Whether you're B2B or B2C, big or small, you've probably heard about the EU's new regulation, the General Data Protection Regulation (GDPR).
It's a new set of rules aimed at strengthening the protection of personal data of people in the EU and increasing the obligations of organizations to handle that data in transparent and secure ways.
The GDPR applies not only to EU-based businesses, but to any business that controls or processes the personal data of people in the EU, wherever that business is located.
At Portfolium, our entire organization is hard at work ensuring that our own practices are GDPR-compliant.
But equally important to us is helping you, our partners and customers, understand what the GDPR means for your businesses and build compliant processes of your own.
A big piece of that is ensuring that the Portfolium platform sets you up for GDPR compliance.
In full transparency, while the existing product can be used in a way that helps to comply with the GDPR, doing so can be difficult and involve complex workarounds.
What it Means
Lawful basis of processing
You need a legal reason to use users' data. That reason could be consent (users opted in) with notice (you told users what they were opting into), performance of a contract (e.g. users are your customers and you need to send them a bill), or what the GDPR calls "legitimate interest" (e.g. users are customers and you want to tell them about products related to what they already have; this basis requires you to weigh your interest against the users' rights). You need the ability to track that reason (also known as "lawful basis") for each contact.
One type of lawful basis of processing is consent with proper notice. In order for users to grant consent under the GDPR, a few things need to happen:
- They need to be told what they're opting into. That's called "notice."
- They need to affirmatively opt in (pre-checked checkboxes aren't valid). Filling out a form does not by itself opt users into everything your company sends.
- The consent needs to be granular, meaning it needs to cover the various ways you process and use users' personal data (e.g. marketing email or sales calls). You must log auditable evidence of what users consented to, what they were told (notice), and when they consented.
Withdrawal of consent (or opt out)
Users (as data subjects) need the ability to see what they're signed up for and to withdraw their consent (or object to how you're processing their data) at any time. In other words, withdrawing consent needs to be as easy as giving it.
Cookies
Users need to be given notice that you're using cookies to track them (in language they can understand) and need to consent to being tracked by cookies. *** We know the ePrivacy Regulation is coming and that it may change how cookies are regulated. We'll adjust our product accordingly.
Right to deletion
Users have the right to request that you delete all the personal data you have about them. The GDPR requires the permanent removal of the user's contact record from your database, including email tracking history, call records, form submissions and more. You'll generally need to respond to the request without undue delay and within one month (extendable for complex requests). The right to deletion is not absolute and depends on the context of the request, so it doesn't always apply (for example, where you must retain records to meet a legal obligation).
Access / Portability
Just as users can request that you delete their data, they can request access to the personal data you have about them. Personal data is anything that identifies them, like their name and email address. If they request access, you (as the controller) need to provide a copy of the data, in some cases in a structured, machine-readable format (e.g. CSV or JSON). Users can also ask to see and verify the lawful basis for processing (see above).
Rectification
Just as they can request to delete or access their data, users can ask your company to correct their personal data if it's inaccurate or incomplete. When they do, you need to be able to accommodate that request.
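The requirements above (track a lawful basis per contact, log what users consented to, which notice they saw and when, make withdrawal as easy as granting, reject pre-checked consent, and answer access and deletion requests while remembering that deletion is not absolute) map onto a small append-only consent ledger. The following is an added example written for this page; it is not Portfolium's code, and the class, method and purpose names (`ConsentLedger`, `marketing_email`, `sales_call`, the legal-hold flag) are assumptions chosen for illustration.

```python
"""Append-only consent ledger (illustrative design, not Portfolium code)."""
from __future__ import annotations

import csv
import hashlib
import io
import json
from dataclasses import dataclass, asdict
from datetime import datetime, timezone
from typing import Dict, List, Optional, Set

LAWFUL_BASES = {"consent", "contract", "legitimate_interest"}


@dataclass(frozen=True)
class ConsentEvent:
    contact_id: str
    purpose: str        # granular purpose, e.g. "marketing_email", "sales_call"
    action: str         # "grant" or "withdraw"
    notice_sha256: str  # hash of the exact notice text shown at the time
    at: str             # ISO-8601 UTC timestamp
    source: str         # where it happened, e.g. "signup_form"


def _now() -> str:
    return datetime.now(timezone.utc).isoformat()


class ConsentLedger:
    """Events are only appended, never edited: the log itself is the audit evidence."""

    def __init__(self) -> None:
        self._events: List[ConsentEvent] = []
        self._basis: Dict[str, str] = {}     # contact -> lawful basis
        self._legal_hold: Set[str] = set()   # contacts whose records must be kept

    def set_lawful_basis(self, contact_id: str, basis: str) -> None:
        if basis not in LAWFUL_BASES:
            raise ValueError(f"unknown lawful basis: {basis}")
        self._basis[contact_id] = basis

    def lawful_basis(self, contact_id: str) -> Optional[str]:
        return self._basis.get(contact_id)

    def grant(self, contact_id: str, purpose: str, notice_text: str,
              source: str, prechecked: bool = False, at: Optional[str] = None) -> None:
        # Consent must be an affirmative act: a pre-ticked box is not consent.
        if prechecked:
            raise ValueError("pre-checked consent is not valid under the GDPR")
        digest = hashlib.sha256(notice_text.encode("utf-8")).hexdigest()
        self._events.append(ConsentEvent(contact_id, purpose, "grant", digest, at or _now(), source))

    def withdraw(self, contact_id: str, purpose: str, source: str,
                 at: Optional[str] = None) -> None:
        # Withdrawal is one call with no extra conditions, i.e. as easy as granting.
        self._events.append(ConsentEvent(contact_id, purpose, "withdraw", "", at or _now(), source))

    def consents(self, contact_id: str) -> Dict[str, bool]:
        """Current state per purpose: replay the log in order, latest event wins."""
        state: Dict[str, bool] = {}
        for e in self._events:
            if e.contact_id == contact_id:
                state[e.purpose] = e.action == "grant"
        return state

    def is_consented(self, contact_id: str, purpose: str) -> bool:
        return self.consents(contact_id).get(purpose, False)

    def export(self, contact_id: str, fmt: str = "json") -> str:
        """Access/portability: everything held about the contact, machine-readable."""
        rows = [asdict(e) for e in self._events if e.contact_id == contact_id]
        if fmt == "json":
            return json.dumps({"contact_id": contact_id,
                               "lawful_basis": self.lawful_basis(contact_id),
                               "events": rows}, indent=2)
        buf = io.StringIO()
        writer = csv.DictWriter(buf, fieldnames=list(ConsentEvent.__dataclass_fields__))
        writer.writeheader()
        writer.writerows(rows)
        return buf.getvalue()

    def place_legal_hold(self, contact_id: str) -> None:
        self._legal_hold.add(contact_id)

    def erase(self, contact_id: str) -> int:
        """Right to deletion: remove every record for the contact; returns the count.
        Refuses when a legal hold applies, because the right is not absolute."""
        if contact_id in self._legal_hold:
            raise PermissionError("erasure refused: records are under legal hold")
        before = len(self._events)
        self._events = [e for e in self._events if e.contact_id != contact_id]
        self._basis.pop(contact_id, None)
        return before - len(self._events)
```

Hashing the notice text rather than storing it inline keeps the log small while still proving which wording a user saw; keep the notice versions themselves in a separate table keyed by that hash. Real deployments would persist the events to an append-only store and propagate `erase()` to every downstream copy (email tracking, call records, form submissions), which is the hard part the code above only hints at.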
The GDPR requires a slew of data protection safeguards.