GDPR and Epsilon: Our Preparation Efforts

Epsilon supports the principle of GDPR – to strengthen and unify data protection for all individuals in the EU.

GDPR: What, when and why?

On May 25, 2018, the General Data Protection Regulation (GDPR) is going into enforcement. GDPR replaces the existing data protection law in the EU called the EU Data Protection Directive. GDPR is a regulation that intends to give control back to European Union citizens and residents over their personal data and to simplify the environment for international business.

GDPR will significantly affect organisations worldwide that collect and/or process personal data of individuals working, visiting or residing in the EU. Specifically, the regulation impacts how companies collect, process, retain and delete personal data. For instance, there are new, enumerated obligations around breach notification and “accountability.”

How Epsilon is continuing to prepare

Epsilon has been working hard to prepare for GDPR, and will continue to do so as additional guidance is released.

Epsilon has created teams of associates from cross-functional business lines to manage our GDPR preparation. These team members include technologists, engineers, security professionals and the legal team. These teams are working together to review our services and technology platforms to help safeguard both Epsilon and its clients.

In particular, Epsilon has:

• Provided regular education and updates to senior executives about GDPR obligations;
• Delivered and will continue to provide training to associates around the enumerated obligations of GDPR;
• Brought its data inventory and mapping process up-to-date, including revising its data classification standards, per the refined definitions of Personal Data in the GDPR;
• Continued to ensure it has a lawful basis to collect, use and store data, as enumerated by GDPR;
• Created, and will continue to update, its GDPR remediation and implementation plans by solidifying its internal privacy network and appointing privacy “champions” in each business practice;
• Been building tools and processes that meet GDPR's data subject right requirements, including data access requirements;
• Continued to review and update security procedures and policies to determine what, if any, additional procedures or policies it will need to revise or implement to ensure its compliance;
• Commenced revising agreements with clients and vendors to reflect contractual requirements set forth in GDPR.

Epsilon continues to monitor and study the additional guidance documents released by local Data Protection Authorities and the Article 29 Working Party to better understand its obligations. Epsilon is also leading industry efforts around comprehending how GDPR applies to its businesses. Working closely with industry groups, such as the Direct Marketing Association in the UK, Epsilon is helping to shape and create guidance materials to present to the local Data Protection Authorities and Industry as a whole that will help address existing open questions around certain GDPR requirements. Epsilon is also an active member of the Data Protection Network (DPN), an organisation that provides expert opinions on data protection.

DPN has provided the valuable Guidance on Legitimate Interests under GDPR.

Epsilon urges its clients, partners, and vendors to review and understand their responsibilities under GDPR, as compliance is a collective responsibility. This includes changes around obtaining data subjects’ consent and enhanced data subject access rights.

Further resources:

Information Commissioner’s Office (ICO UK Data Protection Authority)

Overview of the General Data Protection Regulation (GDPR)

Preparing for the General Data Protection Regulation (GDPR) 12 steps to take now

Guidance: what to expect and when

Data Protection Network

Legitimately using Legitimate Interests – new guidance