For that purpose, we considered it important to let you know about the new General Data Protection Regulation (GDPR), which will take effect on May 25, 2018 for all businesses that maintain the data of EU residents.
Businesses of all sizes are required to be in compliance with the GDPR, going forward. The GDPR is very broad in scope and can apply to businesses both in and outside of the EU.
Businesses that don’t comply with the GDPR could face heavy fines.
Disclaimer: Please note that EngageBay is offering you this content for informational purposes only and should not be relied upon as legal advice. We encourage you to consult legal and other professional counsel to fully understand how GDPR applies to your organization and business activities.
The General Data Protection Regulation, also known as the GDPR, was adopted on April 27, 2016, but has yet to go into effect. It governs the personal data of individuals in the European Union (EU), including the export of that data to other parts of the world.
Essentially, the 1995 Data Protection Directive, also known as Directive 95/46/EC, will now be superseded. Unlike Directive 95/46/EC, the GDPR is a regulation rather than a directive, so it requires no separate implementing legislation in each member state. Its rules therefore apply directly as soon as it takes effect.
EU member states will follow a single set of rules, which mandate that each state have an independent supervisory authority, or SA. The SA is in charge of handling and resolving administrative offenses and complaints.
Companies with a business presence in several EU member states, or both inside and outside the EU, will deal with a lead supervisory authority in the member state of their main establishment. This lead SA acts as a one-stop shop for that company's data protection matters. There will also be a European Data Protection Board, or EDPB, which supersedes the Article 29 Working Party.
In all other instances, the GDPR has a data controller, which will oversee cloud service provider data for organizations, processors, and residents within the EU.
These processes are put in place to protect personal data, which the European Commission defines as “any information relating to an individual, whether it relates to his or her private, professional or public life. It can be anything from a name, a home address, a photo, an email address, bank details, posts on social networking websites, medical information, or a computer’s IP address.”
The goal of the GDPR is to protect all EU citizens from privacy and data breaches in an increasingly data-driven world. The GDPR protects the following key rights:
It’s worth keeping in mind that before GDPR, you still had to meet regulations when processing personal data.
GDPR simply means data controllers must make a greater effort to process personal data within the law. They also have to make it clear how data will be processed – and ask for consent. And if there’s a personal data breach, they need to notify the supervisory authorities and data subjects as soon as possible.
Unlike past laws, GDPR also refers directly to data processors – and outlines how they must now comply.
If you have an EngageBay account, you’re the controller of your contacts’ personal data. That’s because you decide why and how their information will be used. And that means you’re responsible and liable under GDPR.
GDPR may apply if you’re a data controller or a data processor:
What is a Data Controller?
A data controller is a natural or legal person, public authority, agency or other body that, alone or jointly with others, determines the purposes and means of the processing of personal data. Where the purposes and means of such processing are determined by Union or Member State law, the controller or the specific criteria for its nomination may be provided for by Union or Member State law. (See Article 4, GDPR)
What is a Data Processor?
A data processor is a natural or legal person, public authority, agency or other body that processes personal data on behalf of the controller. (See Article 4, GDPR)
So, what does this mean?
EngageBay is the controller in relation to the personal data you provide to us as a customer. You are the controller in relation to the contact data you upload and use in your EngageBay account.
EngageBay is your processor when we provide our services to you. For example, when facilitating the sending of emails to contacts and providing tools to manage your contact lists, we are acting as a processor on your behalf.
However, please note that it is your responsibility to ensure that you have the necessary notices and/or consents in place in order to transfer personal data to us for use.
In the scenarios listed above, your compliance with GDPR is mandatory.
On the other hand, you probably won’t need to comply if you simply have a website, email address, or other contact details that happen to be accessible from the EU, and the language used is that of your own country rather than of an EU member state.
Failure to comply could result in hefty fines. You will definitely want to be sure you’re in compliance ahead of the May 25, 2018 deadline. This is not something you can ignore and you wouldn’t want to put off preparing until the last minute.
EngageBay is GDPR compliant. As a customer of EngageBay, GDPR grants you expanded privacy protections and rights. We will be prepared to comply with these regulations and handle requests from you so that you are also in compliance.
Right to be forgotten – You may cancel and terminate your EngageBay account at any time. After receiving a request to be forgotten, we will permanently delete your account and all data associated with it within 30 days of receiving the request.
Right to portability – If requested, we will export your data so it can be transferred to a third party. You’re able to do this now.
Right to object – At any time, you may object (via opt out) to your personal data being used for specific purposes such as direct marketing, research, etc.
GDPR grants expanded privacy protections and rights to your customers. EngageBay’s GDPR compliance program will help you comply with requests you receive from your customers.
Right to rectification – You can update your contact’s information at any time. Your contacts can reach out to EngageBay directly and we’ll correct or delete that information for them.
Right to be forgotten – If you receive a request to be forgotten, you’re able to delete a contact, which permanently removes his or her information from your account. If your contact reaches out to us directly with a valid request, we’ll notify you about the request and delete the contact’s data from your account, or across all EngageBay accounts, if requested, in order to comply with GDPR.
Right to portability – If your contact requests their personal data, you can export their data as a .csv file, which we will make available to you via a secure connection.
In addition, we are reviewing and updating, as necessary, our agreements with you and with our subcontractors (to include the necessary GDPR terms), as well as notices, policies and internal processes, features, and templates to assure our compliance and help you achieve compliance.
Please note that EngageBay is also working toward certification under the EU-US and Swiss-US Privacy Shield frameworks. This means we transfer and protect personal data from the EU and Switzerland in line with the requirements of the Privacy Shield program, which is overseen by the Federal Trade Commission and approved by the EU Commission. As a result, you can transfer your data and that of your customers to us in compliance with the data transfer restrictions in the GDPR.
Privacy Shield is an agreement between the EU, Swiss and US governments that allows US companies to comply with EU and Swiss data protection regulations.
Privacy Shield was created specifically for US companies, and may have a different set of regulations or requirements than a company operating in the EU.
We are working toward our Privacy Shield certification and once we have it, we will have what is considered "adequate privacy protection for the transfer of personal data outside of the EU and Switzerland".
You can read more on their official website.
For any questions, feel free to write to us at: firstname.lastname@example.org