updated 9 Feb 2018
Disclaimer: While we hope to cover some of the legal precedents discussed under GDPR, this is by no means a full overview of all policies. If you’d like to learn more about the new GDPR regulations, you can check out the full text here. CustomerGauge, in accordance with these policies, will update procedures and Privacy Policies to ensure compliance. Below we distinguish the role of CustomerGauge as a data controller and a data processor.
General Data Protection Regulation (GDPR) is a new EU regulation that extends the protections of personal data for European Union citizens beyond those of the 1995 EU Data Protection Directive. As part of these protections, organizations have new obligations when collecting or processing personal data, which will come into effect on May 25th, 2018.
CustomerGauge will provide all the necessary protections for data controllers (our customers) in handling their contacts and needs. Below we address some of the other most important changes coming from GDPR.
CustomerGauge’s product team has been busy developing new features to support our customers’ journey to compliance. These new features mainly concern the “Right to withdraw consent”. Previously, once a data subject had given consent it could not be withdrawn. Now, a data subject can contact the data controller to withdraw their consent, and the data controller can use the CustomerGauge platform to delete the personal data of the data subject.
It’s important to remember that for our customers, CustomerGauge is the data processor and it is the responsibility of the data controller (our client) to supervise the deletions: either by deleting directly, or by instructing us to do it (we reserve the right to charge for volume).
All CustomerGauge third-party partners are also taking the same necessary steps to ensure GDPR compliance is followed.
Current platform users can refer to the documentation provided on our Support page for further details on these features.
CustomerGauge will provide all the necessary protections for our data subjects. Below we address some of the other most important changes coming from GDPR.
While the current EU legislation (the 1995 EU Data Protection Directive) governs entities within the EU, the territorial scope of the GDPR is far wider because it will also apply to non-EU businesses that either market their products to people in the EU or monitor the behavior of people in the EU. With an international presence, CustomerGauge will take all the necessary precautions to ensure we protect customers and prospective customers in compliance with the new policies and procedures handed down by GDPR.
Whenever a data subject submits their personal information to a data controller, the controller needs to ensure the data subject does so with consent and understanding. GDPR has introduced new standards for what this type of consent entails, calling for consent that is “freely given, specific, informed and unambiguous.” This means that data controllers must use clear language: the previous “opt-out” via silence or pre-ticked check boxes will no longer be allowed and must be replaced by a “statement or a clear affirmative action.”
Right to Withdraw Consent and Data Portability
Two new GDPR rules make it easier for users to remove stored information from data controller databases or to demand a copy of their stored information from processors.
The right to withdraw consent requires data controllers to remove data subjects’ personal data. If this data is held by a data processor, then the processor must ensure the data controller can perform this action. The right to data portability allows a data subject to demand that any information stored about them be handed over in a commonly used format.
Right to Access Data
GDPR enhances the previous rights of data subjects (who have always had the right to access their data). Data controllers can no longer charge data subjects for accessing their data. Though there are some circumstances where organizations can refuse a data access request, refusal policies must be clearly spelled out, and data controllers must demonstrate that a request meets the refusal criteria spelled out in those policies.
Data Privacy Impact Assessment (DPIA)
The new DPIA stipulation concerns building data privacy “by design”. This means that a company must assess how any new projects, technologies or initiatives may impact the privacy of individuals, so that changes can be made preemptively to avoid potential privacy issues.
Data Privacy Officer (DPO)
CustomerGauge has a DPO in place to ensure all compliance efforts are made in accordance with GDPR. The DPO typically deals with activities that involve processing personal data on a large scale and is helpful in overseeing how vendors’ security practices comply with GDPR or in informing third-party vendors of any data subject requests.
Data controllers must have the ability to demonstrate GDPR compliance to local supervisory authorities (the central point of enforcement for DPOs to contact). Policies must be documented, appropriate measures taken and procedures updated in accordance with the newest GDPR laws.
Updating Privacy Documentation
Data controllers must review and update their privacy statements, internal data policies, and privacy notices so that they meet GDPR standards. CustomerGauge will ensure all documentation meets the necessary GDPR requirements.
Under the new GDPR guidelines, data controllers must notify their country’s supervisory authority of data breaches within 72 hours of discovery (unless the data is encrypted or anonymized).
Penalties for Non-Compliance
Data controllers who fail to comply with the guidelines within the GDPR scope will face heavy penalties. Depending on the type of violation, data controllers who mishandle data or violate a data subject’s rights as handed down by GDPR could face fines of 4% of their global annual revenue or €20 million.
If you have any additional questions regarding CustomerGauge’s GDPR compliance or privacy policies, please reach out to firstname.lastname@example.org.