The following article is designed to provide an overview of GDPR;
- Introduction to the GDPR
- Guidance on compliance requirements
- Overview or what ROLLER is doing
- Additional materials for you to refer to
1. Intro to GDPR
The General Data Protection Regulation (GDPR) is a new comprehensive data protection law in the EU that updates existing laws to strengthen the protection of personal data in light of rapid technological developments, increased globalization, and more complex international flows of personal data. It replaces the patchwork of national data protection laws currently in place with a single set of rules, directly enforceable in each EU member state.
What does the GDPR regulate?
The GDPR regulates the “processing,” which includes the collection, storage, transfer or use, of personal data about EU individuals. Any organization that processes personal data of EU individuals, including tracking their online activities, is within the scope of the law, regardless of whether the organization has a physical presence in the EU. Importantly, under the GDPR, the concept of “personal data” is very broad and covers any information relating to an identified or identifiable individual (also called a “data subject”).
How does GDPR change privacy law?
Many of the GDPR’s main concepts and principles are much the same as those in the current Data Protection Act (DPA), so if you are complying properly with the current law then most of your approach to compliance will remain valid under the GDPR and can be the starting point to build from. However, there are new elements and significant enhancements, so you will have to do some things for the first time and some things differently.
When does the GDPR take effect?
The GDPR takes effect on May 25, 2018.
Does the GDPR require European personal data to be stored in Europe?
No. The GDPR requires that if the personal data of European residents is exported outside of Europe, then that personal data must be adequately protected. Companies are already required to take these steps under existing law.
2. Guidance on meeting compliance requirements
How does it affect my organization?
The General Data Protection Regulation (GDPR) increases the obligations and responsibilities for organisations and businesses in how they collect, use and protect personal data. At the center of the new law is the requirement for organisations and businesses to be fully transparent about how they are using and safeguarding personal data, and to be able to demonstrate accountability for their data processing activities.
How should my organization prepare for the regulations?
Since every business is different and the GDPR takes a risk-based approach to data protection, companies should work to assess their own data collection and storage practices (including the ways they use Roller software), and seek their own legal advice to ensure that their business practices comply with the GDPR. In determining your next steps, here are twelve guidance points provided by regulators within Europe;
-
Awareness;
You should make sure that decision-makers and key people in your organisation are aware that the law is changing to the GDPR. They need to appreciate the impact this is likely to have.
-
Information you hold;
You should document what personal data you hold, where it came from and who you share it with. You may need to organize an information audit.
-
Communicating privacy information;
You should review your current privacy notices and put a plan in place for making any necessary changes in time for GDPR implementation.
-
Individuals’ rights;
You should check your procedures to ensure they cover all the rights individuals have, including how you would delete personal data or provide data electronically and in a commonly used format.
-
Subject access requests;
You should update your procedures and plan how you will handle requests within the new timescales and provide any additional information.
-
Lawful basis for processing personal data;
You should identify the lawful basis for your processing activity in the GDPR, document it and update your privacy notice to explain it.
-
Consent;
You should review how you seek, record and manage consent and whether you need to make any changes. Refresh existing consents now if they don’t meet the GDPR standard.
-
Children;
You should start thinking now about whether you need to put systems in place to verify individuals’ ages and to obtain parental or guardian consent for any data processing activity.
-
Data breaches;
You should make sure you have the right procedures in place to detect, report and investigate a personal data breach.
-
Data Protection by Design and Data;
You should familiarize yourself now with the ICO’s code of practice on Privacy Impact Assessments and work out how and when to implement them in your organisation.
-
Data Protection Officers;
You should designate someone to take responsibility for data protection compliance and assess where this role will sit within your organisation’s structure and governance arrangements. You should consider whether you are required to formally designate a Data Protection Officer.
- International;
If your organisation works in more than one EU member state (ie you carry out cross border-processing), you should determine your lead data protection supervisory authority.
3. What ROLLER is Doing?
ROLLER welcomes the GDPR as an important step forward in streamlining data protection requirements across the EU and as an opportunity for ROLLER to deepen our commitment to data protection. Similar to existing legal requirements, compliance with the GDPR requires a partnership between ROLLER and our customers in their use of our services. ROLLER will comply with the GDPR in the delivery of our service to our customers. We are also dedicated to helping our customers comply with the GDPR. We have closely analyzed the requirements of the GDPR and are working to make enhancements to our products, contracts, and documentation to help support Roller’s and our customers’ compliance with the GDPR.
Though we are continuing to work through a number of enhancements, ROLLER has appointed a Data Protection Officer and appointed a local representative in the UK to oversee the implementation of these enhancements. We have also implemented technical and organizational measures to;
- Account for security risks and to assist our clients in responding to requests of individuals
- Ensure personal data is kept confidential, including requiring our personnel to maintain similar confidentiality obligations
- Notify our clients of a data breach incident as soon as possible and provide support
- Ensure that we only process personal data to the extent authorized by our clients
- Ensure that GDPR-approved safeguards are in place before transferring personal data across borders
- Assist our clients in responding to an individual’s exercise of their privacy rights
- Cooperate with requests of EU member state regulators
- Train employees on GDPR and create company policies on compliance and non-compliance
- Update company policies (e.g., online privacy policy and written information security policy)
Although ROLLER can't help companies be fully compliant, there are many GDPR-friendly features already available are part of the ROLLER software.
Stage 1: Data Collection — Forms and Double Opt-in
Under GDPR, a contact needs to be informed that their data will be stored and used by a company when they're submitting it. Consent will need to be “freely given, specific, informed, and unambiguous,” with companies using “clear and plain” legal language that is “clearly distinguishable from other matters.”
Since ROLLER helps you create your own forms and add whatever text you wish, you already have the tools you need to inform your prospects on how you plan to use, store, and process their data and of their right to withdraw consent, all of which will help you meet your GDPR consent obligations.
How to enable database opt-in:
Here’s how to enable an “Accepting Marketing” opt-in on your ROLLER platform.
- Head to the Settings menu > select Account Details
- Click Edit settings
- Check the checkbox for Capture "Accepts Marketing". This allows you to put in an opt-in marketing checkbox in your online checkout and as part of the waiver process
- Click the Save Changes button to publish your changes
Please note, if you are using Forms as a standalone process, you will need to create a checkbox similar to the Accepting Marketing message in the check out flow.
How to set up double opt-in:
Double opt-in is a procedure that allows visitors who fill out a form to confirm they want to receive communications from you. The GDPR is silent on whether this form of consent is required, and unless guidance to the contrary is issued by the EU or our supervisory authority, our view is that this is not mandatory under the GDPR.
That said, many businesses will prefer to use ‘double opt-in’ as an additional protective measure, obtaining consent from a specific individual. Like most Email Database programs do, ROLLER provides double opt-in as part of our ROLLER Mail module.
Once enabled, the double opt-in feature sends an opt-in request email to all contacts who join your mailing list for the first time. To activate this on your ROLLER Mail account, please follow these steps for each list:
- Go to Lists & Subscribers
- Click Create a New List
- Give the list a name and from the List Type, select Confirmed opt-in (confirmation required)
- When you have set this up, click Create List.
To edit an existing list to have Confirmed opt-in, please follow these steps (but please note this will only trigger for new emails added to the list not pre-existing emails):
- On the Lists and Subscribers, click on the List you want to update
- Click on Change name/type under your List Name
- Update the List Type and click Save Changes
Stage 2: Data Storage and Processing
Exporting Contacts, and Modifying and Updating Data
Individuals always had the right to request access to their data. But the GDPR enhances these rights. The timescale for processing an access request will also drop significantly from the current 40 day period.
ROLLER is working on functionality to ensure the service is fully GDPR compliant by the May 2018 deadline. That said, ROLLER software already lets you export data from a person’s contact record from your ROLLER portal in a user-friendly format. It’s as simple as searching for the person’s contact record and then taking the desired action. The whole process takes seconds.
This will assist customers in complying with a contact’s request for a copy of their data, either to move to another provider or to check what personal data you hold about them in your ROLLER account.
How to access a Customer Record:
- Go to Customers
- Search via Name or email and select a contact
- This will show you all the contact information for that customer, you can copy this information to send to the customer
How to modify/update data:
Under the current legislation, individuals already have the right to ask you to modify or update data you hold on them in your systems (for example if they change email address). This will not change under the GDPR, but as we know, the penalties for breach under the GDPR are more severe.
Follow this step-by-step process to learn how to edit the information on any Customer Record:
- Go to Customers
- Search for the contact you want to edit, and click the name to open their contact record
- Make sure you are on the Customer Details tab and click on the field you would like to change to edit it
- Once all edits are made > click Save
Stage 3: End of Relationship — Unsubscribe and Email Preferences
When you send emails to prospects and customers using ROLLER Mail, they include an unsubscribe button, which allows customers to easily let you know that they want to withdraw consent to receiving marketing emails from you. This feature also helps companies comply with the EU E-Privacy legislation governing direct marketing.
Additionally, our email preferences functionality allows customers and prospects to choose which categories of email they want to receive.
How to set up unsubscribe preferences:
All lists automatically default to unsubscribe a customer from the entire database, if you would like to change this setting for certain lists, please follow the steps below:
- In Lists & Subscribers, click on the list you want to update
- Click Unsubscribe settings > check the option Only remove them from this list
- Click Save Unsubscribe settings
- Please note on this page, there is also the option to put an unsubscribe form on your website
As you can see, there are many GDPR-friendly features you can use on your path to being compliant. This new legal outlook is also a great opportunity to revise how you may be approaching end customers and what you can do to treat these relationships with the highest care.
4. Additional materials for you to refer to:
The following regulators within the European Union have provided specific guidance on the GDPR:
- ICO - Guide to data protection
- Data Protection Commissioner - GDPR
- CNIL - Règlement européen: se préparer en 6 étapes
DISCLAIMER:
This legal information is not the same as legal advice, where an attorney applies the law to your specific circumstances, so we insist that you consult an attorney if you’d like advice on your interpretation of this information or its accuracy. In a nutshell, you may not rely on this paper as legal advice, nor as a recommendation of any particular legal understanding.