Growbots’ Plan for GDPR Compliance
Updated April 5, 2018
GDPR - definition, motivation, and its impacts
The GDPR will come into effect on May 25, 2018 with the aim of protecting global privacy rights and guaranteeing compliance. We are working towards ensuring that Growbots is fully compliant with the GDPR before it takes effect. The purpose of this guide is to help our customers better prepare for the upcoming changes.
GDPR - a quick overview
GDPR stands for the General Data Protection Regulation, a European privacy law approved by the European Commission in 2016. The new regulation will replace a previous privacy directive known as Directive 95/46/EC (the “Directive”), which has been in operation since 1995. Unlike a directive, the GDPR doesn’t require any enabling legislation from national governments, making it directly binding and applicable.
The main aim of GDPR is to transfer control of personal data back to citizens as well as to unify the regulation within the EU to streamline the regulatory environment for international businesses.
The GDPR impacts how individuals and organizations can acquire, use, store, and remove personal data, and therefore will have a big impact on businesses’ operations worldwide.
How much time do I have left to become fully GDPR compliant?
Even though the GDPR was adopted in April 2016, it will officially take effect from May 25th, 2018. All organizations must be fully compliant by then, as there is no transition or “grace period” granted, and penalties will be placed on organizations that fail to comply.
Who should be concerned with GDPR?
The regulation affects organizations located within the EU as well as those located outside of the EU area if they sell goods or services to, or monitor the behaviour of EU data subjects. All companies which process and hold personal data of data subjects residing in the European Union must comply with GDPR, irrespective of the organization’s location.
The regulation does not exclude any industries or sectors. For the purpose of interpreting the regulation more easily, we are providing a few definitions:
What is “personal data”?
According to the GDPR, personal data is any information related to an identified or identifiable person, also called a “data subject”. An identifiable natural person is one who can be identified, directly or indirectly, by reference to their name, an identification number, location data, an online identifier, or one or more factors specific to the physical, physiological, genetic, mental, economic, cultural or social identity of that natural person. This also includes email addresses as well as IP addresses.
This clearly shows that the majority of information that Growbots users collect will be viewed as personal data under the GDPR.
Does Growbots need to comply with the GDPR?
Growbots, in cooperation with its legal advisors, has come to the conclusion that it is obliged to comply with the GDPR. We have absolutely no doubt that Growbots will be GDPR compliant before the regulation takes effect on May 25th, 2018. Our customers can confidently use Growbots without worrying that Growbots is in breach of data protection regulation.
We have given ourselves enough time to ensure that all our internal processes, procedures, systems and documentation are revised and updated to be in line with the GDPR requirements.
Growbots is, among other things:
- Revising our third-party vendor contracts to make sure they are GDPR compliant, in order to allow us to continue to lawfully transfer EU personal data to those third parties and permit those third parties to continue to lawfully receive and process that data;
- Continuously working on new GDPR-friendly capabilities to add to our application.
Growbots will be ready to address any GDPR related customer requests involving:
- The right to be forgotten: You can terminate your Growbots account at any time; we will permanently delete your account and erase all the data associated with it.
- The right to object: You can opt out of having your data included in any data science projects.
- The right to rectification: You have the right to access and update your Growbots account setting at any time in order to correct or complete your account information. Alternatively, you can contact Growbots to request your data to be corrected, amended or deleted.
- The right of portability: You can request that your data be transferred to a third party at any time.
Please note that Growbots will have 30 days to address any requests made by customers to update or remove their data.
Is GDPR something you should be worried about?
You should seek consultation from legal professionals to check whether you must be GDPR compliant. However, if your organization resides within the EU or processes the personal data of EU citizens, the GDPR will affect you.
What does “data processing” mean?
According to GDPR, processing implies “any operation or set of operations which is performed on personal data or on sets of personal data, whether or not by automated means, such as collection, recording, organisation, structuring, storage, adaptation or alteration, retrieval, consultation, use, disclosure by transmission, dissemination or otherwise making available, alignment or combination, restriction, erasure or destruction” (GDPR-info.eu).
To simplify it, if you collect, manage, use or store any personal data of EU citizens, you are in fact processing their data and therefore must be GDPR compliant.
What does this mean for Growbots customers? If you are in possession of email addresses, names, or any other personal data of prospects residing in the EU, then you are processing EU personal data under the GDPR.
Is Growbots using third-parties to process data?
Growbots, just like the majority of businesses, uses third-party subprocessors to provide certain business functions such as business analytics, cloud infrastructure, email notifications, payments, and customer support.
However, before Growbots decides to cooperate with any third-party subprocessor, we carefully evaluate their security posture and we execute an agreement which requires that each subprocessor maintains minimum acceptable security practices.
GDPR vs the Directive - what is the difference?
While the GDPR draws from the Directive and a lot of the principles from the Directive appear in the GDPR, multiple changes have been made and must be noted.
We have chosen to discuss those which we believe are particularly relevant to Growbots and our users:
- A wider scope: As previously mentioned, the GDPR applies to all organizations set up in the EU as well as those which reside outside of the EU but process data of EU citizens. This broadens the scope of EU data protection law beyond the European Union territory.
- Modification of the definitions of personal and sensitive data, as mentioned above.
- Individual rights expansion: EU citizens will regain control over their personal data and will have a few new rights granted under the GDPR, including the right to be forgotten, the right to object, the right to rectification, the right of access, and the right of portability. Your responsibility is to make sure you’re able to respect these rights if you process the personal data of EU citizens. Here’s what each right implies:
  - The right to be forgotten: An individual can demand that their data be erased completely with immediate effect.
  - The right to object: An individual may refuse to allow certain uses of their data.
  - The right to rectification: Individuals have the right to request that incomplete data is completed and any data errors are corrected.
  - The right of access: Individuals have the right to know how organizations process their data and what data they process.
  - The right of portability: Individuals can request a transfer of their personal data from one organization to another.
The basis of the GDPR is consent, and all organizations must make sure that consent is obtained in line with the GDPR’s new requirements.
Every one of your users and subscribers will have to agree to your use of their personal data, meaning you will have to receive explicit consent. What do you have to be aware of?
- Consent must be purpose specific.
- What doesn’t count as consent: silence, pre-populated boxes or a lack of action. Individuals must explicitly opt in to the storage, use and management of their personal data.
- You must clearly specify how the data that you collect will be used, as separate consent must be acquired for different processing activities.
- Individuals have the right to request “fair and transparent” information about how their personal data is processed, and that includes:
  - Who is controlling their data, i.e. the controller’s contact details
  - A justification of why you’re collecting the data
  - The data retention period, which should be as short as possible
What you must be aware of is that you can only process data if it’s absolutely necessary; it has to be legally justified, for example, to fulfill a contract.
What about cross-border data transfers?
The GDPR includes provisions that discuss cross-border personal data transfers; however, they do not differ significantly from the provisions included in the Directive.
The GDPR doesn’t specifically say that the personal data of the EU citizens can only be stored in the EU member states. However, it puts forward a few conditions that must be met before personal data is transferred outside the EU and it describes multiple legal grounds that firms can rely on to perform cross-border data transfers.
Our customers can be assured that Growbots will be 100% GDPR compliant before the regulation takes effect on May 25th, 2018.
What will happen if I fail to comply with the GDPR?
All organizations which fail to comply with the GDPR after it takes effect will face serious financial penalties. They can be as high as 20 million euros or 4% of the company’s global turnover.
Controller vs. Processor - what’s the difference?
By accessing personal data you become either a controller or a processor; each role has different requirements and obligations.
If you’re a controller then your job is to decide on the purpose and the means of processing personal data. A controller also determines what personal data is collected from a data subject for processing.
A processor, on the other hand, is an entity which processes the data on the controller’s behalf. Although the definitions of controller and processor haven’t been changed significantly for the purposes of the GDPR, the responsibilities of each party have increased.
It is the main responsibility of a controller to protect data and to report any data breaches to data protection authorities. The processor has certain responsibilities as well.
It is vital for you to identify yourself either as a processor or a controller, and to become familiar with your responsibilities.
Are Growbots customers processors or controllers?
In the majority of circumstances, our customers will act as controllers. Our customers will decide what information available at Growbots will be used by them.