The General Data Protection Regulation (GDPR) is a regulation scheduled to be enacted on May 25, 2018. It is designed to protect the privacy and rights of EU citizens, no matter where they are in the world. These slides cover the basics of these regulations and how you can make sure you are EU compliant.
4. GDPR
General Data Protection Regulation
A set of regulations defined by the EU that protects the privacy and security of the
personal data of EU residents.
Currently in effect, the GDPR becomes enforceable on May 25th, 2018.
5. Personal Data
“Personal data is any information relating to an individual, whether it relates to his
or her private, professional or public life. It can be anything from a name, a photo,
an email address, bank details, your posts on social networking websites, your
medical information, or your computer's IP address.”
- Source: The European Commission’s initial press release
6. Scope
The GDPR applies to any business that collects and/or processes the personal data of EU residents, regardless of the country in which the data is processed.
EU member states:
Austria, Belgium, Bulgaria, Croatia, Cyprus, Czech Republic, Denmark, Estonia, Finland, France, Germany, Greece, Hungary, Ireland, Italy, Latvia, Lithuania, Luxembourg, Malta, Netherlands, Poland, Portugal, Romania, Slovakia, Slovenia, Spain, Sweden, United Kingdom
7. Processors and Controllers
‘controller’ means the natural or legal person,
public authority, agency or other body which,
alone or jointly with others, determines the
purposes and means of the processing of
personal data; where the purposes and means
of such processing are determined by Union or
Member State law, the controller or the specific
criteria for its nomination may be provided for by
Union or Member State law;
‘processor’ means a natural or legal person,
public authority, agency or other body which
processes personal data on behalf of the
controller;
8. Grounds for Lawful Processing
a) Consent
b) Contract
c) Legal obligation
d) Vital interests
e) Public interest
f) Legitimate interest
9. Consent
The user must explicitly approve the capture and use of each data element
gathered by the processor.
If the user is below the age of 16, consent must be given by a parent or legal
guardian.
Countries can opt to lower the age of consent, going as low as 13 years of age.
10. Legitimate Interest
The processing of personal data for direct marketing purposes may be regarded
as carried out for a legitimate interest.
● Balance between the processor’s interest and the data subject’s interest
● Relevant and appropriate relationship
● Protection from fraud
● “Reasonable expectations” of the data subject
● Keep a record of why a data point is a legitimate interest (user field description)
11. Supervisory Authority
The Supervisory Authority (SA) is a national authority in each country within the
EU. They are independent public authorities tasked with monitoring the application
of the GDPR.
The SA must be notified about personal data breaches.
12. Notification of Breach
● Data breaches must be notified within 72 hours
● Be sure to use GreenRope’s built-in export controls
● Be diligent about shared-access user rights
14. Rights
● The right to be informed
● The right of access
● The right to rectification
● The right to erasure
● The right to restrict processing
● The right to data portability
● The right to object
● Rights related to automated decision-making and profiling
● The right to be notified
15. The Right to be Informed
The right to be aware of what data is used, how it is used, and to be able to read
the Privacy Policy and Terms of Use in a readable, non-legalese format.
16. The Right of Access
The right to see what data an organization or business has.
17. The Right to Rectification
This gives the user the right to update and correct data about themselves.
18. The Right to Erasure
This encompasses the right to be forgotten and deleted. The GDPR indicates that
any request by a citizen of the EU to delete all of their data must be responded to
and complied with.
(Note: balance with requirement to store unsubscriber information)
* no relation to 80s band
19. The Right to Restrict Processing
This gives the user the right to request an organization to stop including the
individual’s data in any and all processing. This is separate from an Erasure
request in that the data does not have to be deleted.
20. The Right to Data Portability
This is the individual’s right to request all of the data an organization has about
them, in a known and portable format.
21. The Right to Object
Individuals have the right to object to processing based on legitimate interests,
direct marketing and profiling, and processing for research and statistical
purposes.
22. Automated decision-making and profiling
Rights related to automated decision-making and profiling.
The data subject has the right to not be subject to a decision based solely on
automated processing, including profiling, which produces legal effects concerning
him or her or similarly significantly affects him or her.
23. The Right to be Notified
The data subject has the right to be notified if their data is breached or leaked.
In the case of a breach or other incident in which Personal Data is compromised,
companies must notify a Supervisory Authority, and, if known, the individuals with
compromised data, within 72 hours.
25. Next Steps
● Catalog your Data
● Log Data Access
● Identify 3rd Parties
● Clarify and Expand Privacy Policy
26. Catalog your Data
Identify which data needs to be exported or erased based on user requests, as
well as the type of processing that is performed on each data point.
Most data you store about your customers in GreenRope will be personal data.
27. Log Data Access
Keep track of personnel accessing and exporting data and where that data goes.
Access to account and data is logged in Dashboard > News Feed.
28. Identify 3rd Parties
If you export data for 3rd party consumption, each 3rd party and the data going to
them should be tracked. This includes any APIs or third party software (like
Zapier).
Erasure and Processing Restriction requests need to be propagated to these 3rd
parties.
29. Clarify and Expand Privacy Policy
Make sure your Privacy Policy details how data is used, and for what reason. It
should also be written in clear and easily-understood language.
31. GreenRope is GDPR-Ready
● We’ve updated our Privacy Policy - https://www.greenrope.com/privacy
● We have a statement about our implementation of GDPR -
https://www.greenrope.com/gdpr
● We have a data catalog for what we track regarding our customers
● We have identified our 3rd party data processors and have data privacy
agreements (DPAs) with them
32. GreenRope Helps You with GDPR Readiness
● For Access and Data Portability: In the Contacts Detail dialog, you can click
“Contact Detail Export” and get a copy-pastable machine-readable text dump
of all of a contact’s data.
● Most Rectification can be handled by each user using the native GreenRope
user interface; any that cannot should be forwarded to GreenRope Support.
● Restrict Processing requests can be handled by establishing a specific
group for these contacts, moving the contact into it, and unsubscribing them.
● Erasure can be handled by simply deleting the contact.