Q&A: All the GDPR Answers You Need
On May 25, the EU’s General Data Protection Regulation (GDPR) will go into full effect. This will affect businesses not only in the EU but worldwide. There are a lot of questions and concerns surrounding the regulation, so we’re here to answer them. The following is a Q&A from a Partner webinar featuring Matt Joseph from VeraSafe.
How does the GDPR apply to social media?
Answer: The GDPR applies to personal data processed for the purposes of social media marketing campaigns, communication with customers via social media, and using Facebook tracking pixels and similar technologies. However, the specific impact depends on the manner that the social media are used. Social media isn’t specifically discussed in the GDPR, so there are no aspects of the GDPR that are unique to social media or social media marketing.
Related to Article 6: What if you're tracking activity on a site (page views, link clicks, etc.) but not storing any contact info (PII as we've called it before). Does the GDPR still apply? For example, an application that sets a Facebook tracking pixel cookie (used for retargeting ads) from clicking on a link in a social media post. The application would not ever collect or store info like first, last, email etc.
Answer: In Europe, the usage of tracking pixels and similar tracking technologies is regulated by the ePrivacy Directive, which is expected to be replaced by the new ePrivacy Regulation. The new ePrivacy Regulation is currently being negotiated and written by the various institutions of the European Union.
The final text of the ePrivacy Regulation is not available yet, but the current version doesn’t require processors to obtain consent for non-privacy intrusive cookies. This includes: storing of cookies for the duration of a single established session on a website to keep track of the end-users input when filling in online forms over several pages, in measuring web traffic to a website, or similar uses.
Therefore, the new ePrivacy Regulation, as a law that specifically covers the processing of personal data in the field of electronic communications, prevails over the GDPR in case of a conflict between the two laws.
Ultimately, this question can only be answered after the ePrivacy Regulation is adopted by the EU.
Does the GDPR apply only if a customer buys something from a website?
Answer: If you are offering services to a data subject in Europe, they do not necessarily need to buy something from you, in order for the GDPR to apply. That said, when you go out of your way to offer goods or services to the people in the EU, the GDPR likely applies to you.
Article 6(1)(b) of the GDPR says that certain data processing activities are lawful if such processing activities are required for the performance of a contract. What if the offered services are free of charge (e.g. regular emailing cat photos to your subscribed customers without requiring them to pay)? Do we have a contract and can this be considered as a legal basis for lawful processing of personal data?
**Answer: **Depending on the business model, this can be a valid approach. Please note that the use of pre-ticked opt-in boxes is not valid under the GDPR. Silence or inactivity on the part of the data subject, as well as merely using a service (without first ticking a box to indicate agreement) don’t count as “consent”.
In the CRM, we need to indicate which legal ground (basis) is used for handling customers’ data (e.g. consent, contractual necessity, or legitimate interests). Where can we find a more elaborate definition of each of these grounds?
Answer: The categories or basis of processing are the following: a) consent of the data subject; b) processing is necessary for the performance of a contract to which the data subject is party, or in order to take steps at the request of the data subject prior to entering into a contract; c) processing is necessary for compliance with a legal obligation to which the controller is subject; d) processing is necessary in order to protect the vital interests of the data subject or of another natural person; e) processing is necessary for the performance of a task carried out in the public interest or in the exercise of official authority vested in the controller; f) processing is necessary for the purposes of the legitimate interests pursued by the controller or by a third party, except where such interests are overridden by the interests or fundamental rights and freedoms of the data subject which require protection of personal data, in particular where the data subject is a child.
Check out this blog post for more info.
If a CRM record has no “basis of processing”, will the system automatically start anonymization? What if they are a non-EU record? If they are a US record, will the system leave them in?
Answer: This behavior will be customizable by users of the application.
What are the tax audit implications, if the personal information in a CRM record becomes gibberish (anonymized)?
**Answer: **This may vary from one jurisdiction to another. However, the fields to be anonymized will be configurable and customizable. Check with your accountant about which fields you can’t anonymize.
Concerning the data anonymization feature, how will it be implemented?
**Answer: **This feature is still in the planning phase, but our aim is to enable each user to customize which fields to include in this “anonymization” overwrite. For example, let’s say you use custom fields to collect some personally identifying data, and some custom fields to store non-personally identifying data – you could configure this tool based on where your personally identifying data lies, and only anonymize the data that you deem to be personally identifying in your situation.
I am building a membership site using Infusionsoft/Memberium/LearnDash/Social Learner and will be offering a FREE basic membership level. If I ask new members to accept my terms and conditions before I grant access to the content as part of the onboarding process, does that constitute a 'contract' and, therefore, satisfy Article 6? Obviously, I will want to upsell them with paid products, so if I send them marketing emails from the membership site/app does that comply with the GDPR rules?
Answer: Yes. But that “contract” strategy will only enable you to use the personal data which you strictly need in order to perform your obligations under that contract.
If you collect other types of personal data, other than what’s strictly necessary to honor the customer’s contract, then you could consider consent as an alternative valid basis of processing. Upselling them on paid products also wouldn’t be strictly necessary for you to perform your obligations under the contract, so perhaps processing on the basis of consent, or on the basis of your legitimate interests would be more appropriate in that situation.
What categories of data fall within the definition of sensitive personal data under the GDPR? Are birthdates or credit card details seen as “sensitive personal data” by the GDPR rules?
**Answer: **According to Article 9 of the GDPR, special categories of data or “sensitive personal data” are defined as: personal data revealing racial or ethnic origin, political opinions, religious or philosophical beliefs, or trade union membership, and the processing of genetic data, biometric data for the purpose of uniquely identifying a natural person, data concerning health or data concerning a natural person's sex life or sexual orientation.
If I am marketing to people in the EU, do I need to have an EU Representative? ** Answer:** Yes. If you are offering goods and services to people in the EU, for free or for a fee, and thus processing their data, in most cases, you will need to appoint an EU representative, as required by Article 27 of the GDPR. For example, Infusionsoft’s GDPR Article 27 representative in Europe is VeraSafe Ireland Ltd.
What about after Brexit? Presumably, a Data Protection Officer in England wouldn't be an EU Representative.
**Answer: **Correct. Post-Brexit, a representative located in the United Kingdom could no longer lawfully be considered a representative in the EU, within the meaning of Article 27 of the GDPR.
With that being said, it’s important to remember the United Kingdom will remain a Member State of the EU until the date of its formal withdrawal on March 29, 2019. From May 25, 2018, until March 29, 2019, the GDPR will have full force and effect in the UK. During this period, UK-based organizations don’t need to appoint a representative in the EU.
If my client is not a GDPR compliant business, do I, as a partner, have any legal issues when I work with them and upload contacts into Infusionsoft?
Answer: It depends. The answer to this question may vary depending upon the particular roles that you and your client play with regard to the personal data transferred and processed. There are different requirements and obligations depending upon whether you are a data processor or a data controller. In general, while the risk inherent in merely receiving European personal data from a client that is not GDPR-compliant may be minimal, the risk associated with transferring European personal data back to that client in any way (such as by replying to an email or sending information from Infusionsoft) may be quite high. Both processors and controllers have strict obligations to ensure that organizations to which they transfer personal data can meet the data protection standards of the GDPR. Consider seeking professional advice, before committing to any business relationship that might involve the transfer of personal data regulated by the GDPR.
During the webinar, you mentioned that some useful resources for GDPR compliance are available online. Where can we get links to such resources?
Answer: We’re planning to release a blog post to address this holistically. Check the Infusionsoft blog for updates.
Apart from all the high-level stuff, can we get some guidance regarding the "basics" of best practices e.g. checkboxes in forms: required or "nice to have"? double opt-in: required or "nice to have"
Answer: While the temptation to seek out easily digestible “Do’s and Don’t’s” is understandable, the GDPR is a highly complex piece of legislation, the application of which is highly dependent upon the facts of the particular personal data processing in question. For instance, while it is true that the GDPR makes clear that a pre-ticked box in a web form is no longer sufficient to constitute unambiguous consent, consent is not by any means a prerequisite to processing personal data under the GDPR. There are numerous lawful bases of processing available to you, each of which should be considered on its own merits and analyzed in the context of a particular set of facts.
Infusionsoft will provide additional guidance and self-help resources, including a blog post on the top 10 operational impacts of the GDPR, and a blog post introducing free GDPR tools that you can use in your own compliance initiative.
Does the GDPR require an additional checkbox to be able to lawfully process personal data? Or will a sentence such as "enter your information for us to email you XYZ Pdf" be sufficient?
Answer: See above. If you are processing personal data on the basis of the data subject’s consent, you will need to include a mechanism to collect that consent, which could include an unticked checkbox which the data subject can tick to consent to the processing of his or her data. If you can consider this type of arrangement as a “contract” between you and the individual who requested the “something,” then you may be able to skip the checkbox altogether, and base your processing on the need to perform your obligations under this “contract”.
Presumably, the right to be forgotten is the right to ask for your details to be removed from someone's database?
Answer: Exactly. Article 17 of the GDPR sets out the data subject’s right to have his or her data erased (also known as the “right to be forgotten”) when certain (broad) grounds apply, such as (without limitation) when the personal data are no longer necessary for the purposes of processing, where consent, as the sole basis of processing, has been withdrawn, or where the data subject has objected to the processing of his or her personal data and you have no “compelling legitimate grounds” to continue the processing. It’s important to note how broadly this right applies: in practice, there will be few circumstances where the GDPR will not require the deletion of data at the data subject’s request.
Currently, if I delete a contact, and the email address later returns to the system, it then re-attaches the entire email history of the contact—does this not cause a right to be forgotten issue?
Answer: Possibly. The right to be forgotten requires that personal data be deleted at a data subject’s request, including backups. If a data subject requests deletion of all his or her personal data, a GDPR-compliant controller is required to honor that request. As of this date in March 2018, Infusionsoft is working on solutions to ensure that if an individual asks “to be forgotten” that you can block that individual from being re-created or re-imported into your CRM.
Is an email with credit card information from an EU individual considered personal data that needs to be protected when residing on an email server?
Answer: Yes. The GDPR defines personal data as “any information relating to an identified or identifiable natural person (‘data subject’); an identifiable natural person is one who can be identified, directly or indirectly, in particular, by reference to an identifier such as a name, an identification number, location data, an online identifier or to one or more factors specific to the physical, physiological, genetic, mental, economic, cultural or social identity of that natural person.” An email containing credit card info from an EU resident, then, likely contains several pieces of personal data: the individual’s first and last name, the credit card number, and the email address itself would all be considered personal data under the GDPR.
In terms of vendors, how does this apply to third-party integrations with Infusionsoft? If Infusionsoft is GDPR compliant but I use a third-party software (i.e. Zapier, Parsey, or anything else) that 3rd party technically has access to the contact record information.
Answer: Infusionsoft’s API is a powerful tool that you can use to connect with many other popular business applications. When you configure your Infusionsoft service to connect with those third-party apps, you should ensure that those vendors are also GDPR compliant and that your relationship with that vendor meets the requirements laid out in Article 28 of the GDPR. For example, the service agreement in place between your company and the third-party service provider should impose various obligations on that service provider, such as a requirement to use the personal data only upon your instructions, and to notify you of any data breaches.
Learn more about GDPR and how it may affect you as an Infusionsoft user. All posts on GDPR are meant to be informational only and should not be used as legal advice.
Subscribe to our newsletter
Fresh small business insights and ideas delivered weekly to your inbox, gratis.