General Data Protection Regulation
• The General Data Protection Regulation is a regulation in EU law on data protection and privacy for all individuals within the European Union (EU) and the European Economic Area (EEA). It also addresses the export of personal data outside the EU and EEA areas.
• Superseding the Data Protection Directive, the regulation contains provisions and requirements pertaining to the processing of personal data of individuals (formally called data subjects in the GDPR) inside the European Union, and applies to an enterprise established in the EU or—regardless of its location and the data subjects' citizenship—that is processing the personal data of people inside the EU. Controllers of personal data must put in place appropriate technical and organisational measures to implement the data protection principles.
• Within the GDPR there is a distinct difference between business to consumer (B2C) and business to business (B2B) marketing. Under the GDPR, there are six equally valid grounds to process personal data. Two of these are relevant to direct B2B marketing: consent and legitimate interest. A recital of the GDPR states that "The processing of personal data for direct marketing purposes may be regarded as carried out for a legitimate interest." Using legitimate interest as the basis for B2B marketing involves ensuring key conditions are met:
"The processing must relate to the legitimate interests of your business or a specified third party, providing that the interests or fundamental rights of the data subject do not override the business' legitimate interest."
"The processing must be necessary to achieve the legitimate interests of the organisation."
Responsibility and accountability
• To be able to demonstrate compliance with the GDPR, the data controller must implement measures which meet the principles of data protection by design and by default. Data protection by design and by default (Article 25) require data protection measures to be designed into the development of business processes for products and services. Such measures include pseudonymising personal data, by the controller, as soon as possible (Recital 78). It is the responsibility and the liability of the data controller to implement effective measures and to be able to demonstrate the compliance of processing activities, even if the processing is carried out by a data processor on behalf of the controller.
Records of processing activities
• Records of processing activities must be maintained that include the purposes of the processing, the categories of data involved and the envisaged time limits. The records must be made available to the supervisory authority on request.
Data protection by design
• Data protection by design requires data protection to be designed into the development of business processes for products and services. Privacy settings must therefore be set at a high level by design, and technical and procedural measures should be taken by the controller to make sure that the processing, throughout the whole processing life cycle, complies with the regulation. Controllers should also implement mechanisms to ensure that personal data is not processed unless necessary for each specific purpose.
Right of access
• The right of access is a data subject right. It gives citizens the right to access their personal data and information about how this personal data is being processed. A data controller must provide, upon request, an overview of the categories of data that are being processed as well as a copy of the actual data. Furthermore, the data controller has to inform the data subject about details of the processing, such as the purposes of the processing, with whom the data is shared, and how it acquired the data.
• A data subject must be able to transfer personal data from one electronic processing system to and into another, without being prevented from doing so by the data controller. Data that has been sufficiently anonymised is excluded, but data that has only been de-identified yet remains possible to link to the individual in question, such as by providing the relevant identifier, is not. In practice, however, providing such identifiers can be challenging, as in the case of Apple's Siri, where voice and transcript data is stored with a personal identifier to which the manufacturer restricts access, or in online behavioural targeting, which relies heavily on device fingerprints that can be challenging to capture, send and verify.
Data protection officer
• If processing is carried out by a public authority (except for courts or independent judicial authorities when acting in their judicial capacity), or if processing operations involve regular and systematic monitoring of data subjects on a large scale, or if the processing involves special categories of data or personal data relating to criminal convictions and offences on a large scale (Articles 9 and 10), a data protection officer (DPO)—a person with expert knowledge of data protection law and practices—must be designated to assist the controller or processor in monitoring their internal compliance with the Regulation.
• A designated DPO can be a current member of staff of a controller or processor, or the role can be outsourced to an external person or agency through a service contract. In any case, the processing body must make sure that there is no conflict of interest in other roles or interests that a DPO may hold. The contact details for the DPO must be published by the processing organisation (for example, in a privacy notice) and registered with the supervisory authority.
• Lawful interception, national security, military, police, justice
• Statistical and scientific analysis
• Processing of personal data by a natural person in the course of a purely personal or household activity
Conversely, an entity, or more precisely an "enterprise", has to be engaged in "economic activity" to be covered by the GDPR. Economic activity is defined broadly under European Union competition law.