New Year resolution #1: get familiar with GDPR…and comply

On 25th May 2018, a new data protection regulation will kick in. The new regulation is more precisely called (the very sexy catchy name) General Data Protection Regulation (GDPR). It might sound very technical and complex, but members of the European Youth Forum need to get familiar with the regulation and act in order to comply – if not then penalties can be significant.

The regulation repealed a former regulation from 1995! You will acknowledge that the way we deal with data has changed a lot since then. With the issue of privacy and data protection a very high concerns for citizens nowadays, the European Union and its Members States started negotiations in 2012 and adopted a new reform of data protection rules. In 2016 this resulted in an adopted Directive and Regulation on the issue. The latter is what really matters to the members of European Youth Forum. All member organisations (including ourselves) are processing some sort of data. No doubt.

GDPR is an EU regulation, which means it will have direct applicability and direct effect in the current 28 EU member states. However it is not only EU member states but also member states of the European Economic Area (EEA: EU & Liechtenstein, Iceland and Norway) that should be aware of the regulation.

Most European countries already have data protection laws that set the definition of what is data and how it should be processed. GDPR intends to make this easier and more coherent by having one regulation on data protection throughout the EU (and beyond).

Just for you to get the gist of what the GDPR is all about, we have picked three items in the vast regulation which should make you think: “Blimey, I need to get started!”

What is data?

One of the many things that GDPR is defining very broadly is the definition of data:

any information relating to an identified or identifiable natural person (‘data subject‘); an identifiable person is one who can be identified, directly or indirectly, in particular by reference to an identifier such as a name, an identification number, location data, online identifier or to one or more factors specific to the physical, physiological, genetic, mental, economic, cultural or social identity of that person. (Article 4)

This means if you as an organisation in any way keeps and processes data of names and email addresses, then you need to make sure you comply with the regulation. You should pay even more attention if you have data for profiling purposes. This could for example be survey results that specify any other personal information such as gender, age, political opinions, sexual orientation, gender identity, sex characteristics, ethnicity, religion or disability. This is most likely going to be interpreted as sensitive data, and the penalties if you do not comply are even higher.

There are still lot of question marks about the definition of data. The best is to check with your national data regulators to make sure that you know exactly how data is being interpreted in your country.

It is also about how you behave

Finding out what data is, is one thing. Another is how you deal and behave with your data. This means that you need to look into any kind of systems you use, and how you are processing the data on a daily basis. There have been a lot of discussions about third party data processors like MailChimp or cloud based applications. Again, ask how your national data regulators interpret processing data.

Consent is the key

One key principle of the GDPR is active informed consent. All data needs to have a logged consent, and the consent needs to be opt-in and not a pre-ticked box hidden on your website.

But….oops, what about the mailing list for your organisational newsletter? Do you have an opt-in consent from ALL of the receivers? If not, then you should definitely wait before sending out your May newsletter until you have sorted this!

Consent also applies to other kind of data – such as the profiling data from survey results mentioned before. But there have also been discussions about images and video recordings, and whether you need to have active informed consent from all people recognisable in your photos and videos.

Again, again and again check with your national data regulators to make sure that you know exactly how it is being interpreted in your country.

The penalties

National data regulators have the authority to name and shame organisations that have not complied, and they can also impose fines and file criminal prosecutions. If you are reported to have made serious infringements, then the penalties are very heavy: 2% and 4% of total global annual turnover depending on the nature of the infringement, or €10 million (whichever is the higher). Ouch!

What should you do?

If you did not already receive any advice, then the best is to contact your national data regulators. They are responsible for the enforcement of the regulation in your country. This also means the wide definitions in the regulation will most likely be interpreted differently.

If you have access to legal advice in national data law/regulations, then that would obviously also be recommended. The three points mentioned above are just some of the most crucial items in the vast regulation.

Happy 2018!

Note! European Youth Forum has started the process of investigating how to comply in a Belgian context. It is taking a lot of our resources, and we can therefore not help with advice to individual organisations. It is a complex matter, which depends a lot of national context, organisational structure, systems and behaviour.