You Need to Know This: An Overview to the New GDPR
by Ellis Friedman Fitch
In a time where data breaches are more common, business owners face the unique position of being concerned about their personal and business data as well as the data of their customers. Governments are taking notice, and the EU is introducing new measures to protect personal data.
The GDPR needs your immediate attention because it applies to businesses based in the UK and EEA states (the EU plus Norway, Iceland, and Liechtenstein) and businesses based anywhere who have customers or contacts in those countries. While there’s no getting around the fact that it will take a lot of time to get your business compliant, doing so will be a boon to your business in that you’ll both protect the data security of your contacts (helping you avoid potentially embarrassing and harmful data breaches) and avoid really hefty fines.
And if you feel overwhelmed, just know that we’re right there with you working hard to get compliant. Together, we can do it.
Here’s your overview to the GDPR and what Infusionsoft is doing to make sure our products will be compliant for you, your business, and your customers.
What is the GDPR?
GDPR stands for the General Data Protection Regulation of the European Union, and its goal is to protect the data privacy and security of all EU persons by setting a new data protection standard for businesses and governments.
I’m not based in the EU. Will the GDPR still apply to me?
It could. The GDPR applies to all companies worldwide that use or store the personal data of EU persons, regardless of whether the processing takes place in the EU, wherever the business itself may be located. The GDPR also applies to all businesses established in the EEA. Note that it applies to persons in EEA, they don’t have to be residents. So for example, a company targeting people going on vacation in Norway would be subject to the GDPR.
When will the GDPR go into effect?
The GDPR became effective in May 2016; the law will start being enforced on May 25, 2018, with no further grace period past that date.
What are the penalties for not complying with the GDPR?
The penalties are considerable. Organizations can be fined up to four percent of annual global turnover (revenues), or up to €20 million. There are tiers; for example, an organization that doesn’t have its records in order could be fined two percent of annual global turnover.
Will Infusionsoft comply with the GDPR?
Yes! Infusionsoft is dedicated to data protection and has been working diligently for months to ensure compliance. Infusionsoft is considered a data processor and will fall under the scope of the regulation, so we fully intend to comply with our GDPR obligations by May 25, 2018.
Since Infusionsoft will comply with the GDPR, does that mean my business will automatically comply with the GDPR?
No. Every organization regulated by the GDPR will need to evaluate its own obligations. Below are some of the obligations that businesses regulated by the GDPR must comply with.
What does the GDPR do, exactly?
Data security breaches are becoming more common and more devastating to individuals. The GDPR gives EU persons more rights and protections for their personal data. These include:
- The right to be informed: Companies must provide certain information, like a privacy notice, and emphasizes transparency over how companies use personal data.
- The right of access: Individuals will have the right to ask—and receive an answer—if an organization is processing their data. This information must be provided largely for free within one month of request.
- The right to rectification: If a person’s data is incorrect or incomplete, he or she has the right to have it corrected. If you have given third parties that person’s data, you must inform the third party of the correction, and tell the person which third parties have their personal data.
- The right to be forgotten: A person may request the removal of his or her personal data in specific circumstances, which are listed on this page.
- The right to restrict processing: Under certain circumstances, an individual can block the processing of his or her personal data.
- The right to data portability: A person can get their data for their own use anywhere they like.
- The right to object: A person can object to the use of their personal data for most purposes.
What is “personal data”?
According to Article 4 of the GDPR, personal data is “any information relating to an identified or identifiable natural person (‘data subject’); an identifiable natural person is one who can be identified, directly or indirectly, in particular by reference to an identifier such as a name, an identification number, location data, an online identifier to one or more factors specific to the physical, physiological, genetic, mental, economic, cultural or social identity of that natural person.”
Examples include but are not limited to a name, photo, email address, bank details, social media posts, medical information, or a computer IP address.
This already seems really complicated.
Yes, it is. And we’re right there with you working hard to comply. There will be more work for you to do to ensure the data security of your contacts, but it will also help protect their data, which is a great service to them and could help you avoid potentially embarrassing or harmful data breaches in the future. You can do this!
OK, so, the GDPR applies to data processors and controllers. What does that mean?
Data controllers are people or organizations that determine “the purposes and means of the processing of personal data.” Data processors are people or organizations that “process personal data on behalf of the controller.”
So, for example, if you collect any personal data of your customers in the EU, you are a controller. Infusionsoft, which stores that personal data of your customers, is the processor.
I’m a controller. What do I need to do?
You can see what Article 24 has to say about controllers, but before you jump into the confusing legal speak, here’s a synopsis: Controllers will need to take measures to make sure that the personal data they have is protected. This might include making sure someone is in charge of data protection, doing a data protection impact assessment and risk mitigation plan, and more (these suggestions are from the EU GDPR Knowledge base).
I’m a processor. What do I need to do? [Note: We don’t expect that many Infusionsoft customers are processors! Are you sure you aren’t a controller?]
You can read exactly what Article 28 has to say about processors. Here’s what it boils down to: Processors will have to meet the requirements of the regulation. This might include appointing a representative in the EU, maintaining records of processing activities, appointing a data protection officer, and regularly reviewing measures to ensure continual compliance.
These are the things Infusionsoft, as a processor, intends to do. To adequately maintain records of processing activities, Infusionsoft will ask our customers to notify us of their data protection officer or EU representative (this means that, if required, we will ask you to provide this information). We will also maintain a list of the high-level categories of processing operations we perform on our customers’ behalves.
Does the GDPR require that my email list be double opted-in?
Not necessarily. The GDPR is designed to be relevant for another twenty years or so; therefore it does not address specific technologies such as double opt-ins. However, double opt-ins are a good list hygiene practice, and using them may help you demonstrate that your list has consented to receiving your emails.
How will “they” know that I’ve complied?
You will have to demonstrate that you have complied, and the Information Commissioner of the United Kingdom lists a few ways to do that. These include maintaining documentation on processing activities, appointing a data protection officer, and creating and using data protection impact assessments. You can see the full list here.
Each EEA member state, including (for now) the UK, will individually enforce the GDPR, which leaves a lot of room for ambiguity. We will continue to update this post as any clarifying details are released.
Where can I get some help to figure this out?
All of the pages we’ve linked out to are great informational resources. You can also hire a data protection expert to help your organization ensure compliance.