By now, you’ve probably heard of the General Data Protection Regulation (GDPR), one of the most significant pieces of data protection legislation ever, which becomes enforceable on May 25, 2018. The GDPR is an attempt to strengthen, harmonise and modernise data protection law and to enhance individual rights and freedoms, consistent with the understanding of privacy as a fundamental human right. The GDPR applies to any organization that uses the personal data of people located in the EU.
Does the GDPR apply to you?
If you have users of your product or service in the EU, the GDPR will apply to you. You should consult with a GDPR specialist regarding the full scope of your compliance obligations.
What happens if you do not comply?
The GDPR brings massive financial penalties. Fines for non-compliance can be anywhere up to 20 million euros (25 million dollars) or 4% of global annual turnover, whichever is higher.
What have we been doing to prepare?
WhatConverts welcomes the GDPR as an important step forward to enhance data protection across the EU and the globe and as an opportunity for us to strengthen our commitment to data protection. As such we have undertaken the following:
- A Data Protection Officer has been appointed.
- We have analysed what personal data we process and confirmed our lawful basis for processing.
- We have completed a full analysis of our data security practices and procedures.
- We have updated our Data Protection Agreement.
- Procedures around data subject rights have been implemented.
- Our data breach response procedure has been improved.
- We have implemented increased data restriction controls, logging and monitoring.
- We are communicating with our customers about the GDPR and the updates to our relationship with them.
What does this mean for our relationship?
When we provide software and services to an enterprise, we’re acting as a ‘data processor’ for the personal data you ask us to process and store as part of providing the services to you. As a data processor, we only process personal data on your company’s authority and instructions.
As the ‘data controller’, you will determine the personal data we process and store on your behalf.
We understand that compliance with the GDPR requires a partnership between WhatConverts and our customers in their use of our services, and we look forward to working with you on this important new regulation.
What are your responsibilities as a data ‘Controller’?
You will typically act as the data controller for any personal data you collect in connection with your business. The data controller determines the purposes and means of processing personal data; when you choose which of our services to use, you are deciding the purpose (what to do) and the means (who does it for you, i.e. WhatConverts).
Data controllers are responsible for implementing appropriate technical and organizational measures to ensure and demonstrate that any data processing is performed in compliance with the GDPR. Controllers’ obligations relate to principles such as lawfulness, fairness and transparency, purpose limitation, data minimisation and accuracy, as well as fulfilling data subjects’ rights with respect to their data.
If you are a data controller, you may find guidance related to your responsibilities under GDPR by regularly checking the website of your national or lead data protection authority under the GDPR (as applicable) or going to https://www.eugdpr.org/.
You should also seek advice from a GDPR consultant relating to your status and obligations under the GDPR, as only a qualified specialist can provide advice specifically tailored to your situation. Please bear in mind that nothing on this website is intended to provide you with, or should be used as a substitute for, legal advice.
Where should you start?
As a data ‘Controller’, here are some tips on where to start your compliance journey:
- Assign a data protection business lead or appoint a Data Protection Officer, if required.
- Create an inventory of personal data that you handle.
- Establish a lawful purpose for processing this data.
- Review your current data protection controls, policies and processes to assess whether they meet the requirements of the GDPR, and build a plan to address any gaps. Again, it is recommended you consult with a professional.
- Make sure you have a data processing agreement in place with all your ‘Processors’ – the WhatConverts Data Processing Agreement is available here.
- Monitor updated regulatory guidance as it becomes available.
Again, do not take this as legal advice and we recommend you consult a specialist to obtain legal advice specifically applicable to your business circumstances.