updated 23 May 2018
What is GDPR?
General Data Protection Regulation (GDPR) is a new EU regulation that extends the protections of personal data for European Union citizens from the 1995 EU Data Protection Directive. As part of these protections, organizations have new obligations when collecting or processing personal data, which will come into effect on May 25th, 2018.
How CustomerGauge Addresses the Most Important Changes of GDPR as a Data Processor
CustomerGauge has provided all the necessary protections for data controllers (our customers) in handling their contacts and needs. Below we address some of the other most important changes coming from GDPR.
CustomerGauge’s product team has developed new features to support our customers’ journey to compliance. These new features mainly concern the “Right to withdraw consent”. Previously, once a data subject had given consent it could not be withdrawn. Now, a data subject can contact the data controller to withdraw their consent, and the data controller can use the CustomerGauge platform to delete the personal data of the data subject.
It’s important to remember that for our customers, CustomerGauge is the Data Processor, and it is the responsibility of the Data Controller (our client) to supervise the deletions: either by deleting directly or by instructing us to do it (we reserve the right to charge for volume).
All CustomerGauge third-party partners and sub-processors have also taken the same necessary steps to ensure GDPR compliance is followed.
Current platform users can refer to the documentation provided on our Support page for further details on these features.
How CustomerGauge handles GDPR rules as a Data Controller
CustomerGauge provides all the necessary protections for our data subjects. Below we address some of the other most important changes that came from GDPR (in effect from 25 May 2018).
While the previous EU legislation (the 1995 EU Data Protection Directive) governed entities within the EU, the territorial scope of the GDPR is far wider because it applies to non-EU businesses who either market their products to people in the EU or who monitor the behavior of people in the EU. With an international presence, CustomerGauge has taken all the necessary precautions to ensure we protect customers and prospective customers in compliance with the policies and procedures handed down by GDPR.
Whenever a data subject submits their personal information to a data controller, the controller needs to ensure they do so with consent and understanding. GDPR has introduced new standards for what this type of consent entails, which calls for consent that is “freely given, specific, informed and unambiguous.” This means that data controllers must use clear language: previous “opt-out” practices via silence or pre-ticked check boxes will not be allowed and must be replaced by a “statement or a clear affirmative action.”
Right to Withdraw Consent and Data Portability
Two new GDPR rules make it easier for users to remove stored information from data controller databases or to demand a copy of their stored information from processors.
The right to withdraw consent requires data controllers to remove data subjects' personal data. If this data is held by a data processor, then the processor must ensure the data controller can perform this action. The right to data portability allows the demand of any information stored about a data subject to be handed over in a common copy format.
Right to Access Data
GDPR enhances the previous rights of data subjects (who always had the right to access their data). Data controllers can no longer charge data subjects for accessing their data. Though there are some circumstances where organizations can refuse a data access request, refusal policies must be clearly spelled out, and data controllers must demonstrate that a request meets the refusal criteria they have spelled out.
Data Privacy Impact Assessment (DPIA)
The new DPIA stipulation concerns building data privacy “by design”. This means that a company must assess how any new projects, technologies or initiatives may impact the privacy of individuals, so that preemptive changes can be made to avoid potential privacy issues.
Data Privacy Officer (DPO)
CustomerGauge has a DPO in place to ensure all compliance efforts are made in accord with GDPR. The DPO typically deals with activities that involve processing personal data on a large scale and is helpful in overseeing how vendors’ security practices comply with GDPR, or in informing third-party vendors of any data subject requests.
Data controllers must have the ability to demonstrate GDPR compliance to local supervisory authorities (the central point of enforcement for DPOs to contact). Policies must be documented, appropriate measures taken, and procedures updated in accordance with the newest GDPR laws.
Updating Privacy Documentation
Data controllers must review and update their privacy statements, internal data policies, and privacy notices so that they meet GDPR standards. CustomerGauge will continue to ensure all documentation meets the necessary GDPR requirements.
Under new GDPR guidelines, data controllers must notify their country’s supervisory authority of data breaches within 72 hours of discovery (unless the data is encrypted or anonymized).
Penalties for Non-Compliance
Data controllers who fail to comply with the guidelines within the GDPR’s scope will face heavy penalties. Depending on the type of violation, data controllers who mishandle data or violate a data subject’s rights as set out by GDPR could face fines of 4% of their global annual revenue or €20 million.
If you have any additional questions regarding CustomerGauge’s GDPR compliance or privacy policies, please reach out to firstname.lastname@example.org.