What is GDPR?
The General Data Protection Regulation (GDPR) is a regulation scheduled to be enacted on May 25, 2018. It is designed to protect the privacy and rights of EU citizens, no matter where they are in the world. If you do business in Europe, or have any contacts in your GreenRope CRM that are EU/EEA citizens, the GDPR applies to you. This means people who are citizens of the EU, UK, Norway, Iceland, and Liechtenstein must have the protections outlined in the GDPR whenever their personal data is stored or handled by any company in the world.
Note that this page is a high level description and is not intended as legal advice or counsel. For your own protection, we recommend you retain a legal expert who can review your company processes and advise you the best course of action to maintain compliance with GDPR.
Who is affected by GDPR?
There are two types of organizations that must prepare for GDPR, data controllers (likely you, a GreenRope customer and user of our platform) and data processors (us, GreenRope, because we are processing the data you put into the GreenRope CRM). Since our networks store your client data, we must provide the tools and resources to help you meet your obligations under GDPR as a data controller.
GDPR affects the storage, transfer, and use of personal data as it relates to an identifiable individual person. These individuals are also referred to as data subjects in the context of the GDPR.
How does GreenRope protect privacy?
GreenRope undergoes regular audits and security testing to ensure our networks are secure. All connections you make to our networks are secured by SSL, using up-to-date encryption algorithms, to protect your data both at rest and in transit.
What does GDPR mean for the rights of data subjects?
Your data subjects are the contacts in your CRM, and if they are EU citizens, they have certain rights related to the processing of their personal information given to them by GDPR. By “processing”, the regulation means collecting, storing, and using that personal information. These rights can be summarized in a few key points:
- The right of access. If you are processing personal information, data subjects can ask you whether and how you use their personal data. You have one month to respond with a description of that use, and you may not charge the person for it. GreenRope also provides a helpful contact data export feature to make it easy for you to send a summary of all data we have collected about that contact.
- The right of rectification. If a data subject sees something incorrect, they have the right to correct the data you have stored in your CRM. With GreenRope, this is easy, as you can modify any personal data you have on file. If you have shared this information with anyone else, you have to inform those third parties of the changes in that data.
- The right to be forgotten. A data subject can request that their personal information be removed from your data storage. There are some limitations, such as keeping a record of unsubscribed contacts, and matters of legal and national security, which may override the contact’s right to be forgotten. If you are not sure, consult a legal expert.
- The right to restrict processing. A data subject can request that you limit the processing of their data. In practical terms, this generally means you can store the data, but you can’t actively engage with the person. Using GreenRope, we would suggest marking the contact as an unsubscriber and moving that person to a “Do Not Contact” group.
- The right to data portability. A person can request data you store about them and use it elsewhere.
- The right to reject automated decisions. A data subject can request that algorithms are not used to classify how they are treated. The most common example given for this is automated ways to determine if someone can get a loan (for example, by combining income and credit score). If an individual requests that the algorithm not be used as part of the decision-making process, you must abide by that request.
What is data minimization?
GDPR encourages companies to practice data minimization, which means collecting only the minimum amount of personal information about any individual that you, as a company, need to do your job and serve the customer. This is a judgment call about the data you collect; the aim is that companies don’t collect as much information as they can about someone just for the sake of keeping that data.
What is data integrity and confidentiality?
GDPR requires all data controllers and processors to take all reasonable steps to protect any and all personal information. This means protecting data backups with encryption, always using encrypted connections when transferring data, and limiting access to data to only those who need it.
What is the minimum age for giving consent to process data?
GDPR sets a minimum age of 16 before an individual can provide consent for a company to process that individual’s personal information. Some countries in the EU have lowered the age to 13, so if you are asking younger people to provide information, be sure to confirm that their parents are providing the consent to do so.
What lawfully gives you the right to process data?
What happens if you don’t comply with GDPR?
Enforcement of GDPR is managed by the member nations, as they protect the rights of their citizens. The intent of the regulation is to have a dialogue with companies who are not complying, get them into compliance, and resolve issues quickly. The regulation does, however, include a fine for non-compliance of 20 million Euros or 4% of your company’s annual global revenue (whichever is greater).
What kind of data breach notification is required?
If there is a data breach, GDPR requires the company responsible for the breach to inform data protection authorities in the countries where affected citizens had their data leaked. This must be done as soon as possible, but no later than 72 hours after discovery of the breach. There may be a requirement to inform the individual data subjects, as well.
What should companies do to prepare for GDPR?
There are some steps you and your team will want to take to prepare for GDPR and ensure you are in compliance.
- Review your existing methods of collecting, transferring, and storing data about the contacts in your database. Address any weak points, looking for ways that data could be leaked, stolen, or lost. Note that this should include any import/export you do of any data from different software platforms, as well as any APIs you currently use for transferring data to different services.
- If you don’t already have one, create a plan for what happens if there is a security or data breach.
- Establish internal procedures if a data subject requests information about the personal information you have collected about them.
- Institute a program for your entire team (employees, management, and C-level executives) so they understand what data you are collecting, why, and how you protect it.
How can GreenRope help?
If you have any questions about GDPR and how we can help you meet the requirements of the regulation, please feel free to reach out to us any time. While we cannot provide official legal counsel, we can point you in the right direction and get you prepared to meet the requirements of the regulation.