Econsultancy (New York) recently held its first live event on this topic with Alan Chapell – here are some of the key takeaways from the session:
Takeaway #1: All data is personal data
That means that even cached data falls under the umbrella of GDPR, and you are subject to the GDPR if you are operating in the EU, in any capacity.
Takeaway #2: Everyone has a role to play
Gone are the days of unencrypted transfers of sensitive data. Each person in the digital ecosystem has a responsibility, to one degree or another, to protect the personal data of customers that they come into contact with.
While levels of responsibility will vary depending on seniority and the quantity of personal data passing through a given employee’s hands, marketers and legal professionals anywhere would be wise not to become complacent. Fines for malfeasance can be hefty (up to €20 million, or 4 percent of annual turnover). It’s up to every employee to apprise himself or herself of the rules.
Takeaway #3: There is confusion over who’s a data controller, and who’s a data processor
In the words of the Regulation, “‘controller’ means the natural or legal person, public authority, agency or other body which, alone or jointly with others, determines the purposes and means of the processing of personal data.”
A processor, then, is any company that takes its direction from a controller and processes data. But what does that mean?
Company XYZ may sell a digital product to consumers, but contract a third party to track users’ engagement; in this example, the seller is the data controller (deciding which data to track and obtaining consent from consumers), while the third party is the data processor.
Takeaway #4: You are your partner’s keeper
You may be responsible for data you use that was collected by a partner who didn’t follow the rules, so choose wisely.
This dovetails neatly with takeaway #3: companies that think of themselves as controllers in certain situations (or, conversely, as processors) may be mistaken about the true nature of their role in the data handling process, potentially leading to trouble with regulators.
Takeaway #5: There is “no such thing as full GDPR compliance”
There are a number of ambiguities in the regulation that make “full compliance” a chimera. Feel free to roll your eyes when processors or controllers tell you they are in full compliance. It’s difficult to define.
Join our webinar
Find your way around the new regulations by getting your questions answered during our live Q&A. Submit questions here, and we’ll do our best to answer them during the session.
The webinar will be hosted by:
- Stefan Tornquist, VP Research at Econsultancy
- Alan Chapell, Lead Attorney and President at Chapell Associates
Our experts will offer you a unique opportunity to discuss your concerns or challenges around GDPR and get concrete, expert and applicable advice immediately.