Opinion piece by Ana Perez, Senior Communication Manager, COFACE Families Europe
The new General Data Protection Regulation (GDPR), the furthest-reaching legislation ever on the use of data, is about to become a reality on May 25 2018. The GDPR is a new legal framework that is set to change the way organisations and companies collect, process and protect the personal data of EU citizens. One of the objectives of the GDPR is to make companies (including non-profit organisations like COFACE Families Europe and its members) understand that the personal data they handle belongs to each and every person concerned, and not to the company.
Data protection regulation has been part of EU legislation since 1995, but it is only during the last few years that it has become a hot topic. Why now? Many reasons can explain this, but one of them is clearly the exponential rise of the data mining capabilities developed by large companies, which can rely on an ever-growing network of smartphones and devices to collect the personal data of their users. Now in 2018, can we still pretend we can control our personal information? Isn’t it too late already?
You have certainly seen plenty of articles with pieces of advice and long check-lists informing you how to be compliant with the new Regulation. One may easily feel overwhelmed or discouraged by all the information but after all, the GDPR is an evolution, not a revolution. The previous data protection laws already required that data should be processed fairly and lawfully so, in theory, our organisations “shouldn’t have much more to do”.
Hopefully, this GDPR awareness will increase gradually through all sectors of society, and organisations practicing a higher ethical approach and transparency will have more chances to win the trust of present and potential partners. In view of the new requirements, all organisations dealing with personal data of EU citizens will need to update their own data protection procedures. Responding to these requirements can be complicated or feasible, depending on the size and structure of the organisations and how data was previously treated. Let’s check together if you have implemented the following six steps:
1. To create awareness and a team: The GDPR will impact all areas of an organisation. All staff are concerned, and implementing all the changes must be a team effort.
2. To document the current situation: All organisations should identify and document the activities of the organisation which require the use of personal data.
3. To make a plan: All organisations should document how they are conducting the internal data audit and describe their vision on privacy and data protection, develop a strategy and explain the choices made.
4. To develop processes and templates: All organisations should start by reviewing the current privacy notices and consent boxes, and make the necessary changes and updates. New guidelines include consent requests separated from other terms and conditions, active opt-ins, information about the data collection and the right to withdraw one’s consent.
5. To assess and plan the security: All organisations must review all security policies. Responsibility for GDPR compliance extends from the organisation itself to the different suppliers processing data. It is also crucial to anticipate adequate procedures in order to detect, report and investigate data breaches.
6. To start implementation: After the internal data audit, it is necessary to figure out whether or not the organisation has the adequate consent of all contacts. GDPR compliance will require a database strategy, and creating a valid reason for opt-in is unavoidable. The opt-in message must include links to the privacy and cookie policies as well as an unsubscribe link.
As you see, achieving GDPR compliance takes time and is not a simple matter. Getting prepared for the new regulation may be a complex and challenging process. COFACE Families Europe uses personal data for the implementation of its different activities such as communication campaigns, news dissemination, website monitoring, expert meetings, conferences and other events. Personally, I wonder if and how the organisation of European meetings and conferences will be impacted in a post-GDPR era.
Event organisers deal with large amounts of personal data collected from many different sources. How are they using participants’ personal data? Some people may feel powerless as they do not know what happens with the personal information they give in a registration form, for example. Event organisers need to care much more about participants’ personal data and communicate with them in a more transparent way, in order to establish a relationship based on trust.
But in today’s digital environment, compliance with the law is not enough. There is also an ethical dimension of data processing to be considered, as the new Regulation also concerns the use of data profiling and the use of personal data to make predictions about a person’s economic status, location, health and preferences without consent. The evolution of digital technologies has brought about a paradigm shift in almost all aspects of our daily lives; this evolution raises ethical questions and complex dilemmas. But this is another debate, which COFACE Families Europe is following closely, assessing the impact on digital families.
If you are interested in digital ethics, please note that the European Commission has just launched a public consultation on this topic (open from 15 May to 15 July).
**DISCLAIMER: All opinions in this article reflect the views of the author, not of COFACE Families Europe**