GDPR AFTER THREE MONTHS: Three adjustment challenges and how to overcome them

Filip Jakopović
August 30, 2018

GDPR has now been in application for three months. There was a lot of fear and confusion among companies, but the average citizen was given the opportunity to access their aggregated personal information on social networks, clearer explanations of how and why this data is processed when using loyalty programs, and a say in whether marketing materials are sent to their email address.

Over the past few months, the concept of GDPR has entered the collective consciousness of Croatian citizens, partly because of daily articles on the subject in the media and partly because of the irritating consent requests sent by e-mail. Behind this concept is the General Data Protection Regulation (GDPR), which came into effect on May 25, when its popularity on Google overtook the World Cup, as well as numerous world stars such as Rihanna, Beyoncé or Lionel Messi. Today, three months later, the number of searches has returned to its usual level and many portals have stopped informing citizens and organizations about the obligations the Regulation introduces. The result of these articles has often been to deepen confusion and fear of the Regulation and the rigorous penalties it prescribes. On the other hand, the result of the Regulation itself is a clearer process for processing personal data.

Data Access

There are three examples through which an average citizen could become acquainted with the Regulation: the ability to access their aggregated personal data on social networks, clearer explanations of the ways and purposes of processing personal data when using a loyalty program, and being asked for permission to send marketing material to their email address. In connection with this, companies face the challenge of identifying the personal information in their possession, revising or establishing their privacy policies and personal data handling procedures, and establishing the legal basis for every process that handles or uses personal data in their business.

Loyalty cards

Many merchant chains in Croatia use loyalty programs based on cards, QR codes and the like. So, without our being aware of it, our purchasing habits became the subject of analysis and we became the subject of profiling, whereby the chains tried to predict our purchasing habits. Although requirements and rules already existed, they were often written superficially and were insufficiently informative and detailed, so that an individual could not get a clear picture of what personal information is provided to companies, for what purpose, and what will be done with it. As a result, individuals' personal data could be shared with unauthorised third parties, used for purposes that were not initially envisaged, and used in other ways permitted by vague privacy rules. The Regulation has put an end to this by clearly spelling out the information that must be provided to the individual when personal data is collected. In the weeks before the Regulation took effect, many chains changed the privacy policies governing their loyalty programs, and some even issued brand new cards and programs, all to bring their privacy terms into line with the Regulation's requirements.

Email rescue

The greatest advantage that came with the Regulation is the filtering out of the large number of ‘newsletters’ that arrived in our inboxes every day. Prior to the Regulation, many organizations that collected our e-mail addresses for various purposes unilaterally decided to use them for sending marketing materials. Under the Regulation, all of these companies have to prove that each individual they send these materials to has given clear and unambiguous consent, which most of them did not have. In order not to lose the ability to send marketing materials to the masses, companies sent out panicky consent requests on the 25th of May, hoping recipients would respond as quickly as possible so that they could maintain their marketing reach.

A lot of workload for the companies

To cope with these challenges, companies must take a series of steps. To identify all personal data in a company’s possession, it is necessary to review all business processes in detail, focusing in particular on personal information, which needs to be clearly identified and distinguished from other data. This process should cover all departments and business processes, both internal and external, since only then can it create a complete picture of the personal data held company-wide and satisfy an individual’s request for access to all of their personal information. The solution to inadequate privacy policies is to modify them. The first step is to identify where the current content of the privacy policy, and the way it is communicated to users, diverge from what the Regulation requires. The scope of information provided to users when personal data is collected, the way the privacy policy is disclosed (it must be clearly separated from other terms of use), and the manner in which the user gives consent should all be borne in mind. Based on the deviations identified in these areas, companies had to change certain sections, but often had to create completely new privacy policies aligned with the Regulation. Related to this, and also to the last challenge outlined in this article, in order to avoid penalties companies must use personal information only for the purposes for which they have the individual’s consent. Companies that used individuals’ e-mail addresses to send marketing materials had to analyze how those addresses were collected. For example, if a user gave an e-mail address when registering at a web store, he or she did not thereby give permission to send promotional offers to that address. The use of an e-mail address as a marketing channel must be clearly separated, and the individual must give his or her consent under the terms and in the manner dictated by the Regulation. Only appropriately given consent can be considered a legal basis for sending a ‘newsletter’ to an individual’s email address.

The practice is created along the way

Based on these and many other challenges that companies face, the basic conclusion after several months of work on alignment projects is that this topic is complex and new to all stakeholders, mostly because it is not possible to copy an example of good practice from other countries, since the Regulation became binding for all organizations, from Bosnia and Herzegovina to Sweden, on the same day. Namely, even companies outside the EU that handle the personal data of EU citizens must embed it in their business and comply with its requirements. Nevertheless, we can all actively follow the announcements, guidelines and opinions of the Personal Data Protection Agency (AZOP), the European Data Protection Board (EDPB) or a foreign supervisory body such as the British Information Commissioner’s Office (ICO). While working through this forest of information, experts from Apsolon are available to you as external help in the alignment process.


What companies must do

  • To identify all the personal information the company possesses, it is necessary to review all business processes in detail, focusing in particular on personal information.
  • The first step in fixing inadequate privacy policies is to identify where their current content, and the way they are communicated to users, diverge from what the Regulation requires.
  • In order to avoid penalties, companies must use personal information only for the purposes for which they have the individual’s consent. Those who used individuals’ e-mail addresses to send marketing materials must analyze how those addresses were collected.