Guide to GDPR Compliance and Implementation
The GDPR is an assertive set of rules intended to protect the personal information of internet users from unauthorized use, and also to ensure that their privacy is protected against intrusive solicitation by businesses. The law is being looked upon with great appreciation by authorities all over the world and will redefine standards of compliance and rights. The Aritic team is working actively to prepare for the upcoming enforcement of the law in May 2018, and we intend that our customers are able to do the same.
This comprehensive, detailed guide may come in handy for businesses that need to stay compliant and also for individuals who need to know their rights. Aritic offers several services related to the collection and sharing of details as and when a campaign may require. This guide highlights all the relevant changes the law has brought about in the definitions and responsibilities of the parties involved in all the processes related to personal data. It cannot, however, be a substitute for legal or professional consultation explaining how the GDPR applies to your organization.
What is the GDPR?
The General Data Protection Regulation is a European data privacy law approved by the European Commission in 2016. It will be effective from May 2018 and will cover all kinds of data collection practices by individuals and businesses. The GDPR is also a binding act, a regulation, as compared to the directive nature of the prior law. This means that it must be followed entirely throughout all the member states of the EU. The GDPR strengthens, harmonizes, and standardizes EU data protection law in line with modern data collection practices. Aritic, as a responsible processor, considers this law to be a significant measure taken by the EU to ensure the safety of individual data.
The law also enhances individuals' rights, their ability to control their data, and their freedoms, in line with the European understanding that privacy is a fundamental human right. The GDPR regulates how businesses and individuals obtain, store, process, use and finally dispose of personal data. If successful in the EU, it is expected to have a significant impact on business and commerce all over the world.
The number of internet users is increasing every day, with more and more locations on the planet being added to the coverage of the World Wide Web, and this means an ever-increasing quantity of personal data being exchanged. The GDPR may benefit both businesses and individuals, though the responsibility for the significant part of the effort lies with businesses.
Since the major victim of data misuse is the customer, who faces the brunt of it, the GDPR has brought a surge of confidence among the customers of online platforms.
Personal data in particular is a valuable resource, and hence is prone to misuse and unauthorized usage.
Users have been demanding that the handling of their personal information be regulated in line with modern technology, and to fulfill this demand the regulatory authorities have been coming up with newer ways to protect the interests of EU citizens.
One of the most significant and massive of these efforts is the introduction of the GDPR. It will cover all the major points of data exchange, ensuring that the interests of EU citizens are safeguarded and that individuals feel more confident and safe while doing online business with organizations in all member states.
If it is able to bring the desired change in the EU in terms of data protection and customer confidence, it is expected that other countries may regulate their own markets like the EU as well. There has been a need for the regulation of data processing to be updated according to changes in technology.
The archaic regulation currently being enforced in the EU hardly covers any of the modern channels of data exchange, and this lack of robustness exposes users to dangerous vulnerabilities.
From when will GDPR be effective?
The EU adopted the regulation in April 2016, and it will officially be enforced from May 25, 2018. There is no “grace period,” so it is recommended that organizations that may be impacted by the GDPR are prepared for it beforehand.
Who does the GDPR affect?
The GDPR has a comprehensive scope. It will affect all organizations which are established in the EU or run operations in the EU, and organizations that are involved in processing the personal data of EU citizens.
This means that even if an organization does not operate in the EU, it can be prosecuted under this regulation if it deals with the data of EU citizens.
What is meant by “personal data”?
Per the definitions standardized by the GDPR, personal data is anything that can identify an individual. Compared to the earlier definitions, the GDPR modernizes the understanding of identity and data in line with modern technology. Under the purview of the GDPR, any data that in any way identifies an individual is considered personal data. This means that other than names, addresses, contact details, etc., which were earlier considered personal data, with the advent of the GDPR, data collected by internet agencies such as behavioral data, location, IP addresses, biometric and financial details, etc., will all be protected. These categories are in line with the general information Aritic PinPoint users collect, and any information in any of these categories will fall within the purview of the GDPR.
Even more sensitive information, such as health information, ethnic and racial details, sexual preferences, religious beliefs, etc., requires a lot more care, and it is strictly advised that such information is not stored in your Aritic PinPoint account.
What is the “Processing of Data”?
To add further value to the security measures based on the definition of data, the GDPR ensures that the handling of the data is also regulated from all angles. “Processing of data” is a broad term incorporated in the law with this very objective.
Processing means any operation or set of operations, automated or manual, performed on personal data. This definition includes but is not limited to collection, storage, changing, retrieval, revealing, sharing, transmitting, modifying, capturing, sending through electronic means, organizing, using for any kind of business or personal purpose, recording, managing, etc.
In simpler terms, any organization, individual or group of individuals, irrespective of their intentions, who deals with the personal data of EU citizens falls under the purview of the GDPR and is advised to be careful with the processing of that data, in line with the regulation.
Is the GDPR a regulation or a directive?
In the EU, Regulations are binding legal standards that are applicable throughout every Member State. They come into force on set dates, simultaneously throughout the union. Directives, on the other hand, only lay down a certain result that is advised or expected to be achieved. Directives, however, are not binding, and each Member State can individually choose how to transpose them into its national laws. The GDPR retains several principles of the previous directive on personal data protection, and it also introduces many essential, promising and ambitious changes.
What has changed with the GDPR?
Mostly the definitions, and with them the scope of the implications as well. This expanded scope should encourage more individuals and organizations to be more careful with how they handle personal data obtained from the EU. With the introduction of the concept of extraterritoriality, the GDPR involves organizations both within and outside the EU. Anyone dealing with the data of EU citizens falls within the purview of the GDPR. The following is a comprehensive list of the changes the GDPR intends to bring.
1. The expansion of the scope of terms: As mentioned earlier, the GDPR will apply to all organizations which are established in the EU. Further, by introducing the concept of extraterritoriality, the GDPR broadens the scope of EU data protection law well beyond its geographical borders. It thus ensures that any organization dealing with or processing the data of EU citizens, irrespective of its physical location in the world, falls under the influence of the GDPR.
2. The expansion of the definitions of “personal data” and “sensitive data” also ensures that there are no loopholes in the law, unlike the previous directive, which did not include information relevant to the modern technology platforms where such information is exchanged.
3. The expansion of definitions and additions to the list of individual rights:
Not only does the GDPR maintain the rights of EU citizens as defined by the previous directive, it also adds a few critical and relevant rights to that list.
The GDPR gives EU citizens several critical new rights, including the highly relevant right to be forgotten, the right to object, and the right to rectification, as well as the right of access and the right of portability. The GDPR requires, and robustly enforces, compliance with these concepts. The law places upon organizations dealing with the personal data of EU citizens the responsibility to ensure that these rights are protected in every interaction they have with the individuals concerned.
- The right of an individual to be forgotten: Under this right, any individual is empowered to demand that an organization completely delete all of their personal data, without excuses and without undue delay.
- The right of an individual to object: This right substantiates an individual’s objection to the use of certain data.
- The right of an individual to rectification: An EU citizen can demand that incomplete or outdated data is completed, or that any errors in the data are corrected.
- The right of an individual to access: EU citizens are given the right to know exactly what data about them has been processed and how.
- The right of an individual to portability: EU citizens can demand that the personal data which an organization holds is transported to another organization.
4. Much stricter requirements for consent: This is a fundamental aspect of the GDPR, and organizations are required to ensure that the consent of an individual has been obtained in ethical ways. The securing of approval must be in line with the GDPR’s robust new requirements. Organizations will be required to obtain consent from their subscribers, leads or contacts before any part of their data can be put to use. The requirement is designed to ensure that there is no ambiguity about the organization’s intentions towards the individual whose data is in question. In other words, the requirements for consent in the GDPR are much clearer than they were in the previous directive. A quick list of the specifications follows.
- The consent given by the individual must be specific to distinct purposes.
- Ambiguity, silence, pre-ticked boxes or inactivity (a failure to cancel) on the part of the customer is not defined as consent. Further, individuals must explicitly and actively opt in to the use, processing, management and storage of their personal data.
- Separate and specific permission needs to be obtained for each individually specified processing activity, which means organizations need to be specific about how the individual’s data is going to be used when consent is being obtained.
5. Much clearer and more robust processing requirements: The GDPR further gives individuals the right to receive “fair and transparent” details and information regarding how their personal data will be used. This includes:
- All relevant details of the data controller, including contact details, must be readily available to the individual.
- The intended purpose of the data must also be made clear to the individual.
- The period of retention of the data: Data should not be kept for undue lengths of time and must be deleted as soon as feasible.
- The legal basis of the processing: Personal data must be processed with a legal purpose that substantiates the processing.
What does the GDPR have to say about data transfers done across borders?
The GDPR does address data transfers from an EU member country to a third country, just as the directive did. Further, like the directive, the GDPR does not outright prohibit such transfers across borders, nor does it demand that the data is stored only in EU nations; it only requires that some basic conditions are met before data can safely be transferred outside of the EU.
The GDPR identifies certain legal grounds on the basis of which a cross-border data transfer becomes compliant.
For Aritic’s EU customers these requisites should not change anything, as Aritic’s Privacy Shield certification is already in line with them.
To whom does the GDPR apply?
It is advisable to consult a legal professional to gain an understanding of one’s compliance requirements. But to put it simply, the GDPR should apply to anyone (organization or individual) dealing with the data of EU citizens. Even if the processing of the data is as minimal as storage, say of email addresses, if these addresses belong to EU citizens then that individual will need to comply with the GDPR.
What are the consequences of non-compliance?
The GDPR is not a directive and hence, as a regulation, cannot be opted out of. The idea behind the GDPR is to regulate companies that may so far have taken undue advantage of customers’ data and kept the customers in the dark. Failure to adhere to it can result in massive penalties, including a fine of up to 4% of an organization’s total global annual turnover, subject to a minimum of 20 million Euros.
How does the GDPR affect the controller and the processor?
Controllers and processors of data have different obligations and accountability. The GDPR has not really changed the definitions of processor and controller for any practical purpose, as it has for other aspects of the directive, but it has redefined and standardized the accountability of both. The organization that actually collects the data and decides precisely why it is being collected is called the controller, and the organization that processes the received data for the controller is called the processor. The GDPR has expanded the accountability and responsibilities of both.
Aritic and Aritic PinPoint’s application and other services, therefore, will mostly fall into the processor category, and naturally, in all such cases, the customer will be the controller.
Controllers are still responsible for the first stage of data protection. But since the advent of the GDPR, processors are also held accountable for some additional work. Aritic intends to be a responsible processor and shares all the essential instructions our controllers need to stay compliant.
How do Aritic and Aritic PinPoint comply with the GDPR?
Aritic has been preparing for the day the GDPR comes into force for almost a year now, and we as a team appreciate the law as a robust tool that will bring important principles of ethical treatment of data, security, and privacy. Our understanding and preparation have left us more than ready to achieve compliance with the GDPR by May 25, 2018, the day it is scheduled to be enforced.
We have understood and accommodated all of the regulation, the expanded individual rights of EU citizens, and our responsibilities as data controllers.
- Aritic and its products are also self-certified under the EU-US and Swiss-US Privacy Shield regimes.
- How Aritic and its products affect your efforts to achieve GDPR compliance.
- Aritic can help you become compliant even if you have not started your GDPR compliance efforts yet. It is, in fact, advisable that you start your efforts as soon as possible, and Aritic can certainly help in many ways for you to achieve your goal. Our platform now includes facilities so that you can respond to individuals’ requests in line with their newly expanded rights, such as the ability to delete individual subscribers in direct response to requests received from them. Aritic PinPoint has added several new functionalities since the GDPR was proposed.
Newer, more expansive rights of individuals
The right of the individual to be forgotten: Contacts can get in touch with us directly to request the deletion of their data, or you can enable the GDPR preference center option to manage your subscribers’ preferences. Remember, however, that our segments work independently, and if data is removed from one segment, that does not ensure it is removed from the other segments as well.
The right of the individual to object: Aritic PinPoint allows you to easily opt a contact out of inclusion. Just change the settings in the contact preferences. Detailed information on this process is available in the “Contact Preference” article.
The right of the individual to access: Your Aritic PinPoint account allows you to export segments or specific details within a list at any time.
Stricter requirements for consent and processing: As the controller, the data that you collect must have been lawfully obtained before it comes to your Aritic PinPoint account. Recording of this consent is available during the import of your contacts and while bringing contacts into Aritic PinPoint through the API.
- On-site pop-ups, bars and embedded forms can be used to collect personal data from your users and transfer it to Aritic PinPoint easily and in compliance with the GDPR. The tools are easy to use, in line with the GDPR requirements, and are readily available right now in the application itself. Since you design these forms, there are a few things we advise you to consider to ensure they meet the GDPR specifications.
- Forms should be very carefully designed and written, with the primary focus on the language. For the forms to meet the GDPR requirements, the language needs to be clear, easy to understand, direct, and specific, with as much detail as possible about the reason for the information you are asking for.
- The information, once collected, may be transferred to Aritic PinPoint, but as the controller of the information you need to ensure that your customers have given their explicit consent for this usage. You can do this by ensuring that all on-site pop-ups, bars and forms clearly request this consent in clear and easy-to-understand language.
- For contact sign-ups, choosing double opt-in is advisable. It is not a default setting, so please enable it manually.
- According to the GDPR guidelines, subscribers should be able to opt out easily whenever they wish, so you need to ensure that every campaign sent out from the Aritic PinPoint platform includes this functionality. Besides unsubscribing, the ability to change preferences must also be easily accessible. Aritic PinPoint offers options, through the GDPR settings, to add these to the footer of the campaigns you send out.
- The unsubscribe option is, by default, part of all campaigns sent out by Aritic PinPoint. Contacts can simply click these links if they wish to opt out of the contact database. Per the GDPR requirements, recipients of any campaign should be able to opt out easily whenever they wish, and this ability should be easily and efficiently accessible to them. The footer ensures that all campaigns are GDPR compliant by default in this regard.
- Further, besides the unsubscribe link, there is also an option to add a preferences link to the footer of the emails you send from your Aritic PinPoint account. Please note that this is not a default option; it needs to be selected while you are designing the campaign, through the GDPR settings.
- It is further advisable that you update your subscribers’ information as frequently as possible in your Aritic PinPoint account. Especially if asked to do so by any of your subscribers, you must make the change as soon as possible. For this, you can edit a contact’s details in their contact custom fields at any time.
- Aritic PinPoint captures the timestamp, IP address and email address whenever a contact responds to any of the form emails you send. This functionality helps you maintain proof of consent. The GDPR requires you to have accurate records of such consent before users can be contacted or any of their data can be processed.
- It is important to know that if you already have consent from a subscriber that was obtained before the GDPR was enforced, that consent should meet the criteria set down by the GDPR. If so, you do not need to ask for it again and just need to maintain a record of these consents. This means that as long as the consent is in line with GDPR standards, it does not matter when it was obtained; it will be sufficient for you to meet the compliance requirements.
- You need to carefully review all Aritic PinPoint integrations, add-ons, etc. in terms of their language for them to be compliant with the GDPR requirements. These add-ons, plugins and integrations need to sufficiently disclose the intended use of the data being collected and must give clear details of any processing you plan to do with the data.
- Aritic PinPoint must also be introduced to your subscribers before you can hand over their data to us for processing. It is advisable that the language of your organization’s privacy statement, for example, names Aritic as the data processor, so that your customers are aware of the actions we intend to take with their data. This ensures the transparency in your interactions with your customers that is the basis of GDPR compliance.
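To make the consent criteria discussed above concrete (explicit active opt-in, no pre-ticked boxes, consent tied to a specific purpose, separate consent per processing activity, proof of consent as timestamp, IP address and email, and pre-GDPR consent remaining valid when it meets these criteria), here is an added example in Python; it is not Aritic's code, and the ConsentRecord field layout and the sample records are assumptions constructed for the example.

```python
# Added example (not Aritic's code): a consent-record check encoding the GDPR
# consent criteria described on this page. The ConsentRecord fields are an
# assumption; Aritic PinPoint's real storage format is not described here.
from dataclasses import dataclass
from datetime import datetime, timezone
from typing import List, Optional


@dataclass
class ConsentRecord:
    email: str
    purposes: List[str]              # distinct processing purposes the subject agreed to
    actively_opted_in: bool          # subject ticked/clicked; silence or inactivity is not consent
    pre_ticked: bool                 # the box was pre-checked on the form (not valid consent)
    double_opt_in_confirmed: bool    # confirmation link clicked (advisable, not mandatory)
    timestamp: Optional[datetime]    # proof of consent: when it was given
    ip_address: Optional[str]        # proof of consent: from where it was given


def consent_problems(rec: ConsentRecord) -> List[str]:
    """Reasons the record does NOT meet the consent criteria (empty list = OK)."""
    problems: List[str] = []
    # Ambiguity, silence or a pre-ticked box is not consent; an active opt-in is required.
    if not rec.actively_opted_in or rec.pre_ticked:
        problems.append("no explicit, active opt-in")
    # Consent must be specific to a stated purpose.
    if not rec.purposes or any(not p.strip() for p in rec.purposes):
        problems.append("consent not tied to a specific purpose")
    # Proof of consent: timestamp, IP address and email must all be on record.
    if rec.timestamp is None or not rec.ip_address or not rec.email:
        problems.append("incomplete proof of consent (timestamp, IP address, email)")
    # Consent obtained before 25 May 2018 is still valid if it meets the criteria
    # above, so the date of the timestamp is deliberately not checked.
    return problems


def advisories(rec: ConsentRecord) -> List[str]:
    """Recommended-but-not-mandatory points, such as double opt-in."""
    return [] if rec.double_opt_in_confirmed else ["double opt-in not confirmed"]


def may_process(rec: ConsentRecord, purpose: str) -> bool:
    """Separate consent is needed per processing activity: the purpose must be one
    the subject explicitly agreed to, and the record itself must be valid."""
    return not consent_problems(rec) and purpose in rec.purposes


# Constructed sample records (not real data).
PRE_GDPR_OK = ConsentRecord("alice@example.com", ["newsletter"], True, False, True,
                            datetime(2017, 3, 1, tzinfo=timezone.utc), "203.0.113.5")
PRE_TICKED = ConsentRecord("bob@example.com", ["newsletter"], True, True, False,
                           datetime(2018, 6, 1, tzinfo=timezone.utc), "198.51.100.7")
NO_PROOF = ConsentRecord("carol@example.com", ["newsletter", "product updates"],
                         True, False, True, None, None)

if __name__ == "__main__":
    for rec in (PRE_GDPR_OK, PRE_TICKED, NO_PROOF):
        print(rec.email, consent_problems(rec) or "OK", advisories(rec))
```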
Aritic PinPoint has been working in line with the GDPR requirements with a keen eye for detail, and our products are regularly updated to accommodate the terms laid down by the new law. Please feel free to get in touch with us if you have any further questions related to the GDPR at firstname.lastname@example.org.