The General Data Protection Regulation (GDPR) is a European Union (EU) law focused on data protection and privacy for all citizens and residents of the EU. GDPR regulates how companies - including ITEGY - can process personal data about individuals in the EU. GDPR went into effect on May 25, 2018. For a more detailed description of what GDPR is and how ITEGY is GDPR compliant, please review Our Privacy Center information.
We hope this document will provide you an overview of what GDPR is and what it might mean to you, but ITEGY is not in the business of providing legal advice and this is not a comprehensive guide of GDPR. Every business situation is different and GDPR as a law is very complex. For specific questions around your business operations and how they might be impacted by GDPR (and other applicable privacy laws), we highly recommend consulting a lawyer.
As much as we would love to be able to give you explicit advice on how you should be handling your compliance with GDPR, it's for all intents and purposes, impossible. Each business is run differently, with different policies, protocols, employees, locations, etc. So, we want to provide an overview of ITEGY's take on GDPR, but there are several nuances in the regulation, which we've highlighted for you in this document, where you'll need to make your own assessments depending on your particular situation.
GDPR is not all that different from other privacy laws around the world. The thing that makes GDPR incredibly high-profile is that it reaches beyond the EU to any business anywhere in the world that handles personal data about EU individuals, and it also carries significant penalties (up to 20 million EUR or 4% of global annual revenue) for non-compliance. So, more countries, bigger fines, broader scope, means more media coverage. That's not to say there are no differences - GDPR does require impacted companies to provide certain rights to their customers (such as a 'right to be forgotten' and a 'right to data portability') and to implement certain corporate compliance measures.
There are a couple of reasons your business could be impacted. If your business is located or if you conduct business with customers within the European Economic Area (EEA) when selling goods or services, please keep reading. If you don't conduct business in that region or otherwise target EU individuals, you're likely all set (again, please contact your own legal counsel to confirm).
No products or services are alone 'GDPR compliant'. However, when properly configured for your particular business needs, and used in combination with other measures, policies and processes you implement as necessary to your specific business (some of which are described below), they can be used in a GDPR-compliant manner. No one knows your business better than you. Though ITEGY hopes to offer the tools and resources to help your business attain GDPR compliance, and we are here for you, we are not suited to ensure your compliance with any laws applicable to your business.
GDPR is really focused on privacy of personal information. Long story short, it's about making sure your customers' personal data is protected and used in proper ways. Before diving into specifics, below are a few key definitions under the law that will help us to define respective responsibilities as it relates to handling personal data:
In our relationship, there are times when we are a Data Controller (when we collect data from you for the purpose of selling you our products and services - such as your name, address, email, telephone and credit card information), and times when we are a Data Processor and you are the Data Controller (such as when you use our hosted services for your own business purposes and information happens to be passed on to our servers so that we can provide, manage and maintain the services for you (more on all this below)).
Well, the official version of the GDPR is 261 pages long, contains 173 Recitals, 99 Articles and (as mentioned) is complex and often broad, vague and ambiguous (lucky us). We're going to cover just a few of its key principles:
Transparency
What data are you collecting and how will it be used? Explaining that to your customers in an easy to read and easily understood manner is an important principle of any privacy law, including GDPR.
Our guess is you've received about a million "we've updated our privacy policy" emails lately, right? It's no coincidence. GDPR requires that companies provide greater transparency and clarity as to how they collect and use their customers' information (in other words, make it more user-friendly). Privacy policies are the mechanism for you to offer transparency - explaining to your customers clearly and in simple language how you collect and use their personal data and how they can contact you or exercise rights they might be afforded.
ITEGY provides tools that allow you to incorporate privacy policies into your websites, and in some cases provides templates for you to work from. However, because we do not know how you operate your business, it's impossible for us to provide you with a fully-compliant privacy policy.
Customer Controls and Managing Consent
Being transparent is a great start, but if you are using (or collecting) information from your customers in addition to what is strictly needed to provide them the goods or services you sell, then you must also be sure they are given the options to consent to additional uses, and afford them with controls to later revoke that consent.
The most obvious example here is using email addresses or phone numbers collected to communicate with your customers (usually we think in terms of opt-in/opt-out to such communications/subscriptions). This information may be provided by your customers in the course of creating an account or purchasing a product or service from you. However, it also includes your collection of information about individuals who visit your websites via tools commonly known as "cookies" (and similar technologies such as pixels, scripts, etc). Certainly, you've seen "cookie banners" when visiting websites, and similar to the use of a privacy policy, these cookie banners allows for greater transparency. By displaying a cookie banner, individuals may learn more about what tools are being used to collect information about them, accept or decline such use, and/or otherwise granularly control which cookies might be acceptable for use.
Under GDPR, your customers must be given the right to consent to such collection (and subsequent use), and the only way consent may be properly given is if you presented the option to exercise such consent in an easy to understand, specific (to the particular use), and explicit manner. Pre-checked boxes, silence or inactivity cannot be used to indicate your customer's consent. For instance, if you have a checkbox on your website that says, "We will share your data with 3rd party advertisers," you cannot pre-select the checkbox to opt data subjects in to processing their data. The checkbox needs to remain un-checked for data subjects in the EEA until they voluntarily opt-in or express consent to such processing.
Ultimately, you need to ensure your customers can exercise control over use of their personal data, communications, and consent, including a right to revoke that consent.
Right to be Forgotten
We mentioned before that GDPR is very similar to other privacy laws around the world - this one is a right to your customers that is GDPR-unique. The GDPR provides individuals the 'right to be forgotten' (the "Right of Erasure" under the law). This means that the customer can ask that their personal data be deleted (and they be "forgotten"), where the personal data collected is no longer necessary for the purposes they were collected or otherwise processed.
Where the right exists, you must delete the data subject's personal data from your systems (unless there are legitimate business or legal reasons that such data must be kept, say for your financial reporting purposes or legal retention needs).
For instance, if a customer decides to stop doing business with you, they may no longer want you to keep information about them that was previously collected and stored by you. Though there are limitations to this right - with exceptions and complicated nuances - where applicable, you must consider how, and your ability to honor that request when made.
ITEGY, for its part, as we've described and in accordance with our Data Processing Addendum, will honor requests received from you (the Data Controller) to remove your customer's information from our systems when such a request is made.
Right to Data Portability
The right to data portability is another GDPR-unique right that allows individuals to obtain and reuse their personal data for their own purposes across different services. It allows them to move, copy or transfer personal data easily from one IT environment to another in a safe and secure way, without affecting its usability.
Let's say you're an event planner. Your customer provided all their contact details and relevant personal preferences, but then they moved and decided to hire a new event planner. In the EEA, they should be able to get an electronic copy of their personal data to establish with a new event planner easily. ITEGY is here to assist with such requests to the extent your customer's personal data exists within and is capable of being exported to you from the products or services we provide.
Privacy by Design
Privacy by Design (or by default) essentially means that when you obtain, process, store or use personal data, the necessary protections are contemplated and included - no special considerations, no additional steps are needed, only the minimum necessary data is collected, received securely (e.g. encrypted), stored in a secure location, and only people with a valid need that have been properly trained have access to it. This includes making sure third parties also have protections in place before sending them your customer's personal data.
This is essentially the same as a patient visiting a doctor's office. As a patient, you would expect your health records, notes taken, and advice received to be kept safe and confidential. Extend that same type of vigilance to data subjects and you'll be in good shape.
Any examination of your business operations should include how ITEGY's products and services can be used with privacy in mind. While we hope our products and services can be configured to meet your specific needs, it is up to you to make an independent determination as to whether use of our services is adequate for your compliance with applicable data privacy and protection laws.
Data Breach Notifications
In the unfortunate event of a personal data breach, companies have a duty to notify its supervisory authority within 72 hours of becoming aware of the breach or without undue delay. For more details on how to disclose and what steps to take, please consult with your lawyer.
As mentioned previously, for the vast majority of time, ITEGY is your Data Processor. We will process data strictly as required to provide the services you have purchased from us on your behalf, or as otherwise instructed. Using our services in a manner that collects data so you can sell your wares, or to collect appointment information or sales leads? No problem. We will make sure the data is processed in a safe and secure way on your behalf.
As the Data Controller, you control how the data is used and stored, and we will only process it per the terms of our Data Processing Addendum in providing and maintaining the services on your behalf. This means you need to pay close attention to your internal policies and employee access of records, including how you share data with 3rd parties and how easily someone could access the data subject's information.
As you can see from the key points above, GDPR (and other privacy laws) are all about ensuring the data we collect and use to make our businesses successful, are properly secure and protected.