GDPR (General Data Protection Regulation) came into effect on May 25th 2018. It is a European privacy regulation which will replaced an older EU Data Protection Directive. The aim of GDPR is to strengthen the privacy rights of EU individuals, place higher demands on how companies manage and protect personal information used in their businesses.
What are the key changes?
The basic idea behind the regulation is to adapt to the changes of the internet and other aspects that are different in our society compared to when previous rules were established back in 1995.
- Consent - Conditions for consent to capture personal data have been strengthened. As businesses we need to be mindful of how we help people understand why we collect any information about them we need, keep the information safe and ensure that we only store this information for as long as absolutely necessary.
- Increased geographical scope - A company does not need to be based in the EU to be affected. Any company that has data that can be attributed to an EU individual needs to comply with the regulation, regardless if the company is based in the United States, India or China. Any organization that processes personal data of EU individuals is within the scope of the law, regardless of whether the organization has a physical presence in the EU.
- Data Protection Officer - All companies needs to have policies in place for how to manage GDPR compliance, a documented audit trail and a dedicated Data Protection Officer that is responsible for these internal processes
- Penalties - GDPR has teeth, folks! Organizations in breach of GDPR can be fined up to 4% of annual global turnover or €20 Million (whichever is greater).
That’s of course not all of it, and changes have been made with regards to data breaches, the individual's right to access, the individual’s right to be forgotten, data portability, and privacy by design.
For more information on these changes, please visit: https://www.eugdpr.org/the-regulation.html
What is affected by GDPR?
GDPR regulates the “processing” of data for EU individuals. This means collection, storage, transfer or use of information that can be directly or indirectly attributed to an individual.
What’s considered “personal data” is very broad and covers any information relating to an identified or identifiable individual such as:
- e-mail
- phone number
- photo
- security number etc.
And according to GDPR there is additional data that is also protected, called sensitive data. This covers things like:
- race or ethnic origin
- political opinions, religious or philosophical beliefs
- memberships in unions
- processing of genetic data, biometric data to uniquely identify a person
- information on the sexual or sexual orientation of a person
- health data
How does this affect you as a customer?
The oversimplified advice on how to deal with these changes is to:
- Only save the information that you absolutely need in order to manage your business
- Only save it for as long as absolutely necessary
- Information potentially categorized as sensitive information is incredibly hard to defend against GDPR and should be avoided by internal policies and audits
What is Membrain doing to be GDPR Compliant?
Membrain is committed to ensure everyone's integrity and that our software makes it possible and easy(!) to live up to the GDPR requirements.
Our team is hard at work reviewing, updating and expanding our tools to help you manage your clients privacy and understand their choices with respect to their personal data.
Below are just 3 of many ways Membrain is evolving to help with:
- Anonymizing data - (Right to be forgotten)
As well as new requirements on gaining consent for data capture and processing, GDPR also makes it clear that consent can be withdrawn and revoked at any time. This means that an individual can request for their data to be removed or deleted when there is no compelling reason for a business to continue processing that information.
What's new! Updated functionality when deleting contacts will adhere to this requirement, and allow for additional options, including a full GDPR Delete
Learn more about this feature here Delete Forever (GDPR)
- Exporting all personal information upon request (Right of access)
Individuals have the right to access their personal data and supplementary information. With the new regulations, individuals will have the right to obtain confirmation that their data is being processed and also request access to this personal data.
Whats new! A specific "GDPR Export" simplifies this type of request, and will allow you to gather and export personal data about a Contact in line with GDPR requirements.
Learn more about this feature here Export (GDPR)
- Providing guidance within Membrain - now and into the future
We at Membrain are dedicated to ensuring that staying within the GDPR guidelines while using Membrain is as easy and straight forward as possible for our customers.
There are several new principles for businesses that handle personal data, including a requirement to build in data privacy by design when developing new systems. Therefore, we must take into account any potential impact that our current and future development projects and initiatives might have, in relation to GDPR requirements and how our customers use Membrain. This allows us to identify potential privacy issues before they arise, giving us time to find ways to mitigate them before the project is underway.
Where can I learn more about GDPR?
You can read more about what we at Membrain are doing to help our customer stay compliant here https://www.membrain.com/GDPR
And for additional information, the following pages have a lot of helpful resources to learn more:
