GDPR, What You Need to Know

Hello, Gmelius Community! On the 25th of May, 2018, the EU General Data Protection Regulation (GDPR) came into effect.

You’ve been likely hearing a lot about the GDPR over the last months and probably receiving an influx of “we updated our Privacy Policy” emails over the last days, but let’s take a step back for a moment.

This is not something new; a data protection legislation in the EU has been active for over two decades! The eight data protection principles of the 1995 EU Data Protection Directive, have been since governing the treatment of personal data by companies/organizations in the EU, and the new GDPR actually builds on these principles and enhances them.

Whether you’re a B2B or B2C, big or small, headquartered in the EU or not, we recommend you to familiarise yourself with the changes under the GDPR.

Here is, therefore, an overview of the regulation and its implications, to help you get started.

Please kindly note this is for general information and is not intended to constitute legal advice. We encourage you to consult with your own legal counsel to familiarize yourself with the requirements that govern your specific obligations under the GDPR.

What is GDPR anyway?

GDPR stands for General Data Protection Regulation. It regulates how companies can collect, process, and use personal data from EU individuals. It also dictates how companies must respond in the case of a data breach and/or a request from an EU resident to have his or her data deleted.

It’s primarily a set of laws aimed at enhancing the protection of EU citizens’ personal data and increasing the obligations of organizations to deal with that data in transparent and secure ways.

What constitutes personal data according to GDPR?

The GDPR defines personal data as any information that can be used to directly or indirectly identify a person, e.g., a name, a national ID number, an address, or even an IP address.

The new Regulation requires for personal data:

• to be collected to fulfill a specific purpose and to be used for that purpose exclusively.
• to be processed only in a fair, legal, and transparent way.
• to not to be withheld for longer than necessary after fulfilling its purpose.

This is an EU legislation, how does it affect me?

The territorial scope of the GDPR is far broader and applies not only to EU-based businesses but also to any company/organization that controls or processes data of EU citizens and residents.

In particular, it even applies to non-EU businesses who either market their products to people in the EU or monitor the behavior of people in the EU.

In other words, even if you’re based outside of the EU, but you control or process the data of EU citizens and residents, the GDPR applies to you too, that means essentially that any company with an online presence may be impacted.

What about the UK, will Brexit impact the compliance for businesses based in the UK?

Even though the UK is planning to leave the EU, the UK will still need to comply with the GDPR. Moreover, the UK has drafted legislation to update their current Data Protection Act to the standards of the GDPR, currently going through the Parliament.

How does my organization ensure our compliance?

It all comes down to your role in managing user data.

Source: F-Secure — https://blog.f-secure.com/quick-guide-to-gdpr-concepts

Data Controller

You are a data controller if your company / organization collects people’s personal data and makes decisions about what to do with it.

Data Processor

You are a data processor if your company / organization doesn’t decide what to do with the data but processes said data based on the instructions given by the controller.

You could be assigned both roles and act simultaneously as controllers and processors. For instance, Gmelius acts as a data processor for its users by offering its CRM solution but also acts as a data controller when members of the Gmelius team interact with clients or partners.

Regardless of your role, you need to put processes in place to follow through on requests from your users regarding their personal data and comply with applicable data privacy legislation accordingly.

It is worth mentioning that your users in the EU have the right to access their own personal data. They can request a copy of their data, request that their data be updated, deleted, restricted, or transported to another organization.

The full legislation text can be accessed here.

Gmelius’ Commitment to GDPR Compliance and Data Privacy

At Gmelius, we’re committed to full transparency, and that’s something that will never change. With that in mind, we use the new legislation as an opportunity to make some changes to our Privacy Policy and Terms of Service, that we consider fundamentally beneficial for our community.

We made these important changes, summarized below, with the aim to empower you to make the best decisions about the information that you share with us.

• Our Privacy Policy has been slightly rewritten to make easier to understand what types of data we collect and how we use your data. Please take time to read it.
• Updated age requirements: In our Terms of Service, we’ve changed the legal age of consent from 13 to 16 years.
• An overview of our Security Policies and Technology is now available on our website, and it’s worth a read!
• We added a Data Processing Addendum (DPA). If you are (or your use of our services) is subject to the GDPR, you can read and accept it by signing in to your Gmelius Dashboard.

The changes noted above are just highlights; for further information about Gmelius and GDPR, please visit our legal page or directly contact us to speak with a friendly member of the team.