1. What is the GDPR?
The “General Data Protection Regulation” or GDPR is a new comprehensive data protection law in the EU (including the UK post-Brexit) that comes into effect on May 25, 2018. The GDPR updates the existing EU privacy laws in order to strengthen them in light of rapid technological developments and more complex international flows of personal data, and to give EU citizens better control over their personal data in the digital world. The GDPR regulates and unifies across the EU how organizations can collect, store, process and transfer the personal data of EU individuals with a single set of rules.
2. What is personal data?
Personal data is any information relating to an identified or identifiable natural person, or so-called “data subject.” The GDPR expands and clarifies the concept of personal data. Identifiers such as a name, identification numbers, location data, and online identifiers (such as IP addresses), are considered personal data.
3. Who are Data Controllers, Processors and Sub-processors?
Under European data protection law, organizations processing personal data are divided into “Controllers,” the entities that determine the purposes and means of processing personal data, and “Processors,” the entities that process personal data only on the instructions of Controllers. For instance, Brand Embassy is a Processor. The GDPR applies to both Controllers and Processors. A further category, Sub-processors, covers entities that perform personal data processing on behalf of Processors (other organizations). The GDPR applies to those entities too.
4. To whom does the GDPR apply?
The GDPR applies to all organizations processing the personal data of EU citizens (data subjects), regardless of the organization's location. “Processing” means any operation performed on personal data, such as collection, storage, transfer, dissemination or erasure.
5. What's new under the GDPR?
The GDPR changes existing EU data protection laws in several ways. Most importantly, it enhances data privacy rights for individuals. While the basic concept of personal data largely remains the same, the GDPR expands and clarifies that concept. The GDPR also introduces enhanced data management obligations for organizations, and a new regime of fines for organizations that do not comply with the law.
The GDPR provides expanded rights for EU citizens (“data subjects”) such as:
- Deletion: The data subject has the right to require that the Controller delete personal data about him/her, under certain conditions, such as: the original data are no longer necessary for the original purpose of the processing, or if the data subject withdraws consent for the processing. This right is sometimes called “the right to be forgotten.” Brand Embassy's procedures and technology take this obligation into account.
- Restriction: Besides the deletion right, the data subject also has the right under the GDPR to obtain a restriction on the processing of his/her personal data under certain circumstances, such as the situation when the accuracy of the personal data is contested by the data subject for a certain period of time. A restriction on processing means that the organization is entitled to continue to store such personal data, but cannot process it. Brand Embassy's procedures and technology take this obligation into account.
- Consent: The GDPR uses consent throughout as a mechanism for legitimizing certain personal data processing activities from a legal perspective. Consent is defined as any freely given, specific (per purpose), informed and unambiguous indication of a data subject’s wishes, expressed through a statement or a clear affirmative act, and presented in clear and plain language in an intelligible and easily accessible form. Brand Embassy's procedures and technology take this obligation into account.
- Access: Under the GDPR the data subject has the right to get information from the Controller about whether his/her personal data is being processed, and if yes, the Controller upon request must provide access to that personal data and information such as the purpose of the processing, the category of personal data concerned, the recipients, the period for storing the data, and profiling mechanisms.
- Modification: Under the GDPR the data subject has the right to obtain from the Controller “without undue delay” the rectification of inaccurate personal data concerning him or her.
- Portability of personal data: The data subject has the right, under certain circumstances, to receive his/her personal data, which he/she provided to a Controller, in a structured format (meaning for instance a machine-readable format). Brand Embassy's procedures and technology take this obligation into account.
- Security measures: The GDPR requires Controllers and Processors to implement appropriate technical and organizational measures to ensure a reasonable level of security under the circumstances. At Brand Embassy the security of data is our top priority and we have robust security measures in place that meet high-level standards in the industry. We combine enterprise-level security features with comprehensive processes, procedures, audits of our applications, systems and networks to ensure that your and your customers’ data is always protected. Brand Embassy stores data in AWS SOC 2-certified data centers.
- Breach notification: The GDPR requires organizations to report a personal data breach to the supervisory authority “without undue delay,” and where feasible within 72 hours of having become aware of it, unless the breach is not likely to present any risk to the rights and freedoms of the data subjects concerned. In certain circumstances a report must also be made to the affected data subjects. Processors are required to notify Controllers “without undue delay” after becoming aware of a personal data breach. Brand Embassy's procedures and technology take this obligation into account.
- Data Protection Impact Assessments: Where a type of processing is likely to result in a high risk to data subjects, the Controller shall, prior to the processing, carry out a data protection impact assessment identifying the impact of the processing activities on the personal data. Brand Embassy's procedures and technology take this obligation into account.
- Transparency: The GDPR helps to ensure that transparent and fair information is provided to data subjects about how their personal data is being processed. The GDPR requires that the Controller provide data subjects with information about its processing activities at the time when personal data is obtained. The Controller needs to provide information such as: the contact details of the Controller (or data protection officer, if applicable), the purposes and legal basis for the processing, and the recipients or categories of recipients of the personal data (if applicable).
- International transfers: The GDPR restricts Controllers and Processors from transferring personal data outside of the EU unless appropriate safeguards are provided to protect that data. For such a transfer, enforceable data subject rights and effective legal remedies for data subjects must remain available.
- Sanctions: Sanctions for non-compliance under the GDPR can be substantial. Supervisory authorities have a number of enforcement powers, including the ability to fine organizations up to €20m or in the case of an undertaking, up to 4% of the total worldwide annual turnover of the preceding financial year, whichever is higher.
- “One Stop Shop”: The One Stop Shop mechanism means that, as a main rule, organizations that are established or operate in more than one EU member state, or that process the personal data of data subjects in more than one EU member state, will only have to deal with one supervisory authority. This supervisory authority is called the “lead supervisory authority” and is determined by the place where the Controller has its central administration in the EU (where the Controller has such an administration in the EU). This authority will cooperate with the other supervisory authorities concerned with cross-border data protection issues.
- Profiling: The GDPR introduces the concept of “profiling” as data processing involving (a) automated processing of personal data; and (b) using that personal data to evaluate certain personal aspects relating to a natural person. Specific examples include analyzing or predicting “aspects concerning that natural person's performance at work, economic situation, health, personal preferences, interests, reliability, behavior, location or movements.” Data subjects must be informed of the existence of profiling, its logic involved and any consequences of such processing.
6. What implications does the GDPR have for organizations processing the personal data of EU citizens?
The GDPR unifies and creates consistency across EU member states on how organizations can collect, store, process and transfer the personal data of EU individuals with a single set of rules. Organizations will need to ensure the security of the data they are processing and demonstrate their compliance with the GDPR on a continual basis. It’s important to implement and regularly review robust technical and organizational security measures, as well as compliance policies.
7. How has Brand Embassy been preparing for the GDPR?
Brand Embassy sees the GDPR as an opportunity to deepen our commitment to data protection and to build a stronger data protection system for the benefit of all. Brand Embassy is committed to ensuring that our platform is GDPR-compliant when the regulation becomes enforceable on May 25, 2018. As a SaaS (software as a service) provider, we already offer robust security measures meeting high-level standards in the industry with enterprise-level security features.
We have a data protection team of senior members of the legal, data and security sectors, ensuring that Brand Embassy is GDPR-compliant and performing regular reviews.
We also apply data protection mechanisms and procedures in our design principles for every new feature, product and enhancement.
High security measures are applied to all data, not only EU citizens’ data. We believe this will help you to comply with data protection regulations in multiple frameworks around the globe.
8. I’m a Brand Embassy customer. How do I get a data processing addendum (DPA) incorporating the GDPR obligations with Brand Embassy?
Brand Embassy's top priority is data security and we are committed to protecting the personal data that we may handle as part of our processing activities. We offer a data protection agreement meeting high industry standards that customers can execute and sign with us. Our DPA is available here: https://cdn2.hubspot.net/hubfs/484339/legal/BE-data-processing-addendum_20180430.pdf
9. I’m a Brand Embassy customer. How can you help me delete personal data (and other actions) to comply with the GDPR?
Brand Embassy has implemented processes and tools to help you manage requests from data subjects including the deletion of personal data (“the right to be forgotten”), as well as access to personal data, modification (rectification), and portability.
Customers can contact us at firstname.lastname@example.org to request the actions required by data subjects. In the early stage there will be an approval process in place to make sure we are deleting the data as requested, and the process will be continuously reviewed and iterated. To perform these actions we may also require that additional information, such as post/message IDs or customer IDs, is available and visible in the Brand Embassy Platform. Our privacy team is fully dedicated to providing the necessary support or guidance.
Customers can also use programmatic options to automate key processes by using the Brand Embassy API for the GDPR. There is no one-size-fits-all approach to automated deletion, so customers should design their approach and then consult with our Solution Designers, who will find the best scenarios to build on top of the Brand Embassy Platform and configure the necessary processes if needed.
10. I’m an EU citizen. How can I claim my rights under the GDPR?
As far as the personal data in relation to Brand Embassy is concerned, please contact the relevant data Controller or contact us at email@example.com, and we will be happy to assist with your questions or requests.
11. Is encryption required by the GDPR?
No. The GDPR does not specifically require you to encrypt your data. The GDPR does not define specific security measures; however, it does require organizations to take technical and organizational security measures appropriate to the risks involved. Encryption may be appropriate in certain cases, but it is not specifically mandated by the GDPR in every instance.
12. Does EU data need to stay in the EU?
No, the GDPR does not require that EU personal data stay in the EU. However, Brand Embassy generally stores the personal data of EU citizens on data centers in the EU. Also, data transfers of personal data outside the European Economic Area (EEA) generally require that valid and appropriate safeguards are in place to protect the data once it leaves the EEA (Chapter V, Articles 44-50).
13. How does Brand Embassy ensure that its vendors comply with the GDPR?
Brand Embassy's security measures and GDPR readiness program include regular reviews of the compliance of vendors that handle personal data on Brand Embassy’s behalf.
14. Who can I contact if I still have questions about data security or GDPR compliance?
Please contact your account manager or contact us at firstname.lastname@example.org, and we will be happy to assist with your questions.