The spectre of GDPR and why you shouldn’t be afraid of it

Everyone has heard of the GDPR, and most companies are worried about it. Often, needlessly so. If you have been complying with the original Czech Act No. 101, you have nothing to fear.

You can find the full text of the new regulation here. You might also want to check out this excellent page from the Office for Personal Data Protection.

We should also point out straight away that we are not lawyers, although we work closely with them on GDPR matters. Our articles on the GDPR are mainly practical and written with common sense in mind. We are aware of this limitation, but we wanted to make sure you understand the whole issue.

You will very often come across different interpretations. Unfortunately, some definitions in the regulation are somewhat vague and imprecise. In such cases, contact the authority directly and ask them straight out how they see it. After all, it is the supervisory authority that would impose any penalties.

The key is, above all, to handle data transparently and in such a way that users realise they should protect their personal data. However, despite all our best efforts, we tend to take the handling of our own data lightly. That is why the responsibility to protect data now lies with data controllers. It may be a little unfair, but look at it from the perspective of the data subject – perhaps your 16-year-old daughter.

This brings us to the terminology. You cannot do without knowledge of these terms.

Personal data

This is any data that can be used to identify a specific individual. According to the regulation, you must take into account all possibilities that can be legally utilised. If you can legally obtain additional information that leads to the identification of a specific individual, that data is personal data.

Take a phone number, for example: a mobile number on its own doesn’t tell you anything, does it? But you can Google the number, and Google will most likely know the owner’s name.

So personal data includes photographs, first and last names, dates of birth, numbers, email addresses, IP addresses and a whole range of other data. In a male-dominated workforce, gender is also personal data, particularly if you are the only woman in the company.

Sensitive data

This category of data is now referred to as a special category of personal data. It includes information such as your religious beliefs, race, health status, political views and the like. Such data does not by itself identify you as a person, but it is important to you and could be misused against you.

Data subject

A data subject is any natural person who provides you with data about themselves. For example, your daughter mentioned above, who entrusts Facebook with personal and often sensitive data.

All protection applies only to natural persons. Companies, as legal persons, do not strictly speaking have personal data. Your employees, however, are natural persons, so the GDPR applies to their data in all circumstances.

Controller

The controller is the company to which you provide your data. The controller is always responsible for complying with all the requirements under the GDPR. And note: they are also responsible for the conduct of processors.

Processor

This is a third party that helps you with your data. For example, an agency that handles your PPC, or even the email marketing tool you use. The processor must comply with your security standards, which is why you should have a contract with them – the GDPR considers this standard practice.

Stricter conditions apply to sensitive data and children’s data. National laws will determine the age up to which you need parental consent; the range is 13–16 years. In the Czech Republic, this age limit is currently set at 15 years.

How customers view the GDPR

According to research by the British agency HubSpot, 81% of customers think the regulation is a good thing.

Customers are far more interested than ever before in what happens to their data. 91% want companies to be completely transparent, but only 52% want to see personalised content. Consider conducting a similar survey among your customers. You may find that honesty and simplicity are more important to them than tailored discounts.

What exactly will change?

If you’re complying with the law, not much at all. Small and medium-sized businesses can prepare for the GDPR in a matter of days. You can find information resources and various guides online. Corporations have a tougher time of it, but they also have an army of lawyers.

What do you need to prepare for?

There’s no point asking whether the GDPR applies to you – if you’ve ever issued an invoice, have employees, send a newsletter, or have a form on your website, then of course it applies to you. Ask yourself exactly how it applies to you.

You’ll find a detailed guide in the next article. For now, test your theoretical knowledge in the quiz here.
