This article has been provided as a resource, but it is not legal advice. Please speak to your legal counsel to learn how the General Data Protection Regulation (GDPR) may affect your organization. This information is not the same as legal advice, where an attorney applies the law to your organization. You should consult an attorney if you would like advice on your interpretation of this information, the links provided, or its accuracy. You should not rely on this page as legal advice.
What is GDPR?
The General Data Protection Regulation (GDPR) is a new European Union regulation which will replace the 1995 EU Data Protection Directive (DPD). It is designed to enhance the protection of the personal data of individuals in the EU and to increase the obligations of organizations that collect or process personal data. The regulation includes several new provisions to protect the rights of individuals over their data and adds harsher penalties for violations.
When does GDPR take effect?
This regulation will be enforceable on May 25, 2018.
Does GDPR apply to my organization?
If your organization has collected, or will collect, personal data of any individual located in the European Union (which at the time of writing still includes the United Kingdom), you will need to comply with the GDPR. This applies whether or not your organization itself is based in the EU, and regardless of the individual's citizenship.
Are there penalties for not complying?
Yes. For the most serious infringements, fines of up to 20,000,000 EUR or up to 4% of total worldwide annual turnover of the preceding financial year, whichever is higher. See more here:
https://gdpr-info.eu/art-84-gdpr/
https://gdpr-info.eu/art-83-gdpr/
What is Personal Data?
Personal data is any information relating to an identified or identifiable natural person, whether the person can be identified directly or indirectly. This includes but is not limited to name, email, address, phone, identification numbers, DOB, and online identifiers such as IP addresses and cookie IDs, among many other personally identifiable data fields.
How do I Obtain Consent?
If you are planning on collecting personal data from anyone in the EU you must have a lawful basis, such as consent, for doing so. GDPR allows other lawful bases for processing personal data (for example, performance of a contract), but for marketing lists the most common one is consent. To be valid, consent must be freely given, specific, informed and unambiguous, given by a clear affirmative action, and you must be able to demonstrate that it was given. Withdrawing consent must be as easy as giving it.
Consent is verifiable when a record of when and how someone agreed to let you process their personal data can be produced upon request. The request for consent must also be concise, clearly distinguishable from other matters and written in plain language. In other words, no pre-checked consent boxes, no consent bundled into terms and conditions, and no vague language.
What About Existing Contacts / Lists?
If consent is your lawful basis, any contact within the EU that you already have must be covered by consent that meets the GDPR standard. Consent collected earlier only remains valid if it was obtained in a way that already meets that standard and you can demonstrate it; otherwise you will need to collect it again. To do so, set up a GDPR-enabled form. Then send an email that links to this form to all contacts within the EU with a request to update their information and confirm their consent. If they do not respond, you should consider removing them from your list entirely, since silence or inactivity does not count as consent.
About Individual Rights
The GDPR outlines the rights of individuals within the EU around their personal data. Individuals in the EU have the right to:
- Access their personal data
- Correct errors in their personal data
- Erase their personal data
- Object to processing of their personal data
- Export personal data
- Restrict processing of their personal data
- Not be subject to a decision based solely on automated processing, including profiling, that produces legal or similarly significant effects
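The consent section above says a record of "when and how" someone agreed must be producible on request, and the list above names the rights that record has to support. As an added illustration (not SoSimple's code, and not taken from this article), here is a small Python consent ledger that refuses pre-checked or un-ticked consent boxes, stores the timestamp, capture method and a fingerprint of the exact consent wording shown, and implements access, rectification, portability export and erasure on top of it. The class and field names, the NEWSLETTER_TEXT_V1 wording and the in-memory store are assumptions standing in for a real form database or CRM.

```python
import hashlib
import json
from dataclasses import dataclass, asdict
from datetime import datetime, timezone
from typing import Optional

# Assumed consent wording. Hashing the exact text lets you prove later which
# version of the legal text the person saw when they ticked the box.
NEWSLETTER_TEXT_V1 = "Yes, email me the monthly newsletter. I can unsubscribe at any time."


def text_fingerprint(text: str) -> str:
    """SHA-256 of the exact consent text shown at the time of consent."""
    return hashlib.sha256(text.encode("utf-8")).hexdigest()


@dataclass
class ConsentRecord:
    subject_id: str
    purpose: str                  # what the data is used for, e.g. "newsletter"
    method: str                   # how consent was captured, e.g. "web-form"
    text_hash: str                # fingerprint of the wording the person saw
    given_at: str                 # ISO-8601 UTC timestamp of the affirmative action
    withdrawn_at: Optional[str] = None


def _now_iso(now: Optional[datetime] = None) -> str:
    return (now or datetime.now(timezone.utc)).isoformat()


class ConsentLedger:
    """In-memory stand-in for the form database / CRM (assumed design)."""

    def __init__(self) -> None:
        self.profiles: dict = {}      # subject_id -> personal data fields
        self.consents: list = []      # append-only list of ConsentRecord

    def record_consent(self, subject_id, purpose, method, consent_text,
                       box_ticked, box_prechecked=False, now=None) -> ConsentRecord:
        # Consent needs a clear affirmative action. A pre-ticked box, or a box
        # the person never ticked, does not establish consent, so refuse it.
        if box_prechecked:
            raise ValueError("a pre-checked consent box cannot establish consent")
        if not box_ticked:
            raise ValueError("no affirmative action: consent was not given")
        rec = ConsentRecord(subject_id, purpose, method,
                            text_fingerprint(consent_text), _now_iso(now))
        self.consents.append(rec)
        return rec

    def withdraw(self, subject_id, purpose, now=None) -> int:
        """Withdrawal must be as easy as giving consent; marks active records."""
        count = 0
        for rec in self.consents:
            if (rec.subject_id == subject_id and rec.purpose == purpose
                    and rec.withdrawn_at is None):
                rec.withdrawn_at = _now_iso(now)
                count += 1
        return count

    def has_consent(self, subject_id, purpose) -> bool:
        return any(r.subject_id == subject_id and r.purpose == purpose
                   and r.withdrawn_at is None for r in self.consents)

    def proof_of_consent(self, subject_id, purpose) -> list:
        """The 'when and how' records you hand over on request."""
        return [asdict(r) for r in self.consents
                if r.subject_id == subject_id and r.purpose == purpose]

    # --- individual rights ------------------------------------------------
    def access(self, subject_id) -> dict:
        """Right of access: everything held about the person."""
        return {"profile": dict(self.profiles.get(subject_id, {})),
                "consents": [asdict(r) for r in self.consents
                             if r.subject_id == subject_id]}

    def rectify(self, subject_id, **corrections) -> dict:
        """Right to rectification: update fields, return the corrected profile."""
        self.profiles.setdefault(subject_id, {}).update(corrections)
        return dict(self.profiles[subject_id])

    def export_json(self, subject_id) -> str:
        """Right to portability: structured, commonly used, machine-readable."""
        return json.dumps(self.access(subject_id), indent=2, sort_keys=True)

    def erase(self, subject_id) -> int:
        """Right to erasure: drop the profile and every consent record."""
        before = len(self.consents)
        self.consents = [r for r in self.consents if r.subject_id != subject_id]
        removed = before - len(self.consents)
        if self.profiles.pop(subject_id, None) is not None:
            removed += 1
        return removed
```

The ledger deliberately stores a hash of the consent text rather than a free-form note, so that when the wording changes you can show which version each person agreed to; keep the full text of every version elsewhere so the hash can be matched back to it.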
Children
GDPR will bring in special protection for children's personal data, particularly in the context of online services offered directly to children (such as social networking). Where consent is the lawful basis, a child below the age of 16 cannot give it alone and the consent of a parent or guardian is required; individual member states may lower this threshold to no less than 13. If your organization collects data from children, you will need to look into these rules for any child residing within the EU. Read more:
https://gdpr-info.eu/art-8-gdpr/
Data Breaches
Significant changes in notification procedures have been adopted for GDPR. A personal data breach must be reported to the supervisory authority without undue delay and, where feasible, within 72 hours of becoming aware of it, unless it is unlikely to result in a risk to individuals; where the breach is likely to result in a high risk, the affected individuals must also be informed without undue delay. Read more:
https://gdpr-info.eu/art-33-gdpr/
Data Protection Officers
Many organizations will need to designate a Data Protection Officer; Article 37 sets out when one is mandatory, for example for public authorities or where core activities involve large-scale monitoring of individuals or large-scale processing of special categories of data. You should decide who this will be, or otherwise identify someone to take responsibility for data protection compliance. Read more about the officer's tasks:
https://gdpr-info.eu/art-39-gdpr/
Here is what SoSimple has done to prepare
SoSimple offers a number of tools to help our clients comply with GDPR.
Obtain Clear and Concise Consent
Collecting clear consent is an important step in GDPR compliance. If you are collecting personal data on any individual within the European Union you can enable our GDPR-compliant settings. These settings will capture a date and consent method for every form entry. In addition, form sections may be used to add legal text describing the intended use of the information gathered, together with a consent checkbox that provides the lawful basis for collecting the data. Our GDPR fields include checkboxes for opt-in consent, and editable text areas allowing you to clearly explain how the data will be used. Data is stored for later use, edits, requests for erasure or requests for data export.
Notices
For clients requiring notices to show on their website, a GDPR notice can be enabled. This notice shows up in 2 scenarios:
- When signing into a password protected area like a portal or intranet
- When using a form that is set up to be multi-step
Access their personal data
You may export your list from Community Manager or the database attached to any Form Builder page type to provide access to an individual’s information. Both of these methods allow you to delete records.
Correct errors in their personal data
Within Community Manager, you can edit any record and export proof of any requested change. Within our Form Builder page type, submissions may be exported and edited within your CRM of choice or within an Excel document.
Erase their personal data (Right to be forgotten)
Records within Community Manager or individual submissions within our Form Builder Page type can be deleted at any point. Users may also opt out of email lists and request complete deletion from this opt out function.
Object to processing of their personal data
During the opt-in process on any form, users will have the ability to opt out of any specific field of an online form. Additionally, they will have the ability to opt out of specific distribution lists, or all lists, from any email that your organization sends through Community Manager.
Export personal data
You may export your list from Community Manager or the database attached to any Form Builder page type to provide an individual's information. For data portability requests, supply the export in a structured, commonly used and machine-readable format (for example CSV) rather than a printout or a formatted report.
Helpful Links
Free Toolkits to assess your organization’s readiness for GDPR
https://ico.org.uk/for-organisations/resources-and-support/data-protection-self-assessment/
ICO’s 12 Steps - Preparing for the General Data Protection Regulation (GDPR)
https://ico.org.uk/media/1624219/preparing-for-the-gdpr-12-steps.pdf
Full text of the GDPR
https://gdpr-info.eu/
European Commission
https://ec.europa.eu/info/law/law-topic/data-protection_en