What does GDPR mean for good Digital Asset Management?
The EU Data Protection Regulation came into effect on May 25, 2018, and raises strong feelings in marketing and communications management. Do you still remember the flood of "If you want to receive our newsletter in the future" emails in your mailbox? The first GDPR legal cases have already been in court in Sweden. The Finnish IT magazine TiVi reports that the defendants include two healthcare companies, 13 non-profit associations, three public sector transport companies, five teleoperators, three banks and 35 government organizations. GDPR commitment is not to be taken lightly.
The General Data Protection Regulation (GDPR) applies in all EU member countries. The goal is to harmonize data protection rules for personal data and to develop the EU's internal digital market. GDPR strengthens individuals' rights when personal data is collected and processed. Digital asset management needs to be even more carefully designed, since practically all companies handle personal data in various digital assets.
GDPR, laws and regulations
The GDPR applies to all companies in which personal data are processed, whether the company is in the consumer or B2B market. In principle, the company as a data controller is also a data processor. Data can also be processed by external parties, for example in cloud services.
Generally, all physical or digital formats in which personal data are stored and processed are classified as personal records. The data controller is obliged to inform the registered person not only of his rights, but also of the processing of personal data.
Such personal data processing rules include, for example, retention periods for documents containing personal data. Some documents must be kept for a certain period of time, and some of the material may not be stored after a specified period. These kinds of rules are found not only in the GDPR, but also in the laws concerning employment contracts, accounting and privacy. Some regulations are based on recommendations.
Consent and rights to protect your personal data
Companies should protect personal data with different access rights and different roles. With GDPR, the company must be able to demonstrate that the processing of personal data is subject to the consent of the registered person. It must also be possible to withdraw consent easily. For this reason, for example, you can cancel a newsletter subscription with one click.
Quick checklist for the best practice for GDPR compliance
- Train your personnel on GDPR
- Prepare the processes to fulfill the GDPR obligations for reporting
- Update your privacy notices
- Establish processes for the individual information requests related to the personal data
- Inform your personnel about the crisis communication plan – what to do if a security breach occurs
The biggest change from previous data protection legislation is the obligation to demonstrate. It is no longer enough for a company or organization to comply with data protection legislation; it must also be able to demonstrate that it does. This can be done through various documents on data protection and the processing of personal data, such as a privacy notice and data security guidelines.
The registered person has the right to request access to and rectification or erasure of personal data. The controller should be obliged to respond to requests within one month.
Company personnel need to be trained and educated in these kinds of requirements, so that everybody knows how to act.
What if the crisis strikes?
Communication professionals working in listed companies know that stock exchange announcements have their own regulations. The accuracy, uniformity and timeliness of information sharing are essential. According to the GDPR, every company has an obligation to report breaches to the data protection authority within 72 hours.
Good crisis communication means, for example, that the CEO of a company steps forward in the media right away and tells what has happened, what actions have been taken and what the plan is going forward.
It is a serious issue for brand management and for the entire business of the company. The reputation of the company is endangered, and serious cost issues are also involved.
The data protection authority can impose sanctions on companies, up to 20 MEUR or 4% of the company’s turnover, whichever is greater.
Pay attention to GDPR in your ecosystem
In addition to your own company, your affiliate network should work under the GDPR when doing business in the EU. GDPR needs to be considered when integrating systems and, for example, when using marketing and sales automation systems.
Gredi stores its customers' digital assets in a 100% secure way in Finland, in the data centers of DataCenter Finland.
We will guide you on how digital assets can be processed and shared through the Gredi Content Hub securely and in compliance with the GDPR. With Gredi Content Hub, you can store, manage, find, archive and control versions. You can also comment, personalize and approve, as well as share and publish information.
We will guide you through best practices and give effective tools and know-how to bring you all the information you need with the GDPR in mind. We will tell you how to automate data processing in a secure way, and how to make data sharing easier. We are here to help you with experience and enthusiasm. Contact us by email firstname.lastname@example.org or call +358 10 778 7100.