Note: The content presented in this page is not to be construed as legal advice. If you are concerned about the impact GDPR has on your business, please contact your legal adviser to learn what your business specifically needs to do to comply with GDPR.
What is GDPR?
The European Union (EU)’s General Data Protection Regulation (GDPR) is a regulation that came into effect on the 25th of May, 2018. It aims to harmonize the data privacy laws across the EU, and (in particular) protect the rights of residents of the EU with regard to the processing of their personal data. It recognizes the data privacy rights of EU residents, and lays down rules relating to the processing of their personal data.
GDPR aims to give EU residents full control over their personal data.
What is personal data?
In the context of GDPR, personal data is any data that can directly or indirectly help identify a natural person. This includes, but is not limited to: name, address, phone number, email address, IP address, photos, etc.
When and where does GDPR come into play?
GDPR applies to any activity that collects or processes the personal data of EU residents, whether or not that activity takes place inside the EU. GDPR has a global reach.
Why be GDPR compliant?
EU’s GDPR is legally binding. The concerned Supervisory Authority (as defined by GDPR) may fine the non-compliant person or organization up to 20 million Euros or 4% of their annual worldwide turnover from the preceding year, whichever is higher. Fines exist for two reasons:
- As a deterrent, so that Data Controllers and Data Processors act responsibly and adhere to GDPR’s guidelines
- As compensation for people who have suffered material or non-material damage as a result of an infringement of GDPR
Key roles that GDPR identifies
- Data Subject: A resident of the EU from whom, or about whom, data is collected and/or processed
- Data Controller: The person or organization that defines the purpose and means of collecting and processing data
- Data Processor: The person or organization that processes the collected data on behalf of the Data Controller
Which am I?
The following occurs when you sign up and start using And You.
- When you sign up and subscribe to use And You services:
  - You are the Data Subject
  - And You acts as the Data Controller
- When you use And You to collect data:
  - The people that you collect data about are the Data Subjects
  - You act as the Data Controller
  - And You acts as the Data Processor
And You GDPR readiness
Addressing the rights of Data Subjects
The following are the Data Subject Rights that GDPR identifies, and how And You helps you address them.
The main requirements are:
1. Request Consent: GDPR requires that users give explicit consent before submitting personal data.
2. Right to Access: Provide a way for users to request access to, and view, the data you have collected from them.
3. Right to be Forgotten: Give users a way to withdraw consent and delete the personal data collected from them.
How to Comply using And You
1. Request Consent
When using And You, your data collection form will be set up to request consent from the person subscribing to your email / newsletter. A required checkbox with a label/option that says something like “I give consent to Your ‘Company Name’ to collect and use my details via this form…” is added. As a result, the subscribe form will only submit once the checkbox is checked and your subscriber has given consent.
2. Right to Access
Your subscribers have access to their subscriptions and profile on the Manage Subscriptions page, which is prominently displayed on your And You site.
3. Right to be Forgotten
A “Delete Account” button is visible on the Manage Subscriptions page for subscribers to delete their subscriber account completely.
If you previously gained consent from your subscribers in a way that complies with the GDPR, you don’t need to re-obtain consent from them.
You can however re-obtain consent with the following steps:
- Create a new mailing list.
- Create a newsletter.
- In the newsletter, put a
- Your subscribers can now confirm and give consent to your new mailing list.
- Use your new mailing list with confirmed subscribers to send newsletters to.
Implementing Best Practices
You can use And You’s form features to implement some GDPR best practices:
- Denote fields that contain personal data – define whether the concerned field is one in which your users will be entering personal data.
- Getting consent: Data Subjects have a right to be informed of why you are collecting data and how it will be processed. As a Data Controller you need to be able to show that your users gave their consent for this. Here’s how you do it:
  - If consent is required along with the data a form is already collecting, then add a notes field (which displays information on why you need to collect certain data points, and how this data will be processed) and a decision box field (marked mandatory) that lets your users give their consent
  - To let your users know what they consented to, you can send them an email saying they’ve given their consent (and copy-paste the notes field’s content into the email’s message)
- Provision a double opt-in mechanism for your form: double opt-in is a widely used mechanism to get the user to confirm their subscription before sending them emails or newsletters.
- And You captures IP addresses, so you should alert potential subscribers of this on your subscribe form and include it in their consent.
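The consent checkbox, the double opt-in confirmation, the consent email and the access/delete rights described above fit together into one small flow. The following is an added illustration of that flow, not And You’s own code: it rejects a submission whose consent box is unticked, records which version of the consent text was agreed to (so the later “what you consented to” email can quote it), captures the IP address the page says is collected, issues a random confirmation token whose HMAC (not the token itself) is stored until the link is clicked, and only allows newsletters after confirmation. The consent text, the 48-hour token lifetime, the in-memory stores and the sample addresses are all constructed assumptions for the example.

```python
import hashlib
import hmac
import secrets
import time
from dataclasses import dataclass, asdict

# Constructed consent text; in practice this is the label next to the mandatory checkbox.
CONSENT_TEXT = "I give consent to Example Co. to collect and use my details via this form."
CONSENT_TEXT_HASH = hashlib.sha256(CONSENT_TEXT.encode()).hexdigest()
TOKEN_TTL_SECONDS = 48 * 3600  # assumed lifetime of a confirmation link


@dataclass
class PendingSubscription:
    """A sign-up that has ticked the consent box but not yet clicked the confirmation link."""
    email: str
    consent_text_hash: str
    ip_address: str
    requested_at: float
    token_hash: str
    expires_at: float


@dataclass
class ConsentRecord:
    """Evidence kept for a confirmed subscriber: what was agreed, from where, and when."""
    email: str
    consent_text_hash: str
    ip_address: str
    requested_at: float
    confirmed_at: float


class DoubleOptIn:
    def __init__(self, secret: bytes, clock=time.time):
        self._secret = secret          # server-side key for hashing tokens at rest
        self._clock = clock            # injectable for testing expiry
        self._pending: dict[str, PendingSubscription] = {}
        self._confirmed: dict[str, ConsentRecord] = {}

    def _hash_token(self, token: str) -> str:
        # Store only an HMAC of the token so a leaked pending table yields no usable links.
        return hmac.new(self._secret, token.encode(), hashlib.sha256).hexdigest()

    def request_subscription(self, email: str, consent_given: bool, ip_address: str) -> str:
        """Handle the form submission; returns the token to embed in the confirmation link."""
        if not consent_given:
            raise ValueError("consent checkbox not ticked; the form must not submit")
        token = secrets.token_urlsafe(32)
        now = self._clock()
        self._pending[email] = PendingSubscription(
            email=email,
            consent_text_hash=CONSENT_TEXT_HASH,
            ip_address=ip_address,
            requested_at=now,
            token_hash=self._hash_token(token),
            expires_at=now + TOKEN_TTL_SECONDS,
        )
        return token

    def confirm(self, email: str, token: str) -> bool:
        """Handle the click on the confirmation link (the second opt-in)."""
        pending = self._pending.get(email)
        if pending is None:
            return False
        now = self._clock()
        if now > pending.expires_at:
            del self._pending[email]  # stale request: the user must sign up again
            return False
        if not hmac.compare_digest(pending.token_hash, self._hash_token(token)):
            return False              # wrong token; keep the pending entry until it expires
        del self._pending[email]
        self._confirmed[email] = ConsentRecord(
            email=email,
            consent_text_hash=pending.consent_text_hash,
            ip_address=pending.ip_address,
            requested_at=pending.requested_at,
            confirmed_at=now,
        )
        return True

    def may_send_newsletter(self, email: str) -> bool:
        """Only confirmed subscribers receive mailings."""
        return email in self._confirmed

    def export_subscriber(self, email: str):
        """Right to access: everything held about a confirmed subscriber."""
        record = self._confirmed.get(email)
        return None if record is None else asdict(record)

    def delete_subscriber(self, email: str) -> bool:
        """Right to be forgotten: remove pending and confirmed data alike."""
        existed = email in self._pending or email in self._confirmed
        self._pending.pop(email, None)
        self._confirmed.pop(email, None)
        return existed
```

Keeping the hash of the consent text, rather than a boolean, matters once the wording of the checkbox changes: the record still shows which version each subscriber agreed to, which is what the follow-up “you consented to …” email and any later audit need.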