GDPR Webinar Q&A: The Unforeseen Consequences
In our recent phenomenally successful webinar—The Path to GDPR: Ask the Experts from Return Path—we received a load of questions from both the webinar sign-ups, as well as during the webinar itself. We were able to answer a couple during the webinar but we wanted to address the rest of the great questions we received in this blog series. In the first post, we responded to questions about consent and legitimate interest and in our second post, we answered questions about re-permissioning. In this final post, we respond to the remaining questions asked during the webinar.
But first—a quick disclaimer!
The materials appearing in this article do not constitute legal advice from Return Path, from any of the associations of which we are members, or from the reference materials we draw on, and are provided for general information purposes only. It is recommended that you contact your general or legal counsel.
Is a Data Protection Officer (DPO) required if you are based in the US?
If you are collecting data of EU citizens, yes. Article 37 of the regulation states that any controller or processor of data must appoint a DPO if their “core activities” require “regular and systematic monitoring of data subjects on a large scale.”
The GDPR will impact businesses across all industries and not only organizations with a physical presence in Europe. Even if you are based outside the EU but are processing the personal data of individuals in the EU in relation to offering goods/services, or monitoring the behavior of individuals in the EU, you are also subject to its requirements.
Smaller companies have the option of using a DPO in the form of a purchased service. One DPO can serve several organizations. At the larger end of the scale, a dedicated in-house DPO is the only way to go. In this case, the DPO should be a C-level management position.
Is certification required for the DPO role?
No. Under the GDPR, a DPO can be described as the individual or entity “responsible for all things data protection in an organization”. He/she will be the first point of contact for data protection issues in the workplace. The DPO role is a key advisory role, providing the needed guidance on the identification and management of privacy risks. The regulation itself doesn’t define qualifications for the DPO other than “expert knowledge of data protection law and practices.” In practical terms, the ideal DPO would have the necessary legal knowledge as well as a deep enough understanding of your business practices and IT systems to guide you through the compliance process.
Can we still target ads to people based on their location/address of a company?
Yes, but this will still require permission. Please make sure you understand that location can be an identifier.
Furthermore, the analysis of an individual’s location data can reveal highly sensitive information. Sensitive personal data is the term used in the GDPR to describe information that needs special protection. It includes data revealing a person’s ethnicity; political, religious or philosophical beliefs; and data concerning health or sexual orientation.
Data on places a person visits can contain information on sensitive traits. For example, frequent visits to a church, a hospital, or a trade union can give away information that is not intended to be shared. The intimate nature of these personal details adds to the importance of effective anonymization.
This dimension of location data got into the public eye in early 2018, when Strava’s global heat map revealed the location of military bases in remote locations. The fitness app’s map visualized running trails of athletes all over the world—including soldiers—and made US bases clearly identifiable.
What effect will GDPR have on the use of public WHOIS records?
Currently, when someone registers a domain name their personal data is published on the internet through the WHOIS service—including their name, email, phone number, and physical address—unless they pay extra for a proxy privacy service.
That approach is illegal under GDPR.
The Internet Corporation for Assigned Names and Numbers (ICANN) scrambled, asking registrars and registries to send it their ideas on how to change the system, and then put out a document with no fewer than 12 different proposed models. ICANN’s staff published their own proposal less than two weeks before a critical meeting… and were promptly slammed by the government for failing to stick to ICANN’s own core values by trying to give governments the sole right to decide a critical component of the new system.
ICANN engaged with the Article 29 working party. The feedback received was, in some ways, predictable. The working party applauded ICANN for proposing an interim model which included an accreditation program for access to non-public WHOIS information; however, the group indicated the purposes for collection of personal data were not sufficiently detailed, and it urged “ICANN to revisit its current definition of ‘purposes’ in light of these requirements.” It also stressed to ICANN the need to link each specific purpose of the collection of data to a relevant legal basis.
The WHOIS system, as it has been known for two decades, will cease to exist. Unfettered access to registration information for Generic top-level domains (gTLDs)—the core group of generic top-level domains consists of the com, info, net, and org domains—is simply not going to be possible going forward after May 25th. Yes, there are still questions as to what the final model ICANN puts forth will be, but it will certainly drastically change how WHOIS will function.
We are a small ESP from Argentina, with a few clients in Spain. I’d like to know about the GDPR implications for our business. What would you recommend to do before May 25th?
The regulation will affect firms both inside and outside of the EU. In fact, any company dealing with EU businesses’, residents’, or citizens’ data will have to comply with the GDPR.
The Argentina Personal Data Protection Act has been Argentina’s data protection law since 2000. The country is, however, moving away from this law, and has already drafted a new data protection bill. The reason for this new bill is to bring Argentinian data protection law in line with the General Data Protection Regulation (GDPR).
The current law covers various areas differently from the GDPR. One such area is the definition of data subjects: it includes juristic persons or organizations in its definition of data subjects, whereas the GDPR doesn’t. In this way, the law is similar to South Africa’s Protection of Personal Information Act (POPIA).
The updated proposed bill improves on several existing definitions in the current law to include issues like biometric and genetic data, mirroring the updates included in the GDPR. Moreover, the proposed bill introduces new ways to determine whether an entity or certain data processing is subject to Argentine law, quite similar to the criteria found in the GDPR. Also, following this trend of adjusting the regulation to the European standards, the proposed bill introduces new legal bases, besides consent, to allow data processing. In particular, it adds the “legitimate interest” basis, which was absent from the original Argentine data protection regulation.
Among other changes, the draft bill overhauls the current section dealing with international transfers and introduces sections on child consent, data breaches, accountability, privacy by design, the duty to have a data protection officer, and mandatory impact studies. All these topics follow closely their European counterparts in the GDPR.
What about B2B? Does GDPR apply to that area too? Is opt-in becoming the norm for B2B too?
The ICO has published some important guidance on this topic:
The GDPR applies wherever you are processing ‘personal data’. This means if you can identify an individual either directly or indirectly, the GDPR will apply – even if they are acting in a professional capacity. So, for example, if you have the name and number of a business contact on file, or their email address identifies them (eg firstname.lastname@example.org), the GDPR will apply.
There is a useful article here on this topic.
If you are looking for more information about GDPR, you can find some great content in the GDPR category of our blog or watch our recent webinar. If you have questions of your own, feel free to leave them in the comment section below.
About Dennis Dayman
Dennis Dayman has more than 20 years of experience combating spam, security/privacy issues, and data governance issues, and improving email delivery through industry policy, ISP relations and technical solutions. As Return Path’s chief privacy and security officer, Dayman leverages his experience and key relationships to provide best practices to Return Path and its customers, and ensures the compliance of their communications data flows. He is also responsible for coordinating and managing Return Path’s international electronic commerce, privacy and Internet related policy issues.
About Guy Hanson
Guy is a passionate advocate for intelligent use of customer data to drive responsive email programs. With a knowledge base that now spans nearly 15 years, he is a global e-mail expert and thought leader. Leading Return Path’s International Professional Services consulting team, Guy has worked with a broad range of clients across 5 continents to improve their email delivery, subscriber engagement and revenue generated. Outside of work, Guy is the Chairman of the DMA Email Council. In this role, he works with industry peers including brands, agencies, and service providers to promote the best interests of the email industry to a broader audience. He is also a regular contributor to the industry press.