Is your organization prepared for the Global Data Protection Regulation (GDPR)? This new E.U. legislation goes into effect on May 25, 2018. We recently hosted a webinar to detail what you need to know and how you can prepare*. Check out the most commonly asked questions below for a primer on how you and your organization can learn and prepare for the changes.
*Disclaimer: This information is not legal advice for your organization’s GDPR compliance. Rather, it is background information to help you better understand the GDPR legislation. This legal information is not the same as legal advice from a licensed attorney. We recommend you consult an attorney for official legal advice as it relates to your company’s GDPR compliance and application of the following information.
How GDPR Works
Question: What is the GDPR?
Answer: The Global Data Protection Regulation is legislation that replaces the European Union’s previous directive on general privacy guidelines. This new legislation aims to consolidate many different European directives and add consistency for email and email subscription regulations.
Q: When does it go into effect?
A: The official compliance date is May 25, 2018.
Q: Who does it affect?
A: GDPR affects any company using personal data from EU citizens, no matter where that company is based. According to some sources, this adds up to approximately 750 million people, 10 times more than the Canadian Anti-Spam Legislation, CASL.
Q: What is the difference between “personal” and “sensitive” data?
A: Personal data is “any information relating to an identified or identifiable natural person (‘data subject’); an identifiable natural person is one who can be identified, directly or indirectly, in particular by reference to an identifier such as a name, an identification number, location data, an online identifier or to one or more factors specific to the physical, physiological, genetic, mental, economic, cultural or social identity of that natural person.”
Sensitive personal data is data revealing racial or ethnic origin, political opinions, religious or philosophical beliefs, trade-union membership; data concerning health or sex life and sexual orientation; genetic data or biometric data.
These two labels are not treated separately for GDPR compliance purposes; both are used interchangeably and describe the same categories of personal data listed above (racial or ethnic origin, political opinions, religious or philosophical beliefs, trade-union membership, health or sex life and sexual orientation, and genetic or biometric data).
Q: Does Brexit mean GDPR won’t apply to the UK?
A: GDPR applies until the UK’s formal exit from the EU. After a formal exit, the UK will have to implement its own law, and the UK government has indicated it will implement a GDPR equivalent.
Q: How can we comply with the new regulations?
A: You can only send email to those EU citizens who have actively and specifically opted in to receive messages. This means it retroactively applies to any subscribers you did not originally gain permission from or have sufficient proof of permission. You must collect affirmative consent that is “freely given, specific, informed and unambiguous.”
GDPR also requires adequate information on how every recipient’s data will be used (i.e. records). If a recipient/subscriber requests their data from your company/organization, you must provide that information. Anyone has the right to confirm or access data that a company has on them.
Q: What documents should my organization prepare and make available for GDPR compliance?
A: Consider the following:
- Compile copies of privacy notices and consent forms, the data inventory and register of data processing activities, written policies and procedures, training materials, intra-company data transfer agreements, and vendor contracts
- If required, appoint a data protection officer and identify the appropriate EU supervisory authority
- Conduct periodic risk assessments
Q: Full compliance seems onerous for organizations with limited resources. My company is small. How aggressively will GDPR be enforced in the US and for smaller organizations?
A: The GDPR carves out an exemption from certain record-keeping activities based on company size, but companies are still required to comply with many or all of the regulations when processing EU data. Controllers and processors each have their own documentation obligations:
- If you have 250 or more employees, you must document all your processing activities.
- There is a limited exemption for small and medium-sized organizations. If you have fewer than 250 employees, you only need to document processing activities that are not occasional, that could result in a risk to the rights and freedoms of individuals, or that involve processing of special categories of data or criminal conviction and offense data.
Q: What are the penalties for non-compliance?
A: Non-compliance with GDPR can lead to fines up to 20 million Euros, or 4% of a brand’s total global annual turnover (whichever is higher).
Data Processors and Data Controllers
Q: Can you define Data Processor and Data Controller?
A: Article 4 in GDPR legislation defines data controllers and data processors as such:
- (7) ‘controller’ means the natural or legal person, public authority, agency or other body which, alone or jointly with others, determines the purposes and means of the processing of personal data; where the purposes and means of such processing are determined by Union or Member State law, the controller or the specific criteria for its nomination may be provided for by Union or Member State law;
- (8) ‘processor’ means a natural or legal person, public authority, agency or other body which processes personal data on behalf of the controller
Q: How do you know if your organization is a Processor or a Controller? Please give examples.
A: The EU’s GDPR web resources provide an example: “…if Acme Co. sells widgets to consumers and uses Email Automation Co. to email consumers on their behalf and track their engagement activity, then with regard to such email activity data, Acme Co. is the data controller, and Email Automation Co. is the data processor. This distinction is important for compliance.
Generally speaking, the GDPR treats the data controller as the principal party for responsibilities such as collecting consent, managing consent-revoking, enabling right to access, etc. A data subject who wishes to revoke consent for his or her personal data therefore will contact the data controller to initiate the request, even if such data lives on servers belonging to the data processor. The data controller, upon receiving this request, would then proceed to request the data processor remove the revoked data from their servers.”
Q: Are we subject to GDPR if our members or organization are not in the EU?
A: You are subject to GDPR if you collect personal and/or sensitive information and send communications to EU citizens.
Q: We only collect certain types of information on EU citizens (names, emails, phone numbers). Does GDPR still apply to us?
A: Yes, GDPR applies to any company/organization collecting personal and/or sensitive information on EU citizens. This includes information such as names, emails, and phone numbers.
Q: What constitutes “opted in” and can our current database be exempt from the new law?
A: You can only send email to those EU citizens who have actively and specifically opted in to receive messages. This means it retroactively applies to any subscribers you did not originally gain permission from or have sufficient proof of permission. You must collect affirmative consent that is “freely given, specific, informed and unambiguous.” If you have previously collected sufficient proof of permission, you do not need to gain permission from subscribers again.
Q: If our organization only collects email addresses and clearly provides an opt out button, do we comply?
A: An opt out button is not sufficient proof of permission and does not qualify as compliance.
Q: We have years of historical data regarding subscription lists. Are we required to reach out for new, active consent? Can we assume consent for long-term members and subscribers?
A: You cannot assume consent unless you previously gained permission from and have sufficient proof of permission.
Q: Can you request that your data be removed, rather than simply opt out?
A: Yes, an individual can request to both opt out and have their information removed.
GDPR and Higher Logic
Q: What is Higher Logic doing to prepare for GDPR?
A: As a vendor, Higher Logic is considered a data processor. This means we handle client data according to that client’s instructions. The products themselves are neither GDPR compliant nor non-compliant; compliance depends on how a client uses them. Higher Logic provides features so that you can implement the products in a way that fulfills your compliance obligations.
We invest a lot in our security infrastructure. We regularly do external security penetration tests, and we work with consultants and experts to ensure we have the right operational practices in place. We log data for analysis, verification, and tracking purposes to help ensure the applications are performing as intended. Finally, as a processor, if there is something problematic or amiss we will notify you and provide information you may need to communicate to end users.
Higher Logic recently achieved the TrustArc certification that confirms globally recognized privacy requirements, including Fair Information Practice Principles, OECD Privacy Guidelines, APEC Privacy Framework, and the EU-U.S. and Swiss-U.S. Privacy Shield Principles.
Q: Do we need to comply with GDPR if we use Higher Logic products?
A: GDPR applies to any company/organization collecting personal and/or sensitive data on EU citizens, no matter where that data is stored.