The EU General Data Protection Regulation (“GDPR”) is designed to empower European citizens (each, a “Data Subject”) to have control over their data, by promoting transparency; providing Data Subjects with rights; and regulating the way organizations process, store, and transfer data. GDPR goes into effect and becomes enforceable on May 25, 2018.
Any information related to a Data Subject that can be used to directly or indirectly identify the person is “Personal Data.” Personal Data can be anything from a name, a photo, an email address, bank details, posts on social networking websites, medical information, or a computer IP address.
GDPR may apply to you if you either process or control Personal Data, regardless of your organization’s location. Data controllers and data processors have different responsibilities toward Data Subjects and Personal Data under the law. To help identify whether you are a data controller or data processor, here are the definitions of each:
- A “Data Controller” is responsible for the collection, processing and storage of Personal Data. As between you and iContact, iContact is the controller for its customers’ Personal Data. This may include your name, email address, phone number, and any other personal details that pertain to you, as a user of iContact’s service. As between you, and your subscribers, you are the controller for your subscribers’ Personal Data. This includes any names, emails, or other identifiers that your subscribers have permitted you to add to your distribution groups.
- A “Data Processor” performs a service on behalf of the Data Controller. As between iContact and you, iContact is the Data Processor because we act on your behalf, delivering communications to your subscribers.
Ultimately, you are responsible for ensuring that you follow GDPR guidelines. To the extent that you have subscribers that are EU citizens, you are the Data Controller regardless of where you reside or, collect, process or store Personal Data, and GDPR imposes certain responsibilities.
We have provided an overview of Data Subjects’ rights below, but you should seek the guidance of a knowledgeable attorney or advisor to better understand how these Data Subjects Rights affect your responsibilities.
The following is an overview of the principle rights afforded to Data Subjects under GDPR:
Effective date: May 25, 2018
- 1. The right to give consent: Data Subjects must provide explicit consent for you to use their Personal Data, and that consent only allows you to use their Personal Data for the specific purpose you indicated when you collected their Personal Data. You may be in violation of GDPR if consent has not been obtained for the specific purpose you are using the Personal Data for, or if you have not maintained records that provide evidence of the consent you obtained.
- 2. The right of access: Data Subjects can request a report on the Personal Data that has been collected on them and information as to how an organization uses that data.
- 3. The right to correct: Data Subject have the right to correct inaccurate, incomplete or outdated information.
- 4. The right to revoke consent: Data Subjects have the right to revoke consent and prohibit any future processing of their Personal Data by an organization, absent a compelling reason to allow continued use, such as maintaining the account information necessary for billing or to meet other compliance needs.
- 5. The right to data portability: Data Subjects have the right to request and receive a complete report of the Personal Data that you have collected on them. Such report must be provided in a structured and readable format, so it can be taken it to another service provider.
- 6. The right to be forgotten: Data Subjects have the right to request the complete deletion of Personal Data where it is appropriate. This is one of the more complex principles of GDPR in that there are quite a few dependencies. In a nutshell it will be necessary to remove all Personal Data and cease processing that data for any purpose outside of what is required by other local, state or federal requirements should the Data Subject request it. This process must also be demonstrable should an audit require evidence of deletion.
Fines may be assessed for non-compliance with GDPR:
- For non-compliance related to ineffective security and data breaches, a fine of up to 2% of global annual turnover or €10 million, (whichever is greater) can be levied.
- For non-compliance related to violations of the basic principles for processing data set forth above, Data Subjects’ rights, and transferring Personal Data to countries outside of the EU, a fine of up to 4% of global annual turnover or €20 million, (whichever is greater) can be levied.
To learn more, you may be interested in visiting the following: