General Data Protection Regulation.
On May 25, 2018, a European privacy regulation called The General Data Protection Regulation (GDPR) came into effect. It provides EU citizens with greater control over their personal data and assurances that their information is being securely protected. The GDPR is the EU’s way of giving individuals more power over their data and less power to the organizations that collect and use such data for monetary gain.
This applies only to music groups in the EU (UK groups, see Brexit question below).
According to the GDPR directive, personal data is any information related to a person such as a name, a photo, an email address, bank details, updates on social networking websites, location details, medical information, or a computer IP address.
GDPR defines 3 roles:
GDPR has 2 main objectives:
Muzodo data is securely handled and stored in Europe on our servers in Germany.
GDPR includes the concept of "privacy by design". Organisations must review their processes to ensure all data handling aspects are compliant. Muzodo was built from the ground up with security in mind.
There are tough penalties for those companies and organizations who don’t comply with GDPR fines of up to 4% of annual global revenue or 20 million Euros, whichever is greater.
It is uncertain at this point if the UK will retain the GDPR post-Brexit. The UK Government has indicated it will implement an equivalent or alternative legal mechanisms. The expectation is that any such legislation will largely follow the GDPR, given the support previously provided to the GDPR by the ICO and UK Government as an effective privacy standard.
Music group administrators are the "data controllers" and have the obligation to ensure their members' data is collected and processed in a manner consistent with the GDPR regulation. They must ensure the systems (processors), whether formal systems, or storing member data on their computers, that they comply with the regulation.
No. DPOs must be appointed in the case of: (a) public authorities, (b) organizations that engage in large scale systematic monitoring, or (c) organizations that engage in large scale processing of sensitive personal data (Art. 37). If your organization doesn’t fall into one of these categories, then you do not need to appoint a DPO.