The EU General Data Protection Regulation (GDPR) replaces the Data Protection Directive 95/46/EC and was designed to harmonize data privacy laws across Europe, to protect and empower all EU citizens’ data privacy and to reshape the way organizations across the region approach data privacy. The key articles of the GDPR, as well as information on its business impact, can be found throughout this PDF specifically prepared by Infinity Intellectuals, Inc in association with our Channel partners UK Marketing Management Ltd & US Marketing Management, Inc.
25th May 2018 - at which time all organizations in non-compliance will face heavy fines.
The General Data Protection Regulation (GDPR) (Regulation (EU) 2016/679) is a regulation by which the European Parliament, the Council of the European Union and the European Commission intend to strengthen and unify data protection for all individuals within the European Union (EU). It also addresses the export of personal data outside the EU. The GDPR aims primarily to give control back to citizens and residents over their personal data and to simplify the regulatory environment for international business by unifying the regulation within the EU. When the GDPR takes effect, it will replace the data protection directive (officially Directive 95/46/EC) of 1995. The regulation was adopted on 27th April 2016. It becomes enforceable from 25th May 2018 after a two-year transition period and, unlike a directive, it does not require national governments to pass any enabling legislation, and is thus directly binding and applicable.
"The proposed new EU data protection regime extends the scope of the EU data protection law to all foreign companies processing data of EU residents. It provides for a harmonisation of the data protection regulations throughout the EU, thereby making it easier for non-European companies to comply with these regulations; however, this comes at the cost of a strict data protection compliance regime with severe penalties of up to 4% of worldwide turnover." The GDPR also brings a new set of "digital rights" for EU citizens in an age when the economic value of personal data is increasing in the digital economy.
The regulation applies if the data controller (an organization that collects data from EU residents) or processor (an organization that processes data on behalf of a data controller, e.g. cloud service providers) or the data subject (person) is based in the EU. Furthermore, the regulation also applies to organizations based outside the European Union if they collect or process personal data of EU residents. According to the European Commission "personal data is any information relating to an individual, whether it relates to his or her private, professional or public life. It can be anything from a name, a home address, a photo, an email address, bank details, posts on social networking websites, medical information, or a computer’s IP address."
The regulation does not purport to apply to the processing of personal data for national security activities or law enforcement within the European Union; however, industry groups concerned about facing a potential conflict of laws have questioned whether Article 48 of the GDPR could be invoked to seek to prevent a data controller subject to a third country's laws from complying with a legal order from that country's law enforcement, judicial, or national security authorities to disclose to such authorities the personal data of an EU person, regardless of whether the data resides inside or outside the EU. Article 48 states that any judgment of a court or tribunal and any decision of an administrative authority of a third country requiring a controller or processor to transfer or disclose personal data may only be recognized or enforceable in any manner if based on an international agreement, such as a mutual legal assistance treaty in force between the requesting third (non-EU) country and the Union or a Member State. The data protection reform package also includes a separate Data Protection Directive for the police and criminal justice sector that provides rules on personal data exchanges at national, European and international level.
APPROACH & IMPLEMENTATION – STEP BY STEP PROCESS BY INFINITY INTELLECTUALS, INC
➢ Firstly, to process data under GDPR, since we are the Data Owners & Controllers, we have appointed an in-house Data Protection Officer who can be reached at: officer@infinity-intellect.com
➢ As Data Controllers we hold only B2B data of close to 2 million executives (Data Subjects) across Europe.
➢ We hold the below data fields of the data subjects: Company Name, Website addresses, Full Name, First Name, Last Name, Job title, Email address, Telephone number, Fax number, Postal Address with City, State, Zip/Post code, Country, Industry Type, Annual revenue, Employee Size.
➢ Data Sourcing & Generation of Data Subjects: We have an extensive unit of research experts in Data Compilation who constantly accumulate and qualify lists from over 10,000 Global sources. A few of our sources of data collection are: Registrations, 5,200 Yellow Page and Business White Page Directories, Public records, Leading Business Magazines, Newspapers and Company Newsletters, Corporate & Executive registers, Postal records, Surveys, Questionnaires, Census data, Voter registrations, Telemarketing efforts, Mail & Telephone inquiries, Re-seller Programs, Telephone directories, Rebate coupons, Subscriber order forms, Warranty card registrations, Entry forms, Credit & Financial data, SEC listings, Institution information, Conference/Trade show/Seminar attendee registrations, Government records, Opt-in email responses, Publishing companies and many more. All information is derived from proprietary, self-reported data, or sources of public records. It is obtained legally and ethically under strict list industry rules, regulations, and guidelines.
➢ Information to Data Subjects: Since December 2017, we have been sending out GDPR compliance newsletters to all our data subjects (close to 2 million executives) in biweekly newsletters which outline how their information was sourced, what information we hold, what means we intend to use, why we are holding their data, how we will be using their business data as we intend to use them for 3rd party email marketing activities only based on “LEGITIMATE INTEREST” etc. A link to the newsletters can be found on the last page of this document.
➢ Data Subject Rights:
- To be informed: Infinity’s approach through GDPR compliance newsletters
- Access of their information/data: We are accessing their information based on Legitimate Interest & Fair processing policy.
- Notification: The data subjects are guided to multiple links such as: privacy policy, fair processing policy, GDPR guidelines & implementation policy etc. All these links are part of the email newsletters we use.
- Deletion: Through opt-outs of GDPR & Legitimate Interest newsletters.
➢ Coding & Record ID: Since we send out bi-weekly newsletters on GDPR & Legitimate Interest basis data validation, post opt-outs from these newsletters, each & every data subject will be given a unique code/record id based on country segregation. We plan to send out as many newsletters as possible so that we accumulate data subjects' Legitimate Interests in their information being sold/rented to 3rd party companies for their marketing solicitations.
➢ Legal & Lawful Process & Methods used for Data Subjects:
- Infinity has processed Due Diligence & Audit Document.
- We have a lawful basis to carry out profiling and/or automated decision-making and document this in our privacy policy.
- Infinity is using Legitimate Interest as the process to source their personal (Business related) data only used for 3rd party marketing activities.
- 3rd party marketing solicitations are processed only based on screening, profiling of data subjects' interests, targeted newsletters products/services based on their job profile & industry classification.
- Infinity is processing data subjects' details with a fair & transparent code of conduct.
- Infinity is using Legitimate Interest for the collection of data subjects' B2B data that is readily available in the public domain.
- We only hold their B2B data fields as outlined earlier & do not hold any of their personal details or information about their bank account, home address, phone, children etc.
- Infinity is processing data subjects purely in a B2B context for 3rd party marketing solicitation which is widely used only for emailing, tele-calling etc.
- Infinity has in place a fast & transparent dispute resolution process.
➢ Security Features & Data handling:
- Data is held on in-house servers which are password protected by Business Owners & Data Protection Officer.
- All data transfers, including samples and data delivery, are encrypted.
- Data is accessed by Data Protection Officers only on a need-to-know basis.
➢ Subject Access Request: Information/details of the data subjects will be shared when questioned along with proof of Legitimate Interest newsletters.
➢ Opt-Outs: Opt-out links are provided in newsletters – apart from this we will also provide an online opt-out for direct access of data subjects to opt out at any point of time. All opt-outs are processed once in every 22 business days (once in every month). We run constant monitoring on any kind of opt-outs & data breaches, if any, & the same will be notified to all the data subjects via newsletters.
➢ Auditing: Audits of data subjects are carried out once in 45 days by our Data Protection Officer to ensure all opt-outs have been suppressed, new data subjects added, and outdated & old data subjects removed from the master file.
➢ Data Brokers & Processors: Apart from having the data subjects' details with us – Data owners (Infinity Intellectuals, Inc) – we will also be processing data subjects' details to our Data Brokers & Processors such as: UK Marketing Management Ltd. registered in England and Wales, Company Reg No 4143451, having their Registered office at: 9 Ivy Way Dickens Heath Solihull West Midlands B90 1RR, VAT No. 765 0432 37, along with their subsidiary company US Marketing Management Ltd having their registered office at 19 West 34th Street, Suite 1018, New York, NY 10001.
➢ Conclusion: Infinity Intellectuals, Inc is committed to an ongoing program to ensure full GDPR compliance by May 2018. We have consulted professionals in this field & have taken suggestions from the industry experts, and have also formulated this guideline program on the basis of GDPR compliance. Continuous training both in the form of webinars & in-house has been processed at every step to match the formulations & process. Future sales have been taken into consideration for processing data subjects under GDPR.