European GDPR compliance

The General Data Protection Regulation 2016/679 is a regulation in EU law on data protection and privacy for all individual citizens of the European Union and the European Economic Area. It also addresses the transfer of personal data outside the EU and EEA areas.

What is the GDPR?

The EU General Data Protection Regulation (GDPR) is a new regulation that addresses the collection, use, processing and transfer of the personal data of European Union citizens.

It applies to all European Union member states and any entity that transfers the personal data outside of the European Union.

GDPR is a major concern for market research and insights organisations as:

  • Research is global.
  • Market research and insights organisations often collect personal data.
  • Personal data is often transferred by market research and insights organisations across international borders.

If your company collects personal data from European Union citizens, GDPR applies to you.

Essential steps to address

Below are some of the steps Cint has addressed. We suggest that any organisation interested in GDPR compliance, address these as well:

  • Build company awareness and obtain management support
  • Perform a Data Protection Impact Analysis (DPIA)
  • Appoint a Data Protection Officer (DPO)
  • Review and document the data you hold and process
  • Review and update the communication of privacy information (privacy policies or notices)
  • Address the rights of Data Subjects, including subject access requests
  • Review the legal basis for data processing
  • Address the requirements with respect to consent
  • Review the requirements with respect to children
  • Address data breach requirements
  • Address data protection by design
  • Identify an enforcement agency

Questions about the GDPR

As a global company whose day-to-day business deals with the collection and processing of personal data, data protection compliance, including GDPR is a focus for Cint and our clients and partners.

Here are some of the questions (with answers) that we’ve received from clients and partners

When does the regulation enter into force?
After four years of preparation and debate, the GDPR was approved by the EU Parliament on the 14th of April 2016 and entered into force on the 25th of May 2016. The enforcement date will be the 25th of May 2018 – at which time those organisations in non-compliance will face heavy fines.

What is the difference between a regulation and a directive?
A regulation is a binding legislative act. It must be applied in its entirety across the EU, while a directive is a legislative act that sets out a goal that all EU countries must achieve. With a directive, it is up to the individual countries to decide how. It is important to note that the GDPR is a regulation, in contrast to the previous legislation, which is a directive.

Who does the GDPR affect?
The GDPR not only applies to organisations located within the EU but also to organisations located outside of the EU if they offer goods or services to, or monitor the behaviour of, EU data subjects. It applies to all companies processing and holding the personal data of data subjects residing in the European Union, regardless of the company’s location.

What is the difference between a data processor and data controller?
As EU Data Privacy Directive, the GDPR includes the concepts of a data controller and a data processor. A data controller is an entity that determines the purposes, conditions and means of the processing of personal data, while a data processor is an entity that processes personal data on behalf of the controller.

What constitutes personal data
Personal data is any information related to a natural person or ‘Data Subject’, that can be used to directly or indirectly identify the person. Personal data can be anything from a name, a photo, an email address, bank details, posts on social networking websites, medical information, a device IP address or a mobile device ID.

What are the requirements with respect to concent?
The conditions for consent have been strengthened. The request for consent must be given in an intelligible and easily accessible form, with the purpose for data processing attached to that consent, meaning it must be unambiguous. Consent must be clear and distinguishable from other matters and provided in an intelligible and easily accessible form, using clear and plain language. It must also be as easy to withdraw consent as it is to give it.

What are the requirements with respect to data breaches?
Data breaches which may pose a risk to individuals must be notified to the Data Protection Authority (DPA) within 72 hours and to affected individuals without undue delay

What about Data Subjects under the age of 16?
Parental consent will be required to process the personal data of children under the age of 16 for online services; member states may legislate for a lower age of consent but this will not be below the age of 13.

What is the impact on companies in the US?
GDPR applies to any US company that collects personal data from EU citizens and transfers it out of the EU. Important note for US companies that use the Privacy Shield Framework is that Privacy Shield only addresses the data transfer requirement. A US company, like any company in the EU, must comply with all the requirements of GDPR.

What about Brexit?
The UK Government has indicated it will implement an equivalent or alternative legal mechanisms (to GDPR). The expectation is that any such legislation will largely follow the GDPR, given the support previously provided to the GDPR by the ICO (the Data Protection Officer in the UK) and UK Government as an effective privacy standard.