Your Guide to the GDPR: A Comprehensive FAQ

So you’ve heard the news — the General Data Protection Regulation — or GDPR — went into effect in May 2018.

But, what does GDPR really mean for you, your business, and your customers? If you’re still not sure, today’s blog post is for you.

Keep reading as we break down some of the biggest questions surrounding GDPR and give you important pointers about GDPR compliance.

1. What is GDPR?

In a nutshell, the goal of GDPR is to give EU citizens more control over their personal data. 

The Data Protection Act of 1998 governs personal data in the UK. However, the EU recognized a need for stronger fines for non-compliance and more control over companies and how they use personal data.

Twenty years later, GDPR’s passing sets out how personal data must be handled under the principles of lawfulness, fairness, transparency, purpose limitation, data minimization, accuracy, storage limitation, integrity, confidentiality, and accountability.

2. Why Did GDPR Pass?

Almost all modern businesses collect and analyze personal data. Think about how many web forms you’ve filled out in your lifetime — first name, last name, email address, home address, employer, credit card information.

To say the amount of data created each day is growing rapidly would be a massive understatement. In fact, there are 40 times more bytes in the digital universe than there are stars in the observable universe. As technology advances and we become more and more connected, these numbers will undoubtedly expand.

Decades-old legislation is no longer enough to protect and govern personal data. It only protects names, addresses, and photos. In an effort to bring legislation up to speed with the current state of technology, GDPR extends protection to cover a much wider array of personal data.

3. Okay, So What Types of Data Does GDPR Consider “Personal Data?”

The official definition of personal data, as it pertains to GDPR, reads as follows:

“Any information relating to an identified or identifiable natural person (‘data subject’); an identifiable natural person is one who can be identified, directly or indirectly, in particular by reference to an identifier such as a name, an identification number, location data, an online identifier or to one or more factors specific to the physical, physiological, genetic, mental, economic, cultural or social identity of that natural person;”

As such, GDPR protects personal data like IP addresses, genetic information, and biometric data like fingerprints and facial recognition data.

4. Who Does GDPR Impact?

GDPR applies to any company, inside or outside the EU, that offers goods or services to customers within the EU. This means nearly all major companies across the globe must have a solid plan for GDPR compliance or risk the penalties.

It’s important to note that a financial transaction does not need to take place for GDPR to apply.

Another important aspect of GDPR is the concept of data controller vs. data processor. Here’s what this means:

Data Controller: “A person, public authority, agency, or other body which, alone or jointly with others, determines the purposes and means of processing of personal data.”

Data Processor: “A person, public authority, agency, or other body which processes personal data on behalf of the controller.”

Now, in English:

Data Controller: An individual who controls and is responsible for collecting and using personal data. Being a data controller comes with serious legal responsibilities, so it’s important that you understand whether these regulations apply to you as an individual or to your company as a whole. 

If you’re not sure, we recommend that you consult with a legal advisor or seek the advice of the Data Protection Commissioner.

Data Processor: A person or company who holds or processes personal data, but does not have responsibility for or control over it. Examples of data processors include payroll companies or accountants.

This distinction is important for a few reasons: Under GDPR, a controller holds most of the liability should their organization experience a breach. The processor’s main responsibility, however, is making sure that any controllers they work with are GDPR compliant.

For more information about data processors and controllers, check out the official GDPR website.

5. What Does it Mean to be GDPR Compliant?

In order for a company to be GDPR compliant they must abide by these main principles:

  • Data must be processed lawfully, fairly, and in a transparent manner
  • Data can only be collected for specified, explicit, and legitimate purposes
  • The scope of the data must be adequate, relevant, and limited to what is necessary
  • Data must be accurate and kept up to date
  • Data can only be held for the absolute time necessary and no longer
  • Data must be processed in a manner that ensures appropriate security of the personal data

We recommend that you invest in compliance training and legal expertise if your business falls under GDPR. This will leave little room for error and will provide you with the tools you need to protect yourself and your customers.

6. What Happens if I’m Not GDPR Compliant?

Companies that fail to comply with GDPR face complex administrative procedures and serious fines. These take the form of a two-tiered system — meaning that the more serious the infraction, the more serious the consequence.

The maximum fine is 4% of a company’s annual global turnover or €20 million, whichever is higher. The lower tier of violations can result in a maximum fine of 2% of annual global turnover or €10 million.

7. When Did GDPR Officially Go Into Effect?

GDPR went into effect on May 25, 2018. From that date, any company that does not provide the required level of data protection is subject to a fine.

8. What Does GDPR Mean for My Customers?

The goal of GDPR is to better protect the personal information of citizens and consumers. As such, your EU customers have eight fundamental rights under the regulation. These are as follows:

The right to be informed. Organizations must be completely transparent in how they use personal data.

The right of access. Individuals will have the right to know exactly what information is held about them and how it is processed.

The right to rectification. Individuals will be entitled to have personal data rectified if it’s inaccurate or incomplete.

The right to erasure. Also known as “the right to be forgotten,” this refers to an individual’s right to have their personal data deleted or removed without the need for a specific reason.

The right to restrict processing. This refers to an individual’s right to block or suppress processing of their personal data.

The right to data portability. This allows individuals to retain and reuse their personal data for their own purposes.

The right to object. In certain circumstances, individuals are entitled to object to their personal data being used. This includes cases where a company uses personal data for the purpose of direct marketing, scientific and historical research, or for the performance of a task in the public interest.

Rights related to automated decision making and profiling. The GDPR has put in place safeguards to protect individuals against the risk that a potentially damaging decision is made without human intervention. For example, individuals can choose not to be the subject of a decision based on automated processing where the consequence has a legal bearing on them.

9. Does GDPR Apply to B2B Data?

GDPR regulations apply to all businesses, B2C and B2B alike. Out of all B2B practices, the most threatening to data privacy is cold outreach — this doesn’t mean it’s completely banned though. 

Cold outreach, including cold calling, is still allowed under GDPR, but with some restrictions. What’s most important to remember with cold outreach is making sure that senders can rely on one of the following:

  • Explicit Consent: A clear agreement, given with full information, that your organization can use the recipient’s data for a particular activity. A crucial part of getting explicit consent is offering an opt-in or opt-out option for personal data use (requirements vary from country to country).
  • Legitimate Interest: This may be a bit subjective, but it refers to the purpose and necessity of your messaging. Your outreach has to pique the interest of both your organization and the recipient.

10. Is ZoomInfo GDPR Compliant? And How are Customers Affected?

Along with all other companies impacted by this regulation, ZoomInfo is GDPR compliant. This means our B2B contact database satisfies the personal data privacy requirements put in place by GDPR. Similarly, ZoomInfo recommends that customers and partners who use, control, or process the personal data of persons within the EU and other European countries be GDPR compliant.

To make it easier for our customers and partners to comply with the GDPR, ZoomInfo offers the option to filter contacts and companies by location — including the exclusion of individuals identified as EU residents. This functionality gives ZoomInfo users the ability to remain compliant while using our products.