The European Union’s General Data Protection Regulation (GDPR) kicks in later this month on May 25th. We have been preparing for it and wanted to share what we’ve been doing and what it means for you.
First, the GDPR makes a distinction between data Controllers and Processors. You, our users, are Data Controllers. You determine what personal information you want to collect and how and where it is stored and processed. That makes us the Data Processor. We store the personal data that you collect and allow you to search and retrieve it.
Responsibilities of the Data Controller
You, the user, are responsible for responding to requests from EU individuals whose personal data you may be collecting:
- The right to access. Individuals for whom you have personal data have the right to request access to what you’ve collected and what you use it for. We have always had the ability to export all your contacts, and we’ve recently added the ability to export individual contact records as well.
- The right to be forgotten. If individuals in your Lead Zeppelin account are no longer customers, or withdraw consent for use of their data, you need to comply by deleting their records in our system. You also need to delete their information in any other systems you might be using (e.g. Mailchimp), so doing an audit of all the systems you use would be helpful.
- The right to data portability. EU individuals have the right to transfer the data you’ve collected from them to another service provider, if applicable, in a commonly used readable format. We provide contact and individual exports in CSV format for this purpose.
- The right to be informed. If you are gathering personal information on EU individuals, they need to be made aware before you gather it. They must freely opt in. That means if you have an “opt in” checkbox, it can’t be pre-checked. If you added someone’s email address under the premise that they were going to get a certain report, you can’t begin to email them with unrelated offers.
- The right to restrict processing. Individuals can request that their data not be used for processing. We added Communication Preferences a while back that can be used for this purpose. You can turn off preferences for Email, Direct Mail and Phone Calls.
- The right to be notified. In the event of a data breach where personal data has been compromised, we are required to report it within 72 hours of first having become aware. It is then your responsibility to inform the contacts in your Lead Zeppelin account. We are not fully aware of the data in your account, or whether it includes personal information, but we will still promptly report any data breaches so you can respond accordingly to any affected contacts in your account.
Failure to comply with these new regulations concerning EU individuals’ personal data can result in fines of up to 4% of annual global revenue or 20 million Euros, whichever is greater.
How to Prepare
If you haven’t begun already, you should start today.
- Organize your data. If you store personal data for your business, start by making a list of all the different places you’re collecting it. If someone requests to see what data you have on them, or to have their data deleted, you need to do it across the board.
- Clean up your data. After you’ve made a list of all the data you’re collecting and where you’re storing it (don’t forget backups!), go through and see if you really need to be saving or archiving all the personal data. Keep it lean, and just store what you need. Remember, you’ll need to explain if questioned what you’re collecting, what for, and for how long.
- Lock up your data. Make sure you have adequate backups and security wherever you’re collecting and processing personal data. We use US data centers with Rackspace and Dropbox that continually monitor and update their systems. However, you, the controller, are ultimately responsible for the EU personal data you collect.
- Update Processes. Be sure you’re ready if and when a request comes in to have data exported or deleted. Have a method to confirm the requestor’s identity, and a way to ensure the data has been deleted across all your systems if deletion is requested.
We will continue to post updates as we make changes before and after the GDPR deadline. If you have any questions, don’t hesitate to reach out.
Disclaimer: This information should be used for informational purposes only and is not intended as legal advice.