As this point you may be aware of the upcoming European Union (EU) privacy regulation called the General Data Protection Regulation (GDPR). This new regulation expands the rights of EU citizens to control how their personal data is collected and processed by third parties.
The GDPR comes into force May 25, 2018, and Cloze will be compliant before the deadline.
We have added several new features to make it easier for you to comply with the GDPR.
Does the GDPR apply to me?
Even if you are located in the United States or another country outside the EU, but work with clients in the EU, you will still need to comply with the GDPR.
The GDPR impacts how all businesses, regardless of the company’s location, collect, process, store and manage Personal Data of European Union citizens. This greatly expands the scope of the current EU legislation (the 1995 European Union Data Protection Directive), which only governs entities within the EU.
You may be also asking, what is “personal data”, and do I have any personal data about my customers?
The GDPR defines personal data as…
any information relating to an identified or identifiable natural person (a “data subject”); an identifiable natural person is one who can be identified, directly or indirectly, in particular by reference to an identifier such as a name, address, telephone number, mobile number or e-mail address, an identification number, location information, an online identifier, or to one or more factors specific to the physical, physiological, genetic, mental, economic, cultural or social identity of that natural person.
So by this definition the majority of information collected in day-to-day business activity whether from a lead form, a survey on your website or even a business card handed to you at a trade show is considered personal information.
Do I need to comply?
Of course every business situation is different so you should consult with your lawyer and other counsel regarding your compliance obligations.
But, if your company is based in the EU or is processing the personal data of EU citizens, the GDPR will apply to you. If you are not based in the EU, but have any personal data from EU citizens you will also need to comply. Even if you receive an occasional inquiry through your website from an EU citizen, and you simply store their email address from the lead form, you will need to comply with the GDPR.
What happens if you do not comply?
Simply put, non-compliance with the GDPR can result in very large financial penalties. Businesses of all sizes will need to comply with the GDPR.
Controller vs. Processor, what’s the difference?
Two terms you will hear about as you prepare for GDPR compliance are “Controller” and “Processor”. Generally speaking you and your business can be both a Controller and Processor of different types of personal information. Let’s take a look at the definitions.
Following the definition below, the people you store in Cloze are under your control. So for the purposes of the GDPR you are the Controller and Cloze is the Processor.
‘controller’ means the natural or legal person, public authority, agency or other body which, alone or jointly with others, determines the purposes and means of the processing of personal data; where the purposes and means of such processing are determined by Union or Member State law, the controller or the specific criteria for its nomination may be provided for by Union or Member State law;
As the Controller you will need what is called Lawful Basis for the processing of personal information of EU citizens. These are found in Article 6 of the GDPR and excerpted below:
- Consent – the data subject has given consent to the processing of his or her personal data for one or more specific purposes.
- Contract – processing is necessary for the performance of a contract to which the data subject is party or in order to take steps at the request of the data subject prior to entering into a contract
- Legal Obligation – processing is necessary for compliance with a legal obligation to which the controller is subject
- Vital Interests – processing is necessary in order to protect the vital interests of the data subject or of another natural person
- Public Task – processing is necessary for the performance of a task carried out in the public interest or in the exercise of official authority vested in the controller
- Legitimate Interests – processing is necessary for the purposes of the legitimate interests pursued by the controller or by a third party, except where such interests are overridden by the interests or fundamental rights and freedoms of the data subject which require protection of personal data, in particular where the data subject is a child.
Just like you will need Lawful basis for processing of EU citizen personal information, Cloze serves as the Controller for personal information we collect about you (if you are an EU citizen user of our product, Cloze, and our associated websites and mobile apps) in order for us to deliver our service to you. For example your Cloze username and password are considered personal information that Cloze controls and is necessary for us to perform our contractual obligation.
We will only collect and process Personal Information about you where we have a lawful basis.
As your Processor, Cloze processes the personal data you have acquired:
‘processor’ means a natural or legal person, public authority, agency or other body which processes personal data on behalf of the controller;
You will need to document your Legal Basis for processing personal information of EU citizens. In some cases, if you don’t already have the the proper Legal Basis you will need to acquire it through direct outreach and then document it.
Please keep reading to learn more about our new features to help you with this effort.
Cloze can help you comply with the GDPR
The GDPR affords your EU citizen clients and potential clients many rights including, but not limited to:
- The right of access
- The right to rectification
- The right to erasure
- The right to restrict processing
- The right to data portability
Cloze provides you with the tools you need in order to be compliant with the GDPR and to handle these types of requests. In general, your customers will contact you (for example to get you to remove information, get a copy of it, etc.) and you will then use the features of Cloze to comply with their requests:
- Update your email signature – You can customize your Cloze signature and template to include any terms you need related to privacy, right to be forgotten, etc.
- Permanently delete contact information if requested – You can delete specific contact information in Cloze and, once deleted, it’s permanently gone. Or delete an entire contact as well.
- Export a history of your activity with a person if requested – You can generate a log of what messages you have related to a person (for example what emails and calls you’ve exchanged)
- New GDPR Compliance Features – We have also added additional capabilities for managing “do not contact” lists, and tracking of GDPR lawful basis:
- Enable enforcement of Do Not Contact for anyone that has no Lawful Basis set
- Enable the “Do Not Contact” Custom Field to track your opt-outs
- Enable the “Lawful Basis” Custom Field
- Smart links, to unsubscribe or acquire consent, that you can include in your email signatures and templates, and which automatically linked to these custom fields.
What we’re working on now to prepare for the deadline
As we approach the May 25, 2018 deadline we are working hard to ensure our documentation, internal processes and security protections meet or exceed the guidelines outlined by GDPR. Over the coming days you will see more updates and new features to assist you in meeting your obligations under GDPR.
Privacy Shield and Transfers Outside the EU
The GDPR puts special restrictions on personal data that’s transferred outside the EU, in order to ensure it’s adequately protected.
Privacy Shield allows US companies (like Cloze), or EU companies working with US companies, to meet these requirements of the GDPR.
We plan to be Privacy Shield certified by the date the GDPR regulations come into force. So your data will be safe with Cloze, and your use of Cloze will be compliant with GDPR and other EU data protection laws.
More features are in the works to help you comply with GDPR
- One-tap ways to share contact information with people that request it
- Clean-up tools to make deleting old information fast and easy
- Opt-out integration with MailChimp
A final thought
One last note, I’m not a lawyer, so this is not considered legal advice and it’s only meant to help guide your compliance. Please consult your own attorney for advice related to your specific business.