Prepare for GDPR

Disclaimer: This blog post is not legal advice for use in complying with EU data privacy laws like the GDPR. Instead, it provides background information to help you better understand the GDPR. You may not rely on this as legal advice, or as a recommendation of any particular legal understanding.

Over the past few months, HDMZ has been reviewing the General Data Privacy Regulation, or GDPR, going into effective on May 25, 2018. The primary function is to establish one single set of data protection rules across the EU, and provide individuals with better control over their personal data.

The new principles governing the use of EU audience data require all companies to:

• Obtain personal data fairly (explicit opt-in only) and process only for the specific, authorized purpose
• Keep personal data secure and up-to-date
• Retain personal data only as long as needed, then delete
• Provide updates or delete data upon request
• Maintain and adhere to transparent documentation of data management procedures

Does it apply to me, if I’m not located in the EU?

The GDPR does apply to non-EU businesses who market products to people in the EU or who monitor behavior of people in the EU. If you control or process the data of EU citizens, even if you’re based outside of the EU, the GDPR will apply to you.

How does the GDPR define our role? (courtesy of Hubspot’s GDPR glossary)

Controller
A company/organisation that collects personal data and makes decisions about what to do with it. So if you’re collecting personal data and are determining how it will be processed, you’re the Controller of that data and must comply with applicable data privacy legislation accordingly.

Processor
A company/organisation that helps a controller by “processing” data based on its instructions, but doesn’t decide what to do with data.
 

At HDMZ, we have always prioritized transparency and accountability, and we’re optimistic about the impact of these changes. We've been working hard to ensure we're ready to fulfill our roles as Processor and/or Controller, as applicable. In addition to all the security standards we already uphold, we'll be making a few updates to Terms of Service. Keep an eye out for an update in the weeks to come.
 

Resources:

• Full text of the GDPR
• Glossary of Terms (Hubspot)
• Overview of Important Changes (Hubspot)
• GDPR Checklist (Hubspot)
   

Discussions of GDPR Implications:

• PharmaTimes: Navigating privacy risks, GDPR and beyond
• Microsoft: Whitepaper
• Absolute Healthcare: Whitepaper
• Mintz Levin: Practical GDPR Steps for US-HQ Life Sciences Companies
• HealthcareIT News: What US health orgs need to know
   

Platform-specific Resources:

• Google Analytics
  • EU user consent policy
  • Terms of Service
  • Data processing amendment
  • Data retention changes
     
• Google AdWords
  • Personalized advertising policy
  • Advertiser cross-device linking policy
     
• Doubleclick
  • Advertising program terms
  • Ads data protection terms
  • Ads data processing terms
     
• Google Tag Manager
  • Terms of Service
     
• Data Studio
  • GDPR Subprocessor Appointment