Whether you’re completely, somewhat, or not at all prepared for requirements outlined in the GDPR, you should check out our last-minute preparation tips in this webinar. This article provides a summary of topics discussed during the webinar.
Here’s what you can do, depending on how prepared you are for the GDPR.
Completely prepared – Congratulations! To be sure, double-check your data collection processes and retention mechanisms for personal data on both internal and external platforms. Confirm that relevant data is archived appropriately, and make sure plans are in place to build privacy by design into your systems.
Somewhat prepared – If you’re still determining where personal data exists and how it is processed, it’s time to complete the data mapping and create records of processing activities for that data. Additionally, decide on steps to streamline future processing of customer data, automate retention, and be prepared to handle customer requests for their data. Choose a comprehensive solution or vendor capable of consolidating data from a variety of systems, so that no customer data sits forgotten in an unmanaged store where it can leak unexpectedly.
Not-at-all prepared – Start now, rather than risking fines of up to €20 million or 4% of global annual turnover, whichever is higher. Create a list of events to manage your preparation process, and conduct audits to build an accurate picture of the data that exists and needs to be stored. This matters because customer data is often scattered across teams and systems. Once you’ve mapped the data you have, consolidate it on a single platform that can address the content needs of your organization. This considerably simplifies putting data protection controls in place.
With the GDPR coming into effect, European data protection law is undergoing a paradigm shift. Some last-minute steps and tips:
1. Assess existing levels of data protection
2. Check for records of all processing activities
3. Review all relevant documents, such as consents and data processing agreements
4. Improve technical and organisational measures
5. Designate a data protection officer if required
Compiled below, under each subsection, are the most frequently asked questions from the webinar on May 2, 2018. The document also points to steps Freshworks has taken towards making our products comply with the requirements of the GDPR.
Disclaimer: Please note that this document is provided for informational purposes only and should not be relied upon as legal advice or to determine how the GDPR might apply to you and/or your organisation. We encourage you to obtain independent professional advice before taking or refraining from any action on the basis of the information provided herein.
To “process” existing customer data on the basis of consent, that consent must be freely given, specific, informed and unambiguous; you must be able to demonstrate that it was given (so keep a record of it); it must be as easy to withdraw as it was to give; and it must be distinguishable, meaning consent is sought separately for every purpose.
Apart from consent there are other lawful grounds to process personal data. Under Article 6 they are:
- Contractual necessity
- Legal obligation
- Vital interests
- Public task
- Legitimate interests
- To continue sending cold emails or making cold phone calls to business contacts in the EU while remaining compliant with the GDPR, businesses are permitted to send marketing emails where:
- there is explicit consent, or
- existing customers are contacted, on an opt-out basis, about products or services they already subscribe to
- To make cold phone calls, ensure the contact is not on an opt-out or do-not-call list. Generally, recording a phone conversation requires consent. For more on obtaining verbal consent on a call with an EU resident, please obtain legal advice.
- Whether to refresh marketing consent with existing prospects and customers has pros and cons. Pre-GDPR consents can be relied upon only if they were obtained to the GDPR standard.
If consent is obtained by clicking ‘agree’ on a pop-up or snippet on your website, that consent also needs to be recorded: who consented, when, what text they were shown, and how. Such clicks are usually timestamped, so work with your IT/website development team to capture and keep those records. When scripting the consent wording itself, obtain legal help from the right people or agency so you can decide what is right for your business.
Freshdesk: When someone reports an issue or places a request by email, a ticket is created and the sender’s email address is recorded as a contact; this is inherent to how helpdesk software works. Freshdesk also provides a feature for obtaining consent from your customers. Learn more: Product FAQs (GDPR) – Freshdesk
Data Hosting and Transfers
The GDPR does not require EU personal data to stay in the EU. Transfers of personal data outside the EU remain permitted, provided they rely on one of the mechanisms in Chapter V of the regulation, including:
- EU-US Privacy Shield
- Standard Contractual Clauses (model clauses)
- Binding Corporate Rules (BCR)
Freshworks is self-certified under the EU-US Privacy Shield and the Swiss-US Privacy Shield. If your organization’s policy requires you to store data in the EU, you can choose from the available plans to move to our Frankfurt data center. The data hosting locations available with us are EU, EUC, AU and US.
Please refer to Freshworks blog on the subject: GDPR Compliance: Cross-border Data Transfer Cheatsheet.
The GDPR requires businesses not to retain personal data for longer than necessary for the purpose it was collected for. The retention periods are generally set by the business’s internal policies. Where other laws require data to be retained for a particular period (for example for tax, audit or criminal-records purposes), businesses must comply with those laws. Please consult your legal advisor to make the right decision.
Freshdesk: To learn about features available in Freshdesk and automatic retentions rules, please refer to Product FAQs (GDPR) – Freshdesk.
GDPR Territorial Reach
If an entity is established in the EU, the GDPR requires it to protect all personal data it processes (whether relating to EU residents or not). If the entity is not in the EU, the GDPR will apply:
- whenever that entity processes data for an EU-based customer, or for a non-EU customer with EU operations
- whenever that entity’s EU operations collect and use data for their own purposes (e.g. local staff or customer relationship data)
- whenever that entity collects EU data through its website
- to any online targeted advertising or other direct marketing campaigns (email, phone etc.) that entity conducts in the EU
In the case of specific processing situations like scientific or historical research purposes or for religious associations, the GDPR specifies details in Chapter 9 of the regulation.
GDPR in the UK and Brexit:
The EU General Data Protection Regulation (GDPR) will apply in the UK from May 25, 2018. Please refer to the joint update issued by the FCA and the ICO on the GDPR.
Having a privacy notice is a start, but you should also be able to demonstrate compliance: keep records of processing, comply with data subject rights, and conduct DPIAs where required, among other things. Learn more here.
#2 Small Business owners seem to be under the same scrutiny as large businesses. What are the core things small business should get right?
Please refer to the website of the Information Commissioner’s Office (ICO) for guidance and information.
#3 What are enforcement mechanisms/authorities? Who can file a claim if you are not in compliance and by what means?
The data subject can lodge a complaint with a supervisory authority, and each EU member state has its own supervisory authority.
Some prominent supervisory authority websites are:
#4 How important is it for a startup to have GDPR implemented by 25/05?
GDPR applies to all organizations including startups. Learn more here.
#5 Can we insure against GDPR consequences?
Tech E&O (errors and omissions) policies exist that cover data breach claims; reach out to your broker for further information.
#6 We’re a small company (4 employees) located in Canada. All client data is stored with a third party service. Who is responsible for data protection? How do I confirm compliance?
You are likely the controller, and the third-party service storing the data is the processor. The GDPR applies to both parties, and each has its own obligations under the regulation.
#7 If we were to collect browsing data through the use of a web filter, but any individual is not identified by name in logs (i.e. Computer01), is this still considered personal data collection if CCTV cameras could be used in addition to identify that user?
Yes, this is personal data. If an individual can be identified by correlating the data with other information (here, CCTV footage that ties a person to Computer01), it is personal data; a pseudonym such as a hostname does not change that.
#8 As a SAAS provider, I don’t access any of the data my customers enter in my App – Do I still count as a data controller for my customers?
You are a controller if you determine the purposes and means of processing the data. If you process data only on behalf of a controller (your customer), you are a processor, even if you never look at the data.
#9 I understand that by strictly complying with the GDPR, I would not be allowed to accept business cards at a trade fair without getting that person to somehow accept the privacy regulations of my organization. Is that true?
In the context of receiving a card at a conference, it is generally understood that the reasonable expectation of the individual handing over the card is that the data will be used to make first contact. For further information, please obtain appropriate legal advice.
#10 Instead of deleting a constituent’s data upon request, is it permissible to keep the data but anonymize the record? (i.e. replace the name with ‘anonymous’ and remove other personally identifiable markers.)
Anonymised data is not personal data, so it falls outside the GDPR. The caveat is that the anonymisation must be irreversible: replacing the name but leaving behind fields that still single the person out or can be joined to another dataset (hostname, email, customer number, precise timestamps) is pseudonymisation, and pseudonymised data is still personal data under the regulation.
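As an added example (not from the webinar and not Freshworks product code), the constructed dataset below shows why this caveat matters for question #7 as well as #10: tickets with the name replaced by ‘anonymous’ are re-identified by joining a retained hostname against an asset inventory, a k-anonymity check flags the records that still single out one person, and a genuinely anonymised form aggregates away every field that could be joined. All field names, hostnames and records are made up.

```python
from collections import Counter

# Constructed sample (not real data): helpdesk tickets after the requester's
# name was replaced with "anonymous", as proposed in question #10.
SCRUBBED_TICKETS = [
    {"id": 101, "name": "anonymous", "hostname": "Computer01",
     "postcode": "SW1A 1AA", "created": "2018-05-02T09:14:00"},
    {"id": 102, "name": "anonymous", "hostname": "Computer02",
     "postcode": "SW1A 1AA", "created": "2018-05-02T09:20:00"},
    {"id": 103, "name": "anonymous", "hostname": "Computer01",
     "postcode": "SW1A 1AA", "created": "2018-05-03T16:02:00"},
    {"id": 104, "name": "anonymous", "hostname": "Computer07",
     "postcode": "M1 1AE", "created": "2018-05-03T11:45:00"},
]

# Constructed second dataset: an asset inventory mapping hostname to user.
# CCTV footage, badge logs or HR records play the same role (question #7).
ASSET_INVENTORY = {
    "Computer01": "Alice Example",
    "Computer02": "Bob Example",
    "Computer07": "Carol Example",
}

# Fields that are not names but still narrow a record down to one person.
QUASI_IDENTIFIERS = ("hostname", "postcode", "created")


def link_records(records, lookup, key="hostname"):
    """Linkage attack: re-identify 'anonymous' records by joining one retained
    quasi-identifier against a second table. Returns {record id: person}."""
    return {r["id"]: lookup[r[key]] for r in records if r.get(key) in lookup}


def k_anonymity(records, quasi_identifiers):
    """Smallest number of records sharing the same quasi-identifier values.
    k == 1 means at least one record is unique in the set and therefore singles
    out one individual: the data is pseudonymised at best, not anonymised."""
    groups = Counter(tuple(r.get(q) for q in quasi_identifiers) for r in records)
    return min(groups.values()) if groups else 0


def anonymise(records, min_group=2):
    """Irreversible alternative to 'replace the name': drop the record id and
    every quasi-identifier, coarsen the timestamp to the month, and aggregate
    into counts, suppressing any month with fewer than min_group tickets.
    Nothing that remains can be joined to another dataset."""
    per_month = Counter(r["created"][:7] for r in records)  # "2018-05"
    return [{"month": m, "tickets": n}
            for m, n in sorted(per_month.items()) if n >= min_group]


def demo():
    """Show the scrubbed data failing both checks and the aggregate passing."""
    return {
        "reidentified": link_records(SCRUBBED_TICKETS, ASSET_INVENTORY),
        "k_scrubbed": k_anonymity(SCRUBBED_TICKETS, QUASI_IDENTIFIERS),
        "aggregate": anonymise(SCRUBBED_TICKETS),
        "reidentified_after": link_records(anonymise(SCRUBBED_TICKETS), ASSET_INVENTORY),
    }


if __name__ == "__main__":
    for key, value in demo().items():
        print(f"{key}: {value}")
```

Run as a script it prints the four results: every scrubbed ticket comes back with a name attached, k is 1, and the aggregate form is both useful for reporting and impossible to join against the inventory. A k-anonymity check is a necessary test, not a sufficient one; the point of the example is that the decision in question #10 hinges on which fields are removed, not on whether the name column reads ‘anonymous’.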
Contracts and Agreements
Data Processing Addendums (DPAs) with vendors need to incorporate the requirements set out in Article 28 of the GDPR. Ensure the required agreements and documentation are in place before the enforcement date of May 25, 2018. Whether to proactively reach out to customers with a DPA to sign, or wait for them to ask, is a call individual businesses need to make with appropriate legal advice.
Freshworks is revising our Terms of Service and Privacy Notice for GDPR compliance. As part of this we will provide all our EU customers with data processing clauses covering our obligations under the GDPR before May 25, 2018.
Vendors and Third-party Software
Who are subprocessors? Subprocessors are third-party businesses that perform data processing on behalf of another company; under the GDPR they are also accountable for the protection of personal data. For example, if a business uses an e-commerce engine like BigCommerce or Shopify that stores customer information, who is responsible for safekeeping the data, the business or the e-commerce platform? Both: the GDPR applies to each, and each has its own obligations to fulfil. Article 28 of the regulation covers this in detail.
Right to be Forgotten
The right to be forgotten, or right to erasure, entitles individuals to ask for their personal data to be erased and to prevent further processing. If an individual or user of your system asks to “be forgotten”, it is up to the controller to respond. For subject access requests, businesses must provide the requested information in an intelligible form. Note that the GDPR requires the controller to act on such requests without undue delay and at the latest within one month, extendable by two further months where requests are complex or numerous. In the case of Freshdesk, where we are the processor, we ask the individual to contact the controller (our customer) for these kinds of requests. Freshdesk also lets controllers service such requests from within the product.
As a data processor, a business is obliged to assist its customers (controllers) with an EU presence with appropriate measures for compliance, for example new data management (search/export/delete) capabilities within the product that let them meet their controller obligations. Some businesses are required to keep data such as invoices for regulatory reasons, and an invoice contains the customer’s name, address, phone, email and order details. In such cases personal data may be retained where necessary to comply with a legal obligation. Please obtain legal advice on which legal obligations apply to your business. The right to be forgotten is not absolute; the exemptions are listed in Article 17 of the GDPR.
Freshdesk: Freshdesk provides right-to-be-forgotten capabilities within the product. Please refer to the specific product documentation for the right-to-be-forgotten capabilities of each Freshworks product.
Data Protection Officer
The DPO is responsible for informing and advising the organisation and its employees of their obligations under the GDPR, as well as monitoring compliance, training staff, and conducting the audits the regulation requires. A DPO must be appointed if you:
- process special categories of personal data (or criminal conviction data) on a large scale as a core activity
- carry out regular and systematic monitoring of individuals on a large scale as a core activity, or
- are a public authority or body
Articles 37, 38 and 39 of the GDPR detail the qualifications, position and tasks of a data protection officer. For further clarification on what counts as large-scale processing for your organization, please contact your legal advisor.
GDPR at Freshworks
At Freshworks we optimize business value from our products and services by adhering to recommended standards and policies. Our cloud ecosystem therefore provides a robust and scalable platform for safe processing of your data and your customers’ data.
With respect to your use of Freshworks products, Freshworks is the data processor. A data controller is the entity or person that determines the purposes and means of processing the personal data of EU residents. For example, Freshworks is the data processor and Freshworks’ customers are the controllers of their EU users’ data.
The GDPR applies to both data controllers and processors. Controllers collect data from end users who are EU residents, for clearly stated purposes and on a lawful basis. Regarding controller-processor agreements with Freshworks, as mentioned above we will provide all our EU customers with data processing clauses covering our obligations under the GDPR before May 25, 2018.
If you missed the webinar, you can still register to receive a recording. Ensure you have nothing to worry about when the regulation comes into effect on May 25, 2018.