CBI Scene Blog

GDPR's Impact on Consent Management and Data Privacy

Posted by Evanna Payen on Apr 2, 2018 10:13:30 AM

To say that global reporting requirements are constantly changing is something of an understatement, particularly as new markets around the world continue to emerge. As a result, many industry professionals are concerned about their own ability to keep up with and be aware of all new compliance requirements around the world - even if their businesses are based primarily within the United States.

One new piece of legislation that brings with it significant implications in terms of global reporting requirements is the GDPR, which goes into effect on May 25, 2018.

What is the GDPR? Breaking It Down

Also referred to as the General Data Protection Regulation, the GDPR is a new regulation that requires all businesses to proactively protect both the personal data and privacy of all European Union citizens for transactions that take place within any country that is a member of the EU. It is essentially seen as a replacement for the Data Protection Directive, which itself first debuted back in 1995.

The GDPR itself requires the protection of a wide range of different types of data, including those like:

  • Any basic identity information including a person's name, their address and any relevant ID numbers
  • Standard web browsing data like location information, someone's IP address, information obtained from RFID tags and even cookie data
  • Biometric information
  • Health data
  • Genetic data
  • Political opinions
  • Information about someone's race, their ethnicity or sexual orientation

Essentially, the GDPR puts the burden of compliance on a few key roles within an organization: data controllers, data processors and a DPO or "data protection officer." A data controller is defined as any organization that owns the customer data in question, while a data processor is any outside organization like a vendor that helps to manage that data in some way.

The key thing to understand is that EVERYONE in the data chain must be in compliance or nobody is. If a third party vendor is not in compliance with the GDPR but you've taken internal steps to stay up-to-date and within the rules, this still means that your organization is technically not compliant. It is also your responsibility to inform all customers of their new rights once the GDPR goes into effect. Keep in mind that the maximum penalty for non-compliance with the GDPR is €20 million or 4% of your company's global annual turnover - whichever is higher.

If you'd like to find out more information about the GDPR's impact on issues like consent management and data privacy, or if you'd like to leverage a unique opportunity to examine the latest trends, challenges and solutions for successfully navigating these and other topics to your advantage, don't delay - be sure to register for CBI's Inaugural U.S.-based Congress on Global Transparency Reporting today. The event will take place May 22-23, 2018 in Philadelphia, PA.



Topics: Compliance