Disclaimer: This article is provided for your convenience and does not constitute legal advice.
May 25 is fast approaching, which means the new European data protection regulation will go into effect very soon. The EU General Data Protection Regulation, also known as the GDPR, is a huge update that "was designed to harmonize data privacy laws across Europe, to protect and empower all EU citizens data privacy and to reshape the way organizations across the region approach data privacy." Let's talk about what this update means for you as our customer as well as for us, who will be affected and what needs to be done to be compliant.
While the new regulation may seem intimidating, it's actually intended to make compliance with European laws easier. Prior to the GDPR, each country within the EU had different data protection laws, making it difficult for companies to comply across Europe. With the GDPR being a unified set of rules, companies can comply at the European level rather than on a country-by-country basis.
If you know all the theory already, scroll down to read what we have been doing to prepare for the GDPR.
Who does the GDPR apply to?
The GDPR applies to all organizations, located within the EU and outside of it, processing and holding the personal data of data subjects residing in the European Union. It means that regardless of the location, all companies processing personal data of EU citizens are affected by the GDPR.
What is personal data?
“Personal data” is information that can be used directly or indirectly to identify a person, such as an email address, name or IP address. Personal data is the main focus of the GDPR: the way it's collected, stored and processed.
“Controller” vs “Processor”
“Controller” and “processor” are two very important terms used throughout the GDPR. A controller is a person or organization that collects personal data and determines the purposes and means of its processing. A processor is an entity that processes personal data under the controller's instructions. When you are using GetSiteControl widgets on your website to collect personal data of your website visitors (email subscriptions, contact form submissions, survey responses, etc.), you are the controller and GetSiteControl is the processor. You collect personal data and determine how it should be used while we store and process this data for you following your instructions.
Both controllers and processors have their own responsibilities under the GDPR. Both controllers and processors should ensure the security of the personal data that they process and respect the rights of data subjects.
Rights of data subjects
The GDPR states that data subjects (people you collect personal data from) should be provided with the information concerning the purposes for which their personal data will be processed. They also have the rights of access, rectification, erasure and data portability, and the right to restrict or object to processing. In practice, it means that a person can contact you and instruct you to delete their personal data or stop processing it.
IMPORTANT: GetSiteControl is ready to accommodate any such requests from data subjects.
Data Processing Agreement (DPA)
Under the GDPR, whenever a controller uses a processor it needs to have a written contract in place. You can now sign such an agreement with GetSiteControl! You can access your copy of the DPA by going to the Profile section in your account.
Data subjects' consent is another important area the GDPR focuses on. The basic principle is the same as before - a person needs to give their consent for the processing of their data (unless there is another lawful basis). However, the GDPR clarifies how consent should be collected:
- data subjects should be provided with a clear explanation of the processing to which they are consenting;
- the consent mechanism should be genuinely of a voluntary and "opt-in" nature;
- organizations are not allowed to rely on silence or inactivity to collect consent (e.g., pre‑ticked boxes do not constitute valid consent) - silence is not consent;
- the nature of the processing should be explained in an intelligible and easily accessible form, using clear and plain language;
- the data subject should be aware of the identity of the controller and the purposes for which the personal data will be processed;
- consent can be provided by any appropriate method enabling a freely given, specific and informed indication of the data subject's wishes.
Simply put, the controller should make sure data subjects understand how their data is going to be used and give explicit consent to such use.
It's important to understand that collecting consent is the responsibility of the controller (that's you). Please note that we won't be able to provide legal advice in each specific case, so if you have any doubts, please talk to a lawyer. However, we are investigating this question as thoroughly as possible and will make sure to provide recommendations on how to better collect consent using GetSiteControl forms.
What we have been doing to prepare
We have been hard at work getting ready for the GDPR. Here is what we have done so far:
- we have reviewed the list of our sub-processors to make sure all of them are GDPR compliant;
- we have introduced Data Processing Agreements (written contracts between controllers and processors). If you want to sign the agreement, open the 'Profile' section of your GetSiteControl account;
- we have made sure that we will be able to assist you, the controller, in complying with the rights of data subjects;
- we have made sure that we have the ability to destroy personal data at the end of the relationship.
If you have any questions, please let us know. We will answer them to the best of our ability. However, please understand that we won't be able to provide legal advice, so if you have legal questions, do speak to a lawyer.