Steps to Prepare

• Data Mapping—Determine (and document) the following:
  • What personal data do you possess or collect?
  • What purpose(s) is the personal data used for?
  • Where did this data come from, and what parties has it been shared with?
  • Where does this data currently reside?
  • How long is the data stored?
  • How will this data be deleted or modified if a data subject submits a request?
• Rights—Check your current procedures to ensure that you can comply with data subjects’ rights. EU citizens have the right to access their own personal data. They can also request a copy of their data, and that their data be updated, deleted, restricted, or moved to another organization without hindrance, in certain circumstances.
• Consent—When relying on consent as the ground for processing personal data, address how you pursue, obtain, and document consent. For certain (but not all) types of activities, consent should generally be obtained from an individual in order to use their data—for example, when processing special categories of personal data. The GDPR states that consent should be given by a clear affirmative act—silence, pre-ticked boxes, or inactivity will typically not constitute consent. Consent should also be informed. Organizations will have to provide information about why they’re collecting the personal data and what it will be used for. You will also be required to maintain a record of all consent obtained, including who consented, when, and what specific statements they consent to. EU individuals will have the right to withdraw consent at any time.
• Privacy Policies – Review your current privacy policy and determine if any updates are needed.
• Product Design – You should build privacy by design into projects and consider how you can minimize the privacy impact of your products. Try to use pseudonymization, anonymization, and encryption where appropriate or necessary. More detailed information about privacy by design can be found in Article 25 of the GDPR.
• Data Breach Procedures – Ensure that you have procedures in place to detect, report, and investigate any data breaches. The GDPR requires organizations to report a breach to data protection authorities generally within 72 hours of detection unless the breach is unlikely to result in a risk to the privacy rights of individuals.
• Data Protection Officer – Determine if you should appoint a data protection officer (DPO). The GDPR states that a DPO must be appointed when the core activities of the organization involve “regular and systematic monitoring of data subjects on a large scale” or where the organization conducts large-scale processing of “special categories of personal data.” The DPO is responsible for overseeing compliance with the GDPR requirements and serves as the point of contact between the organization and supervisory authorities.
• Third-Party Providers – Make a list of all the third-party solutions you currently use (including website tracking cookies) that have access to or process data subjects’ personal data. You should review all of your contracts with third-party providers. Include confidentiality and data privacy clauses in your contracts which, where necessary, are GDPR compliant. Ask third-party providers that you have determined are in scope whether they are compliant with GDPR regulation.
• Awareness – Educate your employees about GDPR and its impact on the collection and handling of customers’ personal data.

 How Does This Affect using Geelus?

All users concerned with the GDPR need to address how they pursue, obtain, and document consent where it is needed. Your customers will also want to ensure that they can update, delete, restrict, or move an individual’s data if requested.

To ensure compliance with the GDPR, you should provide individuals with choices regarding marketing (e.g. obtain opt-ins and maintain a preferences page on their account) and set expectations.

You should also remove recipients (by unsubscribing them through Geelus) who have withdrawn consent and consider removing recipients who appear to have stopped engaging with your brand for a long time. Consent to send messages is not forever. If a recipient agrees to receive messages from you at some point, marketers should still consider stopping sending marketing communications after a certain point, even without blatant requests for an unsubscribe or a spam complaint. This is one of the easiest ways to maintain a good reputation at major mailbox providers.

Marketers will also want to keep a record of consent because the GDPR isn’t just about collecting consent, but also about keeping a record of this consent. The GDPR requires companies to maintain a detailed record of the consents obtained and to give EU individuals the right to ask when and how their consent was given, and withdraw it freely at any time. If the person doesn’t want their email address or phone number used, they can ask for it to be removed from your email or SMS marketing lists.

 What Else is New Under the GDPR?

• Online Identifiers: The GDPR expands the definition of personal data to include online identifiers such as device IDs, IP addresses, ad IDs, and cookie identifiers.
• Age Restrictions:  When obtaining consent from a person under the age of 16, parental consent is required, including making “reasonable efforts” to verify that the consent is from the parents, not the child. Additionally, different member states can set a lower requirement of 13.
• Processing: For the first time, the GDPR imposes direct legal obligations on data processors meant to ensure that processors protect data appropriately, assist with data subject requests, and provide notice and a right to object to the use of sub-processors.
• Automated Decision-Making:  Automated decision-making is processing (including profiling) that produces a decision that legally or significantly affects an individual without human intervention. Without explicit consent, individuals must not be subject to automated decision-making.
• Enforcement: Failure to comply could mean a €20 million fine or 4% of your organization’s global turnover, whichever is greater. Authorities also have the power to carry out audits, obtain access to an organization’s premises, and resolve individual complaints.

 Geelus and the GDPR

Geelus believes the GDPR is a significant step forward in data privacy and supports the GDPR’s emphasis on strong data privacy protections and security principles. Geelus is committed to ensuring that it is GDPR compliant when the law becomes enforceable on May 25, 2018, and is dedicated to helping our customers become GDPR compliant.

Geelus’s steps to ensure it is GDPR-ready include:

• Making available a GDPR-compliant Customer Data Processing Agreement for Geelus’ processing of personal data under the GDPR on behalf of its customers. If your use of Geelus requires Geelus to process personal data within the scope of the GDPR, Geelus’ GDPR Data Processing Addendum is available for signature here.
• Vendor agreements review: To ensure that our customers’ personal data is protected all the way down the sub-processing chain, we are reviewing our vendor agreements and putting GDPR-compliant terms in place with vendors and service providers who process GDPR personal data on our behalf.
• Making behind the scene changes to ensure that the Geelus platform and services are GDPR compliant and support GDPR rights: Including implementing changes focusing on access controls, account and record deletion, security, storage, and audits. Geelus is also internally working with our engineering, product, and security teams to ensure that we are able to help our customers to respond to any data subject requests that they may receive and proactively ensure GDPR compliance for every new product or enhancement.
• Evaluating our Privacy and Cookie Notices and making any updates as needed.

FAQs

Can you be a processor of some data and a controller of other data at the same time?

• Yes. Many companies that are data processors of some personal data are also data controllers of other personal data. The concept of whether you are a controller or processor is based on your processing different categories of personal data and does not apply to your company as a whole. Your obligations under the GDPR will depend on whether you are acting as a data controller or a data processor in connection with each category of personal data.

Does the GDPR require EU personal data to stay within the EU?

• No, the GDPR does not require EU personal data to stay in the EU. However, the GDPR does require that a valid transfer mechanism is in place to protect the data before it leaves the EU.

Does processing EU personal data always require the data subject’s consent?

• No. Consent is only one of the legal bases that can be used for the processing of personal data. For example, personal data can also be processed:
  • When necessary for the performance of a contract to which the data subject is a party;
  • When an organization has a legal obligation to do so (such as the submission of employee data to tax authority); and
  • Under an organization’s legitimate interests which may include commercial and marketing goals. The legitimate interest must not, however, override the data subject’s rights and interests.

Will the GDPR fines apply to small and medium-sized enterprises (“SMEs”)?

• Fines for violations or non-compliance with the GDPR will apply regardless of the size of the company. If you are an SME, you are, in principle, subject to the same level of fines as a large multinational organization.

Will Brexit impact GDPR compliance for UK businesses?

• No. The GDPR comes into effect before the UK officially leaves the European Union, which the UK government has announced will take place on March, 29th 2019. If you’re based in the UK or process personal data from the UK, this means that you’ll need to become GDPR compliant before May 25, 2018.

Do EU data subjects have an absolute right to have their personal data deleted upon request?

• A data subject’s right to have his or her data deleted is often referred to as “the right to be forgotten.” However, the right to be forgotten is not an absolute right. It only applies in certain circumstances and is subject to limitations. This right will not apply, for example, if further processing complies with a legal obligation or is processed in the public interest relating to health.

If we have already acquired a list of users, what do we need to do to ensure we are compliant with the GDPR?

• You will need to ensure that you have clear consent from the contacts on your distribution lists and a clear record of the consents that have been obtained or withdrawn. The new rules will not only apply to email addresses added to your database from May 25, 2018 but will also apply to any data collected before then.

Can we send recipients an email asking them to opt-in to our newsletters and marketing emails?

• Yes, for EU individuals who are already on your marketing lists, you could contact them by email asking them to confirm their consent. You should do this as soon as possible in order to ensure you remove any contacts that have not opted in before May 25, 2018.

Is “double opt-in” mandatory under the GDPR?

• No. The GDPR does not specifically require “double-opt-in” consent.” Double-opt-in” is a two-step mechanism whereby a person provides opt-in consent to the use of their contact details for marketing purposes and the person is then sent an email to confirm their agreement before any marketing is sent to them. Instead, the GDPR provides that consent should be given by a clear affirmative act establishing a freely given, specific, informed, and unambiguous indication of the data subject’s agreement to the processing of their personal data. This could include ticking a box when visiting an internet website, or any other conduct which clearly indicates the data subject’s consent to the processing of their personal data. Silence, pre-ticked boxes, or inactivity will typically not constitute consent.

Additional Resources

• Complete text of the GDPR.
• Information related to cookie usage, the E-Privacy Regulation and how it relates to the GDPR.