GDPR: The New Standard for Privacy
You might have heard of the mysterious new European law that is redefining the word privacy. Privacy is important to us here at @Assist, so we wanted to give you an overview of GDPR and how @Assist will be tackling these requirements for compliance. We also have a few suggested preparation steps for you too.
Please note: this article may be updated from time to time as we move towards compliance. Please revisit this article for updates. This article was last updated Feb 14, 2018.
GDPR is a European Union privacy regulation that is already in effect. It has become a more important talking point as enforcement of this regulation begins on May 25, 2018. GDPR is a broad regulation that applies to all organizations offering goods and services in Europe, whether the organization is located in Europe or not. That means any and all organizations interacting with European residents (including the UK) will be affected by this regulation and will need to comply.
@Assist is getting on board with regulation compliance by the May 25, 2018 deadline. As an @Assist customer, it's important you understand how GDPR affects you and your use of @Assist's products and services.
Please note, here at @Assist, we're digital wizards but we're NOT legal counsel. This blog post is meant for informational purposes only, not as legal advice. We encourage you to consult legal and other professional counsel to fully understand how GDPR applies to your organization and/or business activities.
What is GDPR?
The General Data Protection Regulation ("GDPR") is an EU privacy regulation that intends to strengthen and harmonize EU data protection laws and enhance individuals' rights to their personal data. GDPR expands the scope of what is considered personal data and imposes additional obligations on data controllers and processors intended to strengthen protections for personal data of EU residents and help them control and manage what happens to this data.
Who does GDPR apply to?
Technically, GDPR only applies to companies that collect or process EU residents' personal data. BUT because the world wide web is freely accessible, GDPR rules are best followed by everyone. It doesn't matter what industries you work in, whether you're a B2B or B2C business, whether you're a for profit or not-for-profit/non-profit, whether you're based in the EU or not, or whether you're specifically targeting EU customers or not. If it's possible for your company to collect personal data from an EU resident, even unintentionally, you'll need to comply, and so it's important you familiarize yourself with the rules of GDPR.
When will I need to comply with GDPR?
The deadline for GDPR compliance is May 25, 2018. That date seems far off now, but we recommend getting clarity and familiarity with GDPR now so you know what changes to make and can plan to do so in time.
What does GDPR mean for companies?
GDPR gives expansive protections for the personal data of EU residents. There are new privacy rights, stricter consent requirements, and more transparency required regarding how data is used and processed after it's collected. Meaning, you've likely got some work to do. The good news? This will help you cover your bases in the long run with general consent and privacy protection for ALL of your web visitors as long as you implement these changes effectively and revisit how your company handles personal information online and offline.
Rights of data subjects (aka EU residents)
GDPR creates some new privacy protections for EU residents:
Right to Rectification – EU residents can ask that their information be updated or corrected.
Right to be Forgotten – EU residents can ask that their information be permanently deleted.
Right of Portability – EU residents can ask to have their information exported so it can be transferred to another organization.
Right to Object – EU residents may seek to prohibit certain uses of their personal data.
Right of Access – EU residents have the right to know what personal data has been collected about them and how it's being used.
The stricter stuff (consent requirements)
GDPR requires that an individual give informed, affirmative consent for each way their personal data will be collected, used, and processed. So this means: opt-in, opt-in, opt-in! You'll need extra statements on your forms AND websites that details exactly how the information will be used with empty check boxes that require a click to consent. You cannot collect, use, or process personal data for one purpose and then also use that data for another purpose. So, if you'd like to diversify your use of the info, such as receive your ebook AND occasional updates and offers, you'll either need to get consent again for the additional type of use, or include that use in your original consent request. Pre-checked boxes, assumed consent, and inactivity does NOT count as consent.
These consent requirements also apply to any currently existing personal data you have of EU residents. If you have already obtained consent from an EU resident as will be required by the GDPR, you don't need to obtain consent again. If, however, the previous consent does not meet the new GDPR standards, you will need to obtain new and sufficient consent. This could mean a little leg work on your part, but it has to be done.
Transparency in data processing
You must give EU residents the following transparent information about the processing of their personal data:
• Specific purpose for collecting the data
• How long the data will be retained
• Other details (refer to the full GDPR regulation)
Note, that this is not a comprehensive summary of all the changes GDPR brings. For more information on the key changes coming with GDPR, you can read the full text of the regulation here.
What happens if I don't comply?
You will definitely want to be in compliance ahead of the May 25, 2018 deadline. Non-compliance can lead to fines up to 4% of annual global turnover or €20 Million (whichever is greater). But fines or no fines, the time and effort involved in dealing with the aftermath of a data breach and a security audit could be debilitating to your business. Take the steps for compliance now.
What is @Assist Doing?
@Assist will comply with GDPR by the May 25, 2018 deadline and make the majority of the updates available for all of our customers regardless of their country of residence.
As a customer of @Assist, GDPR grants you expanded privacy protections and rights. We will be prepared to comply with these regulations and handle requests from you so that you are also in compliance.
Right to be Forgotten – You may cancel and terminate your @Assist account at any time. After receiving a request to be forgotten, we will permanently delete your account and all data associated with it within 30 days of receiving the request.
Right of Portability – You may export your data in various formats so it can be transferred to a third party.
Right to Object – At any time, you may object (via unsubscription/opt-out) to your personal data being used for specific purposes such as direct marketing.
How @Assist will help you comply with GDPR requests from your customers and residents
GDPR expands privacy protections and rights to your customers and residents. @Assist aims to help you comply with requests you receive from your customers and residents.
Right of Rectification – You can always update your customer and resident's information. Your customers and residents can also change their information via the customer and resident portals. They may also reach out to @Assist directly and we'll correct or delete that information for them.
Right to be Forgotten – If you receive a request to be forgotten, you're able to delete a customer or resident, which permanently removes the information from your account. If your customer or resident reaches out to us directly with a valid request, we'll notify you about the request and delete the customer or resident's data from your account, or across all @Assist accounts, if requested, in order to comply with GDPR.
Right of Portability – If your customer or resident requests their personal data, you will be able to export their data as a .csv file, which we will make available to you via a secure connection.
Right to Object – If your customer would no longer like to receive communication from you, they will be able to do so via an unsubscription link.
How You Can Prepare
Require Opt-In confirmation
To make sure you're following the informed, affirmative consent requirement, we suggest using double opt-in forms or offline consent forms with clear verbiage to add your customer or resident's email addresses and other contact information to @Assist and send them messages.
GDPR requires that you make it as easy to opt out as it is to opt in. Communication you send from @Assist will include an unsubscribe link (email) or link to an information page where unsubscription is possible (SMS).
Edit and delete customers and residents
The right to rectification applies here. This means that a customer or resident can request to have his or her information updated and corrected. He or she can also request to have personal information deleted. We make it easy for you to find a specific customer or resident and update their information. If they have access to the customer and resident portals, they can also update their own information. We will implement a feature to allow them to request to be completely removed.
Export individual customers and residents
Right to portability and right of access requests both require you to be able to export data belonging to a particular customer or resident. @Assist will be implementing features to make this possible for you via your account, as well as via the customer and resident portals.
Add an affirmative consent and usage statement to your opt-in forms
Per GDPR guidelines, you have to tell individuals specifically how their information will be used. You also have to get their consent for said use. We suggest you make how you'll use collected personal data explicitly clear on your opt-in consent forms. We recommend getting the counsel of a qualified legal professional, as we cannot provide the verbiage you should include. Remember, verbiage depends entirely on how you plan to, or are already using an individual's data.
Delete non-essential information
Because GDPR is meant to protect the privacy of EU residents, that also means minimizing data risk. So, deleting personal data that you no longer need is an obvious requirement. Delete inactive properties, residents, users, files, clients and projects in your @Assist account. If you aren't using the data, delete it.
Document your data-handling processes
If you collect and handle private information, understanding the journey and process of that data is especially important. GDPR requires that you keep this log up to date and train others in your company on the safe handling of this data as well.
Seek qualified legal advice
Because you're an @Assist customer, we care about helping you prepare for GDPR compliance. BUT GDPR regulations are expansive, which means they likely affect other parts of your business too. We strongly recommend that you consult a qualified legal professional to understand and prepare to full comply with GDPR as a business.
While the EU is the first to enact strict regulations on privacy, it isn't the first company to take action. Canada also has begun prosecuting companies based on complaints made by its citizens for failing to follow Canada's anti-spam regulation as of July 2017. It's best to get compliant now as other countries come on board.
Are you working to become GDPR compliant? What are some of the challenges you have been facing getting there? We welcome your questions and comments below.