Your Guide to the GDPR: A Comprehensive FAQ

So you’ve heard the news—the General Data Protection Regulation—or GDPR—goes into effect on May 25th, 2018. But what does GDPR really mean for you, your business, and your customers? If you’re still not sure, today’s blog post is for you.

Keep reading as we break down some of the biggest questions surrounding GDPR and give you important pointers about GDPR compliance.

Question One: What is GDPR?

In a nutshell, the goal of GDPR is to give individuals in the EU more control over their personal data. Until GDPR applies, personal data is governed by the 1995 Data Protection Directive, implemented in the UK as the Data Protection Act 1998. Because a directive is transposed separately by each member state, protection and enforcement vary across the EU. GDPR is a regulation, so it applies directly and uniformly in every member state, and it brings much larger fines for non-compliance and stricter obligations on how companies use personal data.

Question Two: Why is GDPR happening?

Almost all modern businesses collect and analyze personal data. Think about how many web forms you’ve filled out in your lifetime—first name, last name, email address, home address, employer, credit card information.

To say the amount of data created each day is growing rapidly would be a massive understatement. By one frequently cited estimate, 90% of the data that exists in the world today was created in the last two years alone, and the current global output of data is roughly 2.5 quintillion bytes a day. As technology advances and we become more and more connected, these numbers will undoubtedly expand (source).

Current legislation was written in the mid-1990s, before smartphones, pervasive online tracking, and large-scale biometric and genetic processing. While it already covers any data relating to an identifiable living individual, it does not spell out modern identifiers, which has left room for argument about what is in scope. In an effort to bring legislation up to speed with the current state of technology, GDPR explicitly extends the definition of personal data to cover a much wider array of identifiers.

Question Three: Okay, so what types of data does GDPR consider ‘personal data’?

The official definition of personal data, from Article 4(1) of the GDPR, reads as follows:

Personal Data: Any information relating to an identified or identifiable natural person (‘data subject’); an identifiable natural person is one who can be identified, directly or indirectly, in particular by reference to an identifier such as a name, an identification number, location data, an online identifier or to one or more factors specific to the physical, physiological, genetic, mental, economic, cultural or social identity of that natural person;

As such, GDPR protects personal data such as IP addresses and cookie identifiers (both treated as online identifiers), location data, genetic data, and biometric data such as fingerprints and facial images used for recognition. In practice, if a value can be linked back to a specific person, even only when combined with other data you or a third party hold, treat it as personal data.

Question Four: Who does GDPR impact?

GDPR applies to any organization established in the EU that processes personal data, and to any organization outside the EU that offers goods or services to individuals in the EU or monitors their behaviour (for example, by tracking their activity on a website). This means nearly all major companies across the globe must plan for GDPR compliance or risk the penalties. It’s important to note that a financial transaction does not need to take place for GDPR to apply: a free newsletter signup or a web form is enough.

Another important aspect of GDPR is the concept of data controller vs. data processor. Here’s what this means:

Data Controller: A person, public authority, agency, or other body which, alone or jointly with others, determines the purposes and means of processing of personal data.

Data Processor: A person, public authority, agency, or other body which processes personal data on behalf of the controller.

Now, in English:

Data Controller: A controller is the individual or organization that decides why and how personal data is collected and used, and is responsible for that use. Being a data controller comes with serious legal responsibilities, so it’s important that you understand whether these regulations apply to you as an individual or to your company as a whole. If you’re not sure, we recommend that you consult with a legal advisor or seek the advice of your national supervisory authority (for example, the Information Commissioner’s Office in the UK or the Data Protection Commissioner in Ireland).

Data Processor: A processor is a person or company that holds or processes personal data on a controller’s instructions, but does not decide what the data is used for. Examples of data processors include payroll companies, accountants, and cloud hosting providers.

This distinction is important for a few reasons. The controller carries the primary liability for how personal data is used and must be able to demonstrate compliance. Unlike the current law, however, GDPR also places direct obligations on processors: they must process data only on the controller’s documented instructions, keep records of their processing, implement appropriate security measures, notify the controller without undue delay after becoming aware of a breach, and engage sub-processors only with the controller’s authorization. Processors can be fined directly for failing to meet these obligations, and the relationship between controller and processor must be set out in a written contract.

For more information about data processors and controllers, see the text of the Regulation itself, in particular Article 4 (definitions), Article 24 (controller responsibilities), and Article 28 (processor obligations).

Question Five: What does it mean to be GDPR compliant?

In order for a company to be GDPR compliant, it must abide by the data protection principles set out in Article 5:

  • Data must be processed lawfully, fairly, and in a transparent manner
  • Data can only be collected for specified, explicit, and legitimate purposes, and not further processed in a way incompatible with those purposes
  • The scope of the data must be adequate, relevant, and limited to what is necessary
  • It must be accurate and kept up to date
  • Data can only be kept in a form that identifies individuals for as long as necessary and no longer
  • Data must be processed in a manner that ensures appropriate security of the personal data, including protection against unauthorized access, loss, and destruction

On top of these, the controller is accountable: it must be able to demonstrate compliance with each principle, for example through records of processing activities, documented lawful bases, and evidence of the security measures in place.

We recommend that you invest in compliance training and legal expertise if your business falls under GDPR. This will leave little room for error and will provide you with the tools you need to protect yourself and your customers.

Question Six: What happens if I’m not GDPR compliant?

Companies that fail to comply with GDPR face investigation by supervisory authorities, corrective orders, and serious fines. The fines take the form of a two-tiered system—meaning that the more serious the infraction, the more serious the consequence.

The upper tier, which covers breaches of the core principles, data subject rights, and international transfer rules, carries a maximum fine of 4% of a company’s annual global turnover or 20 million euros, whichever is higher. The lower tier, which covers obligations such as security, breach notification, and record-keeping, carries a maximum of 2% of annual global turnover or 10 million euros, whichever is higher.

Question Seven: When does GDPR officially go into effect?

GDPR goes into effect on May 25th, 2018. There is no further grace period: from that date, any company that does not meet the required level of data protection is exposed to enforcement, which can range from warnings and orders to stop processing up to the fines described above.

Question Eight: What does GDPR mean for my customers?

The goal of GDPR is to better protect the personal information of individuals in the EU. As such, your EU customers and contacts have eight fundamental rights under the regulation, set out in Articles 12 to 22. These are as follows (source):

The right to be informed. Organizations must be completely transparent in how they use personal data.

The right of access. Individuals have the right to confirm whether their data is being processed, to obtain a copy of it, and to know how it is processed, for what purposes, and with whom it is shared. Requests must generally be answered within one month and free of charge.

The right of rectification. Individuals will be entitled to have personal data rectified if it’s inaccurate or incomplete.

The right of erasure. Also known as “the right to be forgotten,” this refers to an individual’s right to have their personal data deleted in specific circumstances, for example when the data is no longer needed for the purpose it was collected for, when consent is withdrawn, when the individual objects and there is no overriding legitimate ground, or when the data was processed unlawfully. The right is not absolute: it does not apply where the data must be kept to comply with a legal obligation or to establish or defend legal claims.

The right to restrict processing. Refers to an individual’s right to block or suppress processing of their personal data.

The right to data portability. This allows individuals to receive the personal data they have provided to a controller in a structured, commonly used, machine-readable format, and to transmit it to another controller so they can reuse it for their own purposes. It applies to data processed by automated means on the basis of consent or a contract.

The right to object. In certain circumstances, individuals are entitled to object to their personal data being used. Where personal data is used for direct marketing, the individual’s objection must always be honoured. Where it is used for scientific or historical research, statistics, the performance of a task in the public interest, or a company’s legitimate interests, processing must stop unless the organization can demonstrate compelling legitimate grounds that override the individual’s interests.

Rights related to automated decision making and profiling. The GDPR has put in place safeguards to protect individuals against the risk that a potentially damaging decision is made without human intervention. Individuals have the right not to be subject to a decision based solely on automated processing, including profiling, where that decision produces legal effects concerning them or similarly significantly affects them. Where such decisions are permitted (for example, because they are necessary for a contract or based on explicit consent), the individual is entitled to obtain human intervention, to express their point of view, and to contest the decision.

Question Nine: What does GDPR mean for ZoomInfo and its customers?

Along with all other companies impacted by this regulation, ZoomInfo will be GDPR compliant by May 25th. This means our B2B contact database will satisfy the personal data privacy requirements put in place by GDPR. ZoomInfo likewise recommends that customers and partners who use, control, or process the personal data of persons within the EU and other European countries prepare for the GDPR.

To make it easier for our customers and partners to comply with the GDPR, ZoomInfo now offers the option to select a default data set that excludes contact information for individuals identified as EU residents. This gives ZoomInfo users a way to keep EU personal data out of their workflows while using our products.

For more information about ZoomInfo’s compliance with the GDPR or to access our GDPR compliant data, contact us today!