GDPR and Consumer Care: The Evolution of Consumer Privacy

You may be seeing quite a bit of news about GDPR lately, some of it alarmist. We have had a number of conversations with clients about the topic in recent months as they work through their company plans for compliance. While this may seem to be a question only for operations in Europe, we think it is helpful for all consumer care teams to understand the principles, as the question of consumer privacy rights is universal.

So, here is some background and perspective on GDPR, how it applies to consumer care, and how we at Wilke Global ensure that we are doing our part in our clients' compliance efforts.

What is the GDPR?

The EU General Data Protection Regulation (GDPR) is a new law designed to unify data privacy laws across the EU. It modernizes and replaces the EU Data Protection Directive 95/46/EC and the local laws implementing the Directive. The GDPR will become effective on May 25, 2018. It imposes a variety of requirements on organizations that collect or process personal data, including requirements related to transparency, processing limitations, minimizing collection, ensuring accuracy, limiting storage, breach notification, and ensuring security, integrity, and confidentiality.

What is the impact of the GDPR?

The GDPR creates a more comprehensive regulatory framework for data controllers and processors. Wilke Global clients, who determine the purposes and means of processing, are usually the data controllers for the personal data that they collect, use, transfer, or otherwise process. Wilke Global acts as the data processor for its clients and processes personal data on behalf of its clients during the provision of its services. The GDPR creates specific legal obligations for controllers and processors.

Wilke Global’s clients are generally responsible for ensuring that personal data is processed using a valid legal basis and in compliance with the law. The GDPR also requires increased record keeping, documentation, policies, and procedures relating to those legal obligations. Brands need to comply with new data subject rights under the GDPR as well, such as those relating to notice, access, correction, and the right to be forgotten. The GDPR also requires greater transparency, so we recommend reviewing internal documents to ensure that data subjects are provided with fair notice of data usage, transfers, monitoring or recording. Additionally, data protection impact assessments may need to be conducted, and appointing a Data Protection Officer could be required. International data transfers relating to the personal data companies control should be reviewed to ensure they are adequate under the GDPR.

The data processor, on the other hand, is mainly responsible for assisting the controller and complying with its instructions found in its contracts.

How does the GDPR impact Wilke Global services?

Some provisions of the GDPR now directly apply to data processors such as Wilke Global. The law requires data processors to process data only in accordance with client instructions, use appropriate technical and organizational measures to protect personal data, and assist with data subject access, correction, and objection requests. The law also requires us to maintain records of our processing activities, assist with your GDPR record keeping, notify you in the event of a data breach, and appoint a Data Protection Officer, where required.

How does Wilke Global comply with the GDPR?

Wilke Global adheres to the EU-U.S. Privacy Shield Principles administered by the U.S. Department of State. You may view our self-certification here. Entities that hold a Privacy Shield certification are deemed to provide adequate protection for data transferred out of the EU to the United States. We have developed policies and procedures relating to privacy and security to comply with our obligations under the Privacy Shield and the GDPR. You may also review our Privacy Policy.

We also include our Standard Operating Procedures in our agreements with our customers. These documents help satisfy your obligation to instruct us to use appropriate technical and organizational security measures. We regularly review and update these procedures.

Who can I contact for additional information?

You may read more about the GDPR from the UK Information Commissioner’s Office here. You may find additional guidance directly from other European Data Protection Authorities here. You may also read more about impacts of the GDPR from the International Association of Privacy Professionals here. If you have specific questions about how the GDPR impacts your organization’s privacy and data protection compliance, please be sure to check with your in-house compliance or legal department. For any remaining questions regarding Wilke Global and the GDPR, please contact your account manager.

 
