What is GDPR?
Over a year ago, the European Commission (EC) approved and adopted the new General Data Protection Regulation (GDPR). The GDPR is both a legal framework for the protection and security of personal data in the European Union (EU) and a set of regulations that will apply across Europe as of May 25, 2018.
Who does GDPR apply to?
The GDPR applies to all organizations operating in the European Union (EU) and processing “personal data” of EU residents. Personal data is defined as “any information relating to an identified or identifiable natural person.” This definition is notably much broader than “sensitive information” or “personally identifiable information,” which are the more narrow definitions of the data to which a regulation might apply (sometimes seen in other privacy and data security regulations).
When does GDPR become applicable?
On May 25, 2018.
What is NationBuilder doing in preparation for GDPR compliance?
NationBuilder is working to ensure our software and services are fully compliant with the GDPR when it becomes enforceable on May 25, 2018. Here are some of the actions we have taken thus far:
Analysis by a European legal firm: Earlier this year, we hired a European legal firm that specializes in data protection in the technology space. They are doing a full assessment of our product and procedures to determine if there are any gaps that need to be addressed. Our product and engineering teams are committed to delivering any necessary changes or enhancements to ensure that NationBuilder is GDPR compliant.
Updates to our policies: We are in the process of auditing and updating our current Compliance Management System and our compliance and security policies and procedures.
Data Processing Agreements (DPAs): To help our customers in their efforts to comply with protection and security of personal data regulations and better protect citizens’ data, NationBuilder has, for many years, asked our customers to enter into a Data Processing Agreement (DPA) with us. NationBuilder uses these DPAs to lay out our mutual commitments with our customers to proper data handling and to help ensure compliance with international data transfer regulations and best practices. Our DPA will be revised in light of the requirements of the GDPR. We will ask all new and current customers in the EU to sign the revised DPA. We are working to get these available to you as soon as possible. For additional information about the new DPA or to obtain a copy, please contact our support team at email@example.com.
What should I do as a NationBuilder customer and how can I prepare for GDPR?
Although the GDPR will not be enforceable until May 25, 2018, we encourage our customers and ecosystem partners to start preparing now. We urge every organization that processes or shares personal data to start your GDPR compliance journey (if you haven’t yet). Review your security, compliance and data protection practices and products to ensure that you are ready by May 2018.
What if my business is not in the EU but I do business with EU companies?
You will still have to comply with the Regulation. Non-EU organizations that do business in the EU with EU data subjects' personal data should prepare to comply with the Regulation.
What are key areas of the GDPR I need to know about?
The definition of personal data is broader, bringing more data into the regulated perimeter. The definition of “personal data” according to the GDPR is the following: ‘personal data' means any information relating to an identified or identifiable natural person 'data subject'; an identifiable person is one who can be identified, directly or indirectly, in particular by reference to an identifier such as a name, an identification number, location data, online identifier or to one or more factors specific to the physical, physiological, genetic, mental, economic, cultural or social identity of that person.
The bar for valid consent has been raised much higher under GDPR. The consent document should be laid out in simple terms. Silence or inactivity does not constitute consent; clear and affirmative consent to the processing of private data must be provided.
The appointment of a data protection officer (DPO) will be mandatory for certain companies. Article 35 of the GDPR states that Data Protection Officers must be appointed for all public authorities. In addition, a DPO will be required where the core activities of the controller or the processor involve “regular and systematic monitoring of data subjects on a large scale” or where the entity conducts large-scale processing of “special categories of personal data”.
Mandatory data protection impact assessments have been introduced. A risk-based approach must be adopted before undertaking higher-risk data processing activities. Data controllers will be required to conduct privacy impact assessments where privacy breach risks are high to analyse and minimise the risks to their data subjects.
There are new requirements for data breach notifications. Data controllers will be required to report data breaches to their data protection authority unless it is unlikely to represent a risk to the rights and freedoms of the data subjects in question. The notice must be made within 72 hours of data controllers becoming aware of it, unless there are exceptional circumstances, which will have to be justified. Regular supply chain reviews and audits will be required to ensure they are fit for purpose under the new security regime.
- Data subjects have the right to be forgotten. In a handful of circumstances, the data subject has the right to obtain from the controller the erasure of personal data concerning him or her without undue delay.
I am a UK organisation, with Brexit happening, does GDPR still apply to my organisation?
Yes. The UK government has confirmed that the UK’s decision to leave the EU will not affect the commencement of the GDPR. If you are a UK organisation and you are handling personal data, you will still need to comply with the GDPR, regardless of the outcome of Brexit. The GDPR will be legally effective before the UK leaves the EU and, as such, the government and the Information Commissioner have confirmed that the GDPR will apply.