The following information is not legal advice nor should it be considered legal advice. This information is meant to help you better understand GDPR and how Orbit is working to comply with the GDPR.
What is GDPR?
In short, the General Data Protection Regulation is a privacy law adopted by the European Union that regulates how businesses can collect, use and process the personal data of European Union citizens. The law went into effect on May 25, 2018.
Does GDPR affect me?
This law not only affects businesses based in the EU but this impacts any website or organization that processes the personal data of any EU citizen, no matter where your company is located.
If you ever collect, record, store, use or erase personal data from customers or contacts in the EU, then GDPR should be on your radar. If you have locations in the EU or sell products in the EU, you should be addressing GDPR compliance.
We are committed to becoming GDPR compliant by May 25, 2018.
We have implemented changes to agreements and policies to address our new responsibilities. Most importantly, we want to assist our clients in meeting some of their responsibilities under the GDPR.
What Orbit has done to become GDPR compliant
- Identified personal data that is being collected (contact form submissions, newsletter signups, comments on the Orbit blog)
- Enhanced data integrity and security with GDPR compliant forms
- Created new processes around portability and transferability of data
- Reviewed and revised all policies and agreements
What does this mean for Orbit clients?
If your website needs to be GDPR compliant, Orbit can offer assistance by:
- Conducting a site audit to identify where personal data is being collected
- Installing cookie notifications
We also recommend reviewing the website of the European Data Protection Supervisor, which provides a more comprehensive overview and steps you need to take to become GDPR compliant or seek legal counsel.
Before we go into more detail about GDPR, let’s define some of the key terms you will see when doing research about GDPR.
- Data Subject: The person who’s private data is being stored, collected, shared or dumped.
- Private and Personal Data: Any information that directly or indrectly identifies a living person. For example, account information, health information, age, gender, email address, birth date, address, IP address, etc…
- Data Controller: A Data Controller is a person or persons who determines how personal data is processed.
- Data Processor: A Data Processor is the person or persons that process that data on behalf of the controller.
- Obligations of the processors – GDPR has raised the bar for the responsibilities and liabilities of data processors as well. Processors must be able to demonstrate compliance with the GDPR and they must follow the data controller’s instructions.
- Data Protection Officer – Organizations may need to appoint a staff member or external service provider who is responsible for overseeing GDPR, general privacy management compliance and data protection practices.
- Privacy Impact Assessments (PIA) – Organizations must conduct privacy impact assessments of their large-scale data processing to minimize the risks and identify measures to mitigate them.
- Breach notification – Controllers must notify the stakeholders (the supervisory authority, and where applicable, the data subjects) within 72 hours of becoming aware of a breach.
What will change with the GDPR?
This law gives an individual the right to exercise complete authority over their personal data. Some of the rights in the regulation are:
- Explicit consent: Data subjects must be informed about how their personal data will be processed. Organizations must make it as easy for data subjects to withdraw their consent as it is to grant it.
- Right to access: At any point in time, the data subject can ask the controller what personal data is being stored or retained about him/her.
- Right to be forgotten: The data subject can request the controller to remove their personal information from the controller’s systems.
- Data portability: The controller must be able to provide data subjects with a copy of their personal data in machine readable format. If possible, they must be able to transfer the data to another controller.
What happens if I’m not GDPR compliant?
According to the GDPR website:
“Organizations can be fined up to 4% of annual global turnover for breaching GDPR or €20 Million. This is the maximum fine that can be imposed for the most serious infringements e.g.not having sufficient customer consent to process data or violating the core of Privacy by Design concepts.
There is a tiered approach to fines e.g. a company can be fined 2% for not having their records in order (article 28), not notifying the supervising authority and data subject about a breach or not conducting an impact assessment. It is important to note that these rules apply to both controllers and processors — meaning ‘clouds’ will not be exempt from GDPR enforcement.”
Where can I learn more about GDPR?
Here is a list of resources that we used to educate ourselves about GDPR and GDPR compliancy. We have also included links to some of the tools that we are using on our own site.