GDPR for magazine publishers
28th June 2018
Over the past few months, we have all become very aware of the General Data Protection Regulation (GDPR), with extensive coverage and discussion within our industries and the wider mainstream media. This new EU legislation came into force on May 25th this year and is built on the concept of ‘privacy by design’. In the UK it replaces the earlier Data Protection Act and goes further in protecting the privacy of individuals’ personal data.
How does GDPR impact on a publisher’s relationship with Spatial Global as your mailing services provider?
For a start, GDPR extends beyond your own systems. A publisher holding mailing lists or other personal data is referred to as the ‘data controller’, and as your fulfilment partner we are your ‘data processor’. GDPR means all media publishing companies should have taken a close look at how they collect and manage people’s data both within their organisation and throughout their supply chain.
You are regarded as the custodian of data
As the data controller you are considered to be the custodian of data, not the owner, since the GDPR puts the ownership of the data squarely back into the hands of the person it belongs to (the individual). As the data controller you determine why and how any personal data you control is processed. Under GDPR, it is the data controller that must exercise control over the processing and carry responsibility for data protection. In short, you need to ensure that any company processing your data – your mailing house, for example – is fully compliant with GDPR.
Tackling the challenges of GDPR
Experts recommend that every business should have a map of all the data held across their entire organisation. This data inventory should encompass both employee and commercial data. You may have data spread across multiple locations, e.g. in cloud storage, on laptops, on servers etc. 25th of May was just the start: ongoing compliance is about maintaining a level of record keeping including data transfers, data recipients, your legal basis for processing, subject access requests and retention periods.
What does this mean?
- The data controller determines the purpose for which data is processed.
- The data controller remains responsible for ensuring their processing complies with GDPR (whether they do it in-house or engage an external data processor).
- The data controller must conduct appropriate due diligence and be confident that any supplier they share data with is fully compliant with GDPR.
What you’ll be pleased to hear
Spatial Global has invested in adapting our processes to comply with the GDPR. Our customers have received a copy of our Data Processor Policy, which confirms our obligations within GDPR and the steps we take to ensure data is processed lawfully, fairly and in a transparent manner. You are welcome to visit our facilities and witness our data security processes first hand, but you can rest assured we keep your data secure and operate with care and diligence to ensure your interests are protected. Spatial Global only processes customer data in accordance with your instructions and within the GDPR.