The ABCs of GDPR

There is no shortage of blogs, podcasts, articles or opinions about the GDPR and how it is likely to be interpreted when it comes into effect in 2018. The following defines some of the key verbiage commonly used in GDPR discussions.

Consent: Any freely given, specific, informed and unambiguous indication of the data subject’s wishes by which he or she, by a statement or by a clear affirmative action, signifies agreement to the processing of personal data relating to him or her.

Controller: The natural or legal person, public authority, agency or other body which, alone or jointly with others, determines the purposes and means of the processing of personal data. In general, if you initiated the collection of personal data either directly or indirectly, then your organization is the ‘controller’ and liable under GDPR. Running a website, collecting customer data for a marketing campaign, interacting with your customers in a structured way, providing downloads in exchange for registration – all of these would be examples of your organization collecting data and acting as a ‘controller’.

Personal data: Any information relating to an identified or identifiable natural person (‘data subject’); an identifiable natural person is one who can be identified, directly or indirectly, by reference to an identifier such as a name, an identification number, location data or an online identifier, or to one or more factors specific to the physical, physiological, genetic, mental, economic, cultural or social identity of that natural person. If you are a ‘controller’ or ‘processor’ of personal data in an EU country, GDPR will apply to you for any data subject, regardless of their physical location. If you are a ‘controller’ or ‘processor’ anywhere in the world and you process personal data of a data subject who is resident in the EU, then GDPR will apply to you. There is no distinction between Business to Consumer (B2C) and Business to Business (B2B) personal data in this respect.

Personal data breach: A breach of security leading to the accidental or unlawful destruction, loss, alteration, unauthorized disclosure of, or access to, personal data transmitted, stored or otherwise processed.

Processing: Any operation or set of operations which is performed on personal data or on sets of personal data, whether or not by automated means, such as collection, recording, organization, structuring, storage, adaptation or alteration, retrieval, consultation, use, disclosure by transmission, dissemination or otherwise making available, alignment or combination, restriction, erasure or destruction. This definition covers all IT systems that contain personal data, regardless of whether those systems are on your own site, in a cloud or provided by a processor.

Processor: A natural or legal person, public authority, agency or other body which processes personal data on behalf of the controller. If you provide a service or system for your clients that contains their customers’ personal data, then you are a processor and are subject to the law. Examples are a market research firm, a marketing agency or a third-party service provider handling customer data on a company’s behalf. A controller will want to work closely with a processor (and may demand not only good GDPR compliance documentation but also liability responsibilities) to ensure that both the controller and the processor are compliant with GDPR. Note that the personal data a processor holds about its own client contacts makes the processor the ‘controller’ of that data.

Profiling: Any form of automated processing of personal data consisting of the use of personal data relating to a natural person, in particular to analyse or predict that natural person’s performance at work, economic situation, health, personal preferences, interests, reliability, behaviour, location or movements. If any of your IT systems apply rules, machine learning, advanced analytics or AI to personal data, then profiling is being performed.

Recipient: A natural or legal person, public authority, agency or another body, to which the personal data is disclosed.

Regulation: A legal act of the European Union which, on enactment, becomes enforceable as law in all member states simultaneously. GDPR becomes enforceable from May 25th, 2018, after a two-year transition period, and, unlike a directive, it does not require any enabling legislation to be passed by national governments; it is thus directly binding and applicable. So this is a law that could affect you. Whether your organization is affected by this regulation depends on whether you process ‘personal data’.

Restriction of Processing: The marking of stored personal data with the aim of limiting their processing in the future. This reflects a fundamental tenet of the new regulation: you should only collect and use personal data when it is absolutely needed.

Special Categories of Personal Data: Personal data revealing racial or ethnic origin, political opinions, religious or philosophical beliefs, or trade union membership, and the processing of genetic data, biometric data for the purpose of uniquely identifying a natural person, data concerning health or data concerning a natural person’s sex life or sexual orientation. There are exceptions in Article 9, but in general it is prohibited to process such data. Since it was not forbidden in the past, you may have inadvertently collected and be using such data.

And from Impexium… We’re here to help. At Impexium, we started to think about how GDPR would be measured and tested in early 2017. Since then, we’ve been working on becoming GDPR ready. And today, our industry-leading Association Management Solution (AMS) powers the association industry’s most forward-thinking and innovative organizations. We look forward to working together to make your organization’s GDPR journey a successful one.