What is GDPR?
The General Data Protection Regulation (GDPR) is a new EU Regulation on the protection of personal data, due to take effect on 25 May 2018. Its goal is to protect the data privacy rights of individuals in the EU and to ensure transparency, security and accountability on the part of data controllers and processors. Put simply, it gives every individual in the EU the right to know what data about them is being used, and why, where and when, as well as a new right to erasure (the 'right to be forgotten').
GDPR builds on the eight data protection principles of the existing EU Data Protection Directive:
- Obtain and process information fairly.
- The data must be kept for a specified, lawful purpose.
- The data should be used and disclosed only for the specified purpose.
- The data must be kept safe and secure.
- The data must be up to date, accurate and complete.
- The data must be relevant, adequate but not excessive.
- The data must be retained for no longer than is necessary.
- A copy of the data must be made available to the data subject, on request.
(Summary based on material from the International Association of Privacy Professionals.)
Glossary of Terms
Data Subject - An identified or identifiable natural person in the EU whose personal data is processed.
Data Controller - An individual or organization that collects, stores and processes personal data and determines the purposes and means of that processing.
Data Processor - An individual or organization that processes personal data on the instructions of the Data Controller.
Data Processing - Any operation performed on personal data, such as collection, storage, use, disclosure or erasure.
Data Protection Officer - The Data Protection Officer (DPO) is responsible for ensuring that an organization complies with GDPR requirements.
Personal Data - Any information relating to an identified or identifiable natural person, directly or indirectly, such as a name, an identification number, location data, an online identifier, or one or more factors specific to the physical, physiological, genetic, mental, economic, cultural or social identity of that natural person.
Sensitive Data - Personal data revealing racial or ethnic origin, political opinions, religious or philosophical beliefs or trade-union membership, genetic data, biometric data processed for the purpose of uniquely identifying a natural person, data concerning health, and data concerning a person's sex life or sexual orientation.
OnePageCRM's approach towards GDPR compliance
OnePageCRM’s dedicated team has reviewed and updated our existing policies ahead of GDPR. As both a data controller and a data processor, OnePageCRM understands its responsibilities and has worked with a dedicated legal team to ensure that we correctly adhere to the regulation and have taken the right steps in implementing it. We have actively worked on the following:
Reviewed personal data & policies - We reviewed all personal data stored within our application, expanded on the processes and policies already in place, and documented everything that is necessary.
Consent process - We enhanced our process for obtaining and recording valid consent at every contact point. We will continue to ensure that our customers' data is well protected and that privacy remains at the core of our business.
Right to be forgotten - We implemented steps to fully erase personal details on an individual's request.
Security and data transferability - Data security is at the core of OnePageCRM, and we will continue to ensure that data transferred to and from our servers and other cloud applications remains secure and protected from unauthorized access.
FUTURE: Multi-server infrastructure - We are working on adding new servers in various geographical zones, including the EU. Keeping your data closer to your physical location will improve connectivity and access speed and provide a more reliable service. (This will be done in two phases: the first for new accounts, the second for existing customers.)
How does GDPR affect OnePageCRM customers?
We have outlined a number of actions you should consider; however, you must carry out your own due diligence and comply with the regulation in how you collect and use personal data.
- Review all personal data, existing privacy policies and put the necessary processes in place.
- Appoint a dedicated team and communicate the importance of GDPR with everyone involved in the organization.
- Put in place a procedure to respond to data subject requests for access, rectification, objection, restriction, portability, and deletion (right to be forgotten).
- Implement appropriate security measures, and processes for detecting and responding to personal data breaches.
- Ensure a record is stored for all necessary data, consent forms, privacy policies and procedures, training materials, and data transfer agreements.
What happens if I don't comply?
In the case of a personal data breach, CRM users are treated as the data controller, and it is your responsibility to notify the supervisory authority within 72 hours of becoming aware of the breach and, in some cases, the affected data subjects as well. If you fail to comply with GDPR, you could be fined up to €20 million or 4% of annual global turnover, whichever is higher.
This page is intended as a point of reference and does not constitute legal advice on GDPR or any other law. It provides information to help you understand how OnePageCRM is working towards GDPR compliance. It is important that you seek your own legal advice for your specific business.