include some or all of the steps below, and the true cost will depend on how, and at what scale, each step is completed:
- Appointing a Data Protection Officer
- Maintaining a data inventory (records of processing activities)
- Gap assessment
- Policies and procedures
- Compliance monitoring and auditing
GDPR fines so far?
To date, companies have been fined millions of euros for GDPR violations. In January 2019 the French regulator CNIL fined Google €50 million. In July 2019 the UK Information Commissioner's Office (ICO) announced its intention to fine British Airways a record £183 million (about 1.5% of turnover) and Marriott £99 million over data breaches; at the time of writing those two penalties are notices of intent rather than final decisions. Many other fines have been imposed on companies for non-compliance.
Are GDPR fines insurable?
Under the two-tier structure, the most serious GDPR infringements can bring fines as high as €20 million or 4% of global annual turnover, whichever is greater. For other infringements, authorities can impose fines of up to €10 million or 2% of total worldwide annual turnover from the preceding financial year, whichever is higher.
Several carriers offer policies with coverage for GDPR fines and penalties to the extent they are insurable. Some legal commentators foresee no general prohibition on insuring GDPR fines, and insurers offering such coverage have signalled that they anticipate paying related claims where legally permissible. Whether a given fine is actually insurable, however, depends on the law of the jurisdiction concerned, and many jurisdictions treat regulatory fines as uninsurable on public policy grounds.
Regulatory coverage is of course subject to all of the policy's terms and conditions, most significantly the exclusion for "a wilful, intentional, deliberate, malicious, fraudulent, dishonest, or criminal act or omission", which typically applies only once a final judicial determination has established that the excluded conduct occurred.
Given that cyber insurance is still a relatively new product, there is no standard wording or extent of cover, and it is important for policyholders to understand the scope of their cover and, more importantly, its limits. Policyholders should review their cyber liability cover and check whether fines and penalties are covered "to the extent insurable by law" or are expressly excluded.
How GDPR affects companies?
GDPR sets a high standard for consent, which has a huge impact on organisations. Customers must be given choice and control over how their data is handled. To comply, you need to know how the GDPR defines personal data, where it is located in your business, how it is used, who can access it, where it is shared and much more.
Given the stringent compliance requirements and the need for a dedicated Data Protection Officer in many cases, most global firms face increased compliance costs and restrictions.
Why GDPR is important?
The General Data Protection Regulation became applicable on 25 May 2018 and changed how businesses view personal data. It carries huge financial penalties, potentially up to €20 million or 4% of annual global revenue, which no one can take lightly. Whilst the predecessor to the UK's Data Protection Act 2018 lacked bite, this is certainly not the case with GDPR.
The GDPR applies to all organisations established in the EU and to organisations outside the EU that offer goods or services to, or monitor the behaviour of, people in the EU. It therefore has extraterritorial effect, so businesses in non-EU countries are affected as well. The GDPR affects ANY business that collects, processes, stores or uses personal data of people residing in the European Economic Area (EEA), whether or not the organisation has an EEA headquarters and whether the processing takes place inside or outside the EEA. Whether you have European headquarters, only offices or customers in Europe, or simply handle the personal data of people in the EU, you need to adopt practices that ensure full compliance with this regulation.
Why GDPR is good for business?
Data is the new gold, and the GDPR is shifting the market and the way businesses operate towards a data-centric model rather than the earlier application-centric approach. A data-centric approach brings a number of long-term benefits at enterprise level: better data security, customer centricity, data localisation and indexing, increased brand value, increased client trust and more precise data handling.
- Increased security from GDPR compliance will not only save you from GDPR penalties, but also from legal issues and loss of brand value.
- Following the data-centric approach, clients move to a centralised system instead of distributed datasets. Such a centralised system is the base of a robust framework that can identify where all sensitive data is located within an organisation, even if it comes from multiple systems, segregate sensitive data from general information, and enhance access controls and security.
- The end customer becomes king and is given more priority than tools and technologies. This focus keeps clients and users happy, enhances client-provider trust and results in a better customer experience.
- A modern data-centric approach can leverage machine learning and artificial intelligence to integrate the full content of all data sets, structured and unstructured, establish relationships between them, annotate them with metadata and make them instantly searchable at lower cost. The same techniques can be used to establish patterns and trends and support forecasting, empowering the organisation to innovate and launch new products.
- As the saying goes, "necessity is the mother of invention". Implementing GDPR compliance (notices about data collection, the right to be forgotten, the right to data portability, the right to object and so on) is real work. Companies that had been avoiding automation and the latest releases must now find an easy-to-implement and easy-to-operate automated way to become compliant. It changes the complete architecture and process for how data is handled and maintained, and once the process is established and automated it benefits the organisation in the long term.
Why GDPR is bad?
Many companies are struggling to become GDPR compliant in a timely and effective manner. The rules of GDPR are very stringent and complying with them is challenging in itself. GDPR is not a "set it and forget it" law; it requires continuous diligence and assessment.
Restricting data access has become a challenge for security agencies too. Many cybersecurity professionals say that the restrictions have made it harder to investigate cyber crime. For example, after GDPR the public WHOIS records that investigators and police relied on to identify the owners of internet resources, such as websites and domains, were largely redacted.
It is also harder to identify data that was collected previously, where it is located and what has been shared with partners and vendors in the past.
Organisations whose core activities consist of regular and systematic monitoring of data subjects on a large scale, or of large-scale processing of special categories of data, as well as all public authorities, must appoint an appropriately qualified Data Protection Officer (the 250-employee threshold often quoted here actually relates to the record-keeping exemption in Article 30, not to the DPO requirement). This is again an additional expense for companies.
GDPR for India / Is GDPR applicable in India?
Indian companies and individuals that deal with people in the EU and store, process or share their data fall within the scope of GDPR. All such companies and individuals must abide by GDPR and follow its guidelines.
On the other hand, GDPR does not protect Indian citizens; it only covers the rights of people in the EU. As of May 2020 India has no comprehensive privacy law. The Personal Data Protection Bill 2019, modelled in part on GDPR, is under discussion and was expected to be passed in 2020; once enacted it would protect Indian citizens on similar grounds.
Will GDPR apply after Brexit?
The UK has until 31 December 2020 to negotiate its future relationship with the European Union. During the transition period, EU laws, including the EU GDPR (General Data Protection Regulation), continue to apply in the UK. UK organisations that process personal data are currently bound by two laws: the EU GDPR and the UK Data Protection Act (DPA) 2018. Both continue to apply until the end of the transition period on 31 December 2020.
The EU GDPR will no longer apply directly in the UK after the end of the transition period, but it will still matter. First, the UK has legislated to retain the GDPR in domestic law as the "UK GDPR", read alongside the DPA 2018, so the substantive obligations on UK organisations remain essentially the same. Second, the GDPR has extraterritorial reach: it applies to organisations outside the EU that offer goods or services to, or monitor the behaviour of, people in the EU. UK companies continuing to do business with the EU after Brexit will therefore need to comply with the EU GDPR as well to avoid violations.
Will GDPR come to US?
US-based companies such as Facebook, Google, WhatsApp and Microsoft, and professionals who deal with people in the EU and store, process or share their data, fall within the scope of GDPR and must abide by it and follow its guidelines. On the other hand, GDPR does not protect United States citizens; it only covers the rights of people in the EU.
As organisations such as Facebook have leaked more and more personal data, some of which has been misused, US citizens have started demanding privacy protections like those enjoyed in Europe. So far (as of May 2020) only one state, California, has responded, with the California Consumer Privacy Act (CCPA), which is now in effect. Although it is not as stringent as GDPR, it covers the major points of personal data protection. Federal bills, including a proposed Consumer Data Privacy Act, have been put forward in Congress, but a federal law covering the whole United States still seems a long way off.
GDPR where to complain?
Data subjects can lodge a complaint with the supervisory authority of the EU member state where they reside, where they work or where the alleged infringement occurred.
If you think your data protection rights have been breached, you have three options:
- Lodge a complaint with your national Data Protection Authority (DPA): the authority investigates and must inform you of the progress or outcome of your complaint within 3 months.
- Take legal action against the company or organisation: you can file an action directly in court against a company or organisation that you believe has violated your data protection rights. This does not stop you from also lodging a complaint with the national DPA.
- Take legal action against the DPA: if you believe that the DPA has not handled your complaint correctly, if you are not satisfied with its reply, or if it does not inform you of the progress or outcome within 3 months of the day you lodged your complaint, you can bring an action directly before a court against the DPA.
The European Data Protection Supervisor (EDPS) is the EU's independent data protection authority for the EU institutions, bodies and agencies. It ensures that the fundamental right to the protection of personal data is respected by those institutions. Complaints about an EU institution's handling of personal data can be filed directly with the EDPS.
The full text of the GDPR (Regulation (EU) 2016/679) is available as a PDF from EUR-Lex.
This website/document does not constitute professional advice. The information in this document has been obtained or derived from sources believed by dataprivacyacts.com to be reliable, but dataprivacyacts.com does not represent that this information is accurate or complete. Any opinions or estimates contained in this document represent the judgment of dataprivacyacts.com at this time and are subject to change without notice. Readers of this publication are advised to seek their own professional advice before taking any course of action or decision based on its contents, for which they are entirely responsible. dataprivacyacts.com neither accepts nor assumes any responsibility or liability to any reader of this publication in respect of the information contained within it or for any decisions readers may take, decide not to take or fail to take.
© dataprivacyacts.com. All rights reserved.