The General Data Protection Regulation (GDPR) comes into effect on 25 May 2018. It is a wide-sweeping data protection law that will set a new standard for global privacy rights and compliance. The scope of GDPR is very wide and will likely apply to you if you hold or process the data of an any person in the EU, whether you’re based in the EU or not.
This guide is to give you details on how Admailr is preparing for GDPR and provide you with an overview of the new requirements to help you prepare for GDPR.
Please note that this guide is for informational purposes only, and should not be relied upon as legal advice. We encourage you to work with legal and other professional counsel to determine precisely how the GDPR might apply to your organisation.
What is Admailr doing to prepare for GDPR?
At Admailr, we welcome the data privacy and security principles that GDPR emphasizes, and we’re committed to achieving compliance with the GDPR by 25 May 2018. Our preparation efforts are ongoing, but we’ve already made a lot of progress. These preparations include:
We’re updating our Data Processing Agreements (DPAs)
We’re reviewing and updating our internal data processes, procedures, data systems and documentation
We’re continuing to invest in our security infrastructure, to achieve International Compliance standards (SOC2, Privacy Shield)
We’re reviewing all of our vendors, to learn about their GDPR plans and to ensure we have GDPR-ready data-processing agreements with them
We’ve self-certified for International Data Transfers to comply with EU data-protection laws under the E.U.-U.S. Privacy Shield
We will release an updated Data Processing Agreement to ensure we can support our customers to lawfully transfer EU personal data to Emercury when GDPR comes into effect.
Overview of GDPR
What is GDPR?
At its core, GDPR is a new set of rules designed to give citizens more control over their data. It aims to simplify the regulatory environment for business so both citizens and businesses can fully benefit from the digital economy.
Who does GDPR apply to?
The “extra-territorial” application of GDPR applies all organizations that process the personal data of EU residents or monitor individuals' behaviours conducted within the EU, regardless of the entity's location.
“Personal data” is broadly defined and means anything that can be used to directly or indirectly identify an individual, including name, photo, email, bank details, social network posts, DNA, IP addresses, cookies, and location data.
Sensitive personal data, such as health information or information that reveals a person’s racial or ethnic origin, will require even greater protection. You should not store data of this nature within your Emercury account.
Regardless of whether or not you believe your business will be impacted by GDPR, GDPR and its underlying principles may still be important to you. European law tends to set the trend for international privacy regulation, and greater privacy awareness now may increase your competitive advantage in the future.
Controller vs Processor
GDPR outlines different requirements for Controllers (entities who determine the purposes and means of the processing of personal data) and Processors (entities who process personal data as directed by a Controller).
Controllers will retain primary responsibility for data protection (including, for example, the obligation to report data breaches to data protection authorities); although GDPR does place some direct responsibilities on the processor too. Therefore it is important to work out whether you are acting as a controller or a processor, and, as such, to understand your obligations.
Admailr occupies the role as a processor under the GDPR, because Admailr processes the data it collects through its technology solely on behalf of our customers without the right to define our own processing purposes. For example, we will process data received or generated via a campaign only for our customers’ purposes; Admailr does not own any of this data.
In addition, Admailr maintains a "Profiler", a database that stores the known identifiers that correlate to our customers’ end users. Admailr stores identifiers in its "Profiler" solely for the purposes of our customers, and thus is a processor of this data as well. Customers contribute identifiers to the Admailr Profiler in order to benefit from the identifiers added by other customers to the "Profiler".
Customers at all times remain in control of the personal data processed on their behalf by Admailr.
Some key points to note in respect of GDPR:
Data protection by design and default
Under the “privacy by design” requirement of GDPR, you will need to design compliant policies, procedures and systems at the outset of product development. The “privacy by default” principle will require that, by default, only personal data that is necessary for a specific purpose is to be processed.
Lawfulness of processing
You will need to ensure that all processing of data is based on a lawful ground for processing. These are consent, performance of a contract, legal obligation, protection of vital interests, tasks carried out in the public interest, or legitimate interest balanced against the fundamental rights of data subjects.
Under GDPR, you might need to obtain consent to process the personal data of your customers or change how you currently obtain that consent. In particular, GDPR says that consent must be "freely given, specific, informed and unambiguous." You will need to review existing consent mechanisms, to ensure they present genuine and granular choice.
GDPR includes specific parental-consent requirements when processing the personal data of users under the age of 16 (or lower depending on the country). You should consider whether parent consent is required and whether you need to change how you process customer data to either obtain parental consent or stop processing the date of customers under the age of 16.
Personal data breach notification
Data breaches must be notified to the relevant supervisory regulator as soon as possible, and in any event within 72 hours of the breach being identified. GDPR states that breaches that are unlikely to result in risks to individuals do not require reporting.
Data Protection Officer
Processors processing a significant volume of data, or processing ‘sensitive’ data, may be required to appoint a data protection officer (DPO). DPOs will be responsible for monitoring the data processing activities of the business and ensuring compliance with GDPR. It is expected that certain businesses may voluntarily appoint a DPO to help demonstrate an adoption of best practice procedures and strengthen any defence to regulatory investigation.
Enhanced rights for data subjects
EU citizens will have several important new rights under GDPR, including the right to be forgotten, the right to object, the right to rectification, the right of access, and the right of portability.
Non-compliance with GDPR can result in very high financial penalties. Organizations in breach of GDPR can be fined up to 4% of annual global turnover or €20 Million (whichever is greater).
How to make a GDPR request to Admailr
How do you find out what data we hold on you?
If you want to find out all of the information that we hold on you, please send us an email to privacy @admailr.com and we will respond as soon as we are able with everything that we have (well within the 30 days set out in the GDPR).
How do you get your data removed from our systems?
Send an email to privacy @admailr.com and we’ll let you know what we can delete, how quickly we can delete it, and the reasons behind our decision.
What if you have further questions?
Again, just ask us. Send an email to privacy @emercury.net and we’ll get back to you as soon as we can with an answer.
Further reading on GDPR
Need more information? Below are links to some helpful GDPR resources: