What is GDPR?
The General Data Protection Regulation (GDPR) is a legal framework that sets guidelines for the collection and processing of personal information of individuals within the European Union (EU). The aim of the GDPR is to protect all EU citizens from privacy and data breaches in an increasingly data-driven world.
If your customers include EU citizens, then you have an obligation to comply with GDPR even if your organisation is located outside the EU.
Types of Data Responsibilities
EU law applies to two groups of parties:
- Data Controllers
- Data Processors
Your organisation is the data controller and the Pathfinder organisation is the data processor.
A data controller is the person (or business) responsible for the keeping and use of personal information; the controller determines and controls the purposes for which, and the way in which, personal data is processed.
In brief, you need to ensure the data you collect is:
- Adequate, relevant, and limited to what is necessary
- Deleted after a reasonable period of non-use
- Opted in. Your customers need to clearly opt in to cookies on first use of your site (and again whenever any additional tracking or data collection is introduced)
- Not collected at all if the customer exercises their 'right to object'
- Available for the customer to see, and to take to another service, within a set time frame if they submit a 'Subject Access Request' to you
- Erased, within a set time frame, if the customer submits a 'right to erase' request
As data controller, you will be subject to a number of requirements under EU law. For example, you must also:
- Notify the relevant national authority before carrying out any data processing. UK companies must register with the ICO (Information Commissioner's Office).
- Implement technical and organisational measures to protect personal data against accidental loss or destruction, unauthorised access, or other unlawful processing. This includes the territories in which you store data and which staff have access to it.
- Ensure data protection and confidentiality clauses are included in employment contracts and for agreements with any contractors.
You may also be a data processor in your own right, which carries additional responsibilities (unrelated to the Pathfinder system). CustomSell Ltd is the data processor for the Pathfinder system and complies with the relevant requirements.
This is a wide-reaching and important obligation. You should ensure you receive expert advice from your legal counsel or from a data protection audit firm.
Click to see how you can enforce data protection in Pathfinder.