A short guide to compliance with the General Data Protection Regulation (GDPR), which becomes enforceable on May 25, 2018.
What is GDPR and Why is it Important?
The GDPR is a European Union regulation that establishes a new framework for handling and protecting the personal data of EU-based residents. Personal data plays a big part in society and the economy. It is essential that people have – and know they have – control and clarity over how their data is used and protected by any organization they interact with, and that organizations are given clear guidelines for protecting that data.
The GDPR provides important new and strengthened protections for those residing in the EEA and whose data may be collected, moved, stored and processed from and to anywhere in the world.
One of the aims of the GDPR is to harmonize data privacy laws across Europe and bring them up to speed with the rapid technological change of the past two decades. It builds upon the current legal framework in the European Union, including the EU Data Protection Directive in force since 1995.
In order to ensure that the protection of personal data remains a fundamental right for EU citizens, the aim of the GDPR is to modernize outdated privacy laws. The GDPR has the potential to impact any business that collects data in or from Europe.
Key Principles of GDPR
- Collected personal data needs to be processed in a fair, legal, and transparent way. It should not be used in any way that a person would not reasonably expect.
- Personal data should only be collected to fulfill a specific purpose and not further used in a manner that is incompatible with that purpose. Organizations must specify why they need the personal data when they collect it.
- Personal data held needs to be kept up to date and accurate. It should be held no longer than necessary to fulfill its purpose.
- EU citizens have the right to access their own personal data. They can also request a copy of their data, and that their data be updated, deleted, restricted, or moved to another organization without hindrance.
- All personal data needs to be kept safe and secure, and companies undertaking certain types of activities are now required to appoint a data protection officer.
Who Does it Affect?
The scope of the GDPR is very broad. The GDPR will affect all organizations established in the EU, and all organizations involved in processing personal data of EU citizens. The latter reflects the GDPR’s introduction of the principle of “extraterritoriality”: the GDPR applies to any organization processing personal data of EU citizens, regardless of where it is established and regardless of where its processing activities take place. This means the GDPR could apply to any organization anywhere in the world, and all organizations should perform an analysis to determine whether or not they are processing the personal data of EU citizens. The GDPR also applies across all industries and sectors.
When Does it Come into Effect?
The GDPR was adopted in April 2016, but will officially be enforceable beginning May 25, 2018. There will not be a “grace period,” so it is important that organizations impacted by the GDPR get ready for it now.
GDPR: Key Changes
The GDPR brings with it a shift in mindset. It makes explicit several principles that previously underpinned data protection law, such as the “accountability principle” and “privacy by design,” and encourages organizations to take more responsibility for protecting the personal data they handle.
- Privacy by design: This means that organizations handling personal data need to think about data protection when designing systems, not just review privacy implications after a product or process is developed. If you process a lot of data or deal with sensitive information, in many cases you’ll also need to conduct data protection impact assessments to meet the privacy by design principle.
- User rights: The GDPR expands the existing set of user rights and creates several entirely new rights. Companies should review and ensure they have effective systems in place to give effect to these rights.
- Tougher breach notification rules: Under the GDPR, organizations are required to have a strong breach notification system in place and understand their specific reporting obligations.
- Accountability: Not only must your company adhere to the principles set out in the GDPR, but you must also demonstrate that compliance in line with the principle of accountability. This requires a comprehensive and clear internal privacy governance structure.
- Data protection officer: The GDPR requires companies that engage in processing of EU user data to determine if they should appoint a Data Protection Officer. Companies that routinely process large volumes of information or particularly sensitive information should consider appointing a DPO.
How is the GDPR Different from the Directive? How are Obligations Changing?
While the GDPR preserves many principles established by the Directive, it introduces several important and ambitious changes. Here are a few that we believe are particularly relevant to HelloTeam and our customers:
- Expansion of scope: As mentioned above, the GDPR applies to all organizations established in the EU or processing data of EU citizens, thus introducing the concept of extraterritoriality, and broadening the scope of EU data protection law well beyond the borders of just the EU.
- Expansion of definitions of personal and sensitive data, as described above.
- Expansion of individual rights: EU citizens will have several important new rights under the GDPR, including the right to be forgotten, the right to object, the right to rectification, the right of access, and the right of portability. You must ensure that you can accommodate these rights if you are processing the personal data of EU citizens.
  - Right to be forgotten: An individual may request that an organization delete all data on that individual without undue delay.
  - Right to object: An individual may prohibit certain data uses.
  - Right to rectification: Individuals may request that incomplete data be completed or that incorrect data be corrected.
  - Right of access: Individuals have the right to know what data about them is being processed and how.
  - Right of portability: Individuals may request that personal data held by one organization be transported to another.
- Stricter consent requirements: Consent is one of the fundamental aspects of the GDPR, and organizations must ensure that consent is obtained in accordance with the GDPR’s strict new requirements. You will need to obtain consent from your subscribers and contacts for every usage of their personal data, unless you can rely on a separate legal basis, such as those described under “Legal basis” below. The surest route to compliance is obtaining explicit consent. Keep in mind that:
  - Consent must be specific to distinct purposes.
  - Silence, pre-ticked boxes or inactivity do not constitute consent; data subjects must explicitly opt in to the storage, use and management of their personal data.
  - Separate consent must be obtained for different processing activities, which means you must be clear about how the data will be used when you obtain consent.
- Stricter processing requirements: Individuals have the right to receive “fair and transparent” information about the processing of their personal data, including:
  - Contact details for the data controller, which we will explain in more detail below.
  - Purpose of the data: This should be as specific (“purpose limitation”) and minimized (“data minimization”) as possible. You should carefully consider what data you are collecting and why, and be able to validate that to a regulator.
  - Retention period: This should be as short as possible (“storage limitation”).
  - Legal basis: You cannot process personal data just because you want to. You must have a “legal basis” for doing so, such as where the processing is necessary to the performance of a contract, an individual has consented (see consent requirements above), or the processing is in the organization’s “legitimate interest.”
Does the GDPR Say Anything About Cross-border Data Transfers?
Yes, the GDPR contains provisions that address the transfer of personal data from EU member states to third countries (countries outside the EU), such as the United States. The GDPR’s provisions regarding cross-border data transfers, however, do not radically differ from the provisions in place under the Directive. The GDPR, like the Directive, does not contain any specific requirement that the personal data of EU citizens be stored only in EU member states. Rather, the GDPR requires that certain conditions be met before personal data is transferred outside the EU, identifying a number of different legal grounds that organizations can rely on to perform cross-border data transfers.
One legal ground for transferring personal data set out in the GDPR is an “adequacy decision.” An adequacy decision is a decision by the European Commission that an adequate level of protection exists for the personal data in the country, territory, or organization where it is being transferred. The Privacy Shield framework constitutes one such example of an adequacy decision.
Does it Matter Whether You are a Controller or a Processor?
If you access personal data, you do so as either a controller or a processor, and there are different requirements and obligations depending on which category you are in. A controller is the organization that determines the purposes and means of processing personal data. A controller also determines the specific personal data that is collected from a data subject for processing. A processor is the organization that processes the data on behalf of the controller.
The GDPR has not changed the fundamental definitions of controller and processor, but it has expanded the responsibilities of each party.
Controllers will retain primary responsibility for data protection (including, for example, the obligation to report data breaches to data protection authorities); however, the GDPR does place some direct responsibilities on the processor, as well. Accordingly, it is important to understand whether you are acting as a controller or a processor, and to familiarize yourself with your responsibilities accordingly.
What is HelloTeam Doing to Comply with the GDPR?
HelloTeam is excited about the GDPR and the strong data privacy and security principles that it emphasizes, many of which HelloTeam instituted long before the GDPR was enacted. At HelloTeam, we believe that the GDPR is an important milestone in the data privacy landscape, and we are committed to achieving compliance with the GDPR on or before May 25, 2018.
HelloTeam’s GDPR preparation started more than a year ago, and as part of this process we are reviewing (and updating, where necessary) all of the internal processes, procedures, data systems, and documentation to ensure that we are ready when the GDPR goes into effect. While much of our preparation is happening behind the scenes, we are also working on a number of initiatives that will be visible to our users. We are, among other things:
- Analyzing all of our current features and templates to determine whether any improvements or additions can be made to make them more efficient for those users subject to the GDPR.
- Evaluating potential new GDPR-friendly features and templates to add to our application.
In addition, we will be prepared to address any requests made by our customers related to their expanded individual rights under the GDPR:
- Right to be forgotten – Every employee can ask his/her organization to delete all the account data stored for him/her. Upon request by the organization (acting as data controller), HelloTeam will permanently delete all the data associated with that employee’s account.
- Right to object – Upon request, we can exclude certain users from any analytics or reporting data HelloTeam is generating.
- Right to rectification – As a service provider, HelloTeam allows client organizations to fully manage their employees’ data. Some essential data may not be changed by regular users, but we provide an easy option for each employee to contact their own organization administrators and request to change/delete any personal information, which they can’t change/delete by themselves in their profile settings. Users can always contact our support team to help with account management in a timely manner.
- Right of portability – We will export your account data to a third party at any time upon your request.
What Should You Do if You are Administering Data for an Organization on HelloTeam?
You must lawfully obtain and process personal data from your subscribers and contacts. The personal data of your employees may be collected and transferred to HelloTeam via our user-friendly, clean and descriptive import/sync wizards. Automated import/sync processes reduce the time needed for data transfers to HelloTeam, but it is YOUR responsibility to ensure that you obtain consent from your employees and contractors to send their information to HelloTeam for processing.
If an employee asks to be forgotten or asks for a change or deletion of his/her data stored on HelloTeam which you do not have access to, it is YOUR responsibility to forward this request without delay. This will allow us to react appropriately and fulfill the employee’s request in a timely manner. For this purpose you can use the contact support forms in the HelloTeam system or write directly to “firstname.lastname@example.org”.
You should ensure that you are keeping accurate records for all employees and contractors. The HelloTeam system is not responsible for any inconsistent or incorrect data stored in each organization’s database, which is managed by each organization’s own administrators.
Keep in mind that any consent you obtain from your subscribers and contacts must comply with the GDPR requirements, irrespective of when that consent was obtained. However, Recital 171 of the GDPR indicates that you may continue to rely on any existing consent which meets the GDPR standards for consent. This means that it is not necessary to re-request consent from your subscribers or contacts when the GDPR goes into effect so long as you met all of the requirements of the GDPR when you initially obtained consent. We recommend consulting with local counsel to determine if consent obtained prior to the GDPR complies with its requirements, or whether you should instead contact your subscribers and contacts to re-request consent in accordance with the GDPR requirements, or rely on a different lawful basis for your processing under the GDPR.
You should review the privacy statement and practices applicable to your organization and ensure that they provide proper notice that the personal data of your subscribers or contacts will be transferred to HelloTeam and processed by HelloTeam. For example, you may want to consider updating your privacy statement to include language that specifically identifies HelloTeam as one of your processors and delineates the applicable processing activities performed by HelloTeam, such as the collection and storage of personal data and the transfer of personal data to certain of HelloTeam’s sub-processors.
Read our GDPR Data Processing Addendum (last updated May 23, 2018).