The European Union’s General Data Protection Regulation (GDPR), approved almost two years ago, begins enforcement on May 25th. The GDPR is designed to protect the data rights of EU residents and non-compliance comes with significant fines and penalties. This is serious business for everybody that works with customers around the globe. All WhatCounts customers need to review the regulation at https://www.eugdpr.org and become GDPR compliant if collecting EU member information.
Under GDPR, WhatCounts customers are considered “Controllers”, which broadly means they determine the purposes and means of processing personal data. WhatCounts is considered a “Processor” under GDPR, which broadly means we perform operations on personal data collected by a Controller.
As a Processor under GDPR:
- We have to continue to make sure your customers’ personally identifiable information (“PII”) is safe, secure, and reportable. We will maintain an audit trail for our customers of how we’ve processed the data entrusted to us.
- We can’t engage another company to process our customers’ PII unless we get their permission first.
- We take your personal data seriously and can only process it within the terms of our Agreement and under obligations of confidentiality.
Please note that this is not an exhaustive list, nor is it meant to substantiate or modify any arrangements currently in place with customers.
Below we have listed a few considerations for our customers. The following is not legal advice nor should it be taken as an exhaustive list of recommendations to ensure compliance, but it will hopefully help in the discovery process. The GDPR is concerned with the secure storage of personal data and the right to have that data updated, removed, or provided upon request. Complying with GDPR guidelines may significantly change procedures for collecting, storing, and eliminating data:
- Automatic opt-in is not allowed and the process of opting in requires an action by the individual.
- Proof of consent to use an email address or other personal data must be documented and stored. Records of the agreement will need to be reproduced when called upon.
- The ability to withdraw consent to the use of an email address needs to be easily accessible. No hunting for an unsubscribe button; it should be in plain view.
- Individuals also have the right to ask for the permanent deletion of any personal data. The GDPR explains this as the "right to be forgotten." When requested, personal data must be scrubbed from the system with no remaining trace of the information.
- Should a breach in security occur, it must be reported to the data protection officer or a supervisory authority within 72 hours of its discovery. The nature of the breach, the number of those who are potentially harmed, and the "likely consequences" will need to be provided.