What’s GDPR & Who’s Affected?
On May 25th, 2018, the General Data Protection Regulation (GDPR) will enter into effect in the European Union. The new privacy laws will have a fundamental impact on how organizations handle data.
The GDPR replaces the previous EU Data Protection Directive with the intention of modernizing data privacy laws across Europe. Online surveys, which are at the forefront of any consumer, market, or employee research, also need to be made compliant with the updated regulations. However, GDPR applies to more than just market research organizations and reaches far beyond Europe.
If any part of your individual or organizational processes EU citizens data, regardless of whether that processing occurs inside or outside of the EU, then the GDPR applies to you. Storing any personally identifiable data within those categories is considered a processing activity and requires GDPR compliance.
Principles of the GDPR
The GDPR is more than just checking boxes to avoid a high-dollar fine. The principles of the GDPR are written with the notion of changing how we perceive and treat personal data. The major principles under Article 5 of the GDPR include:
Lawfulness, fairness and transparency: Personal data shall be processed lawfully, fairly and in a transparent manner in relation to the data subject.
Purpose limitation: Personal data shall be collected for specified, explicit and legitimate purposes and not further processed in a manner that is incompatible with those purposes
Data minimization: Personal data shall be adequate, relevant and limited to what is necessary in relation to the purposes for which they are processed.
Accuracy: Personal data shall be accurate and, where necessary, kept up to date.
Storage limitation: Personal data shall be kept in a form which permits identification of data subjects for no longer than is necessary for the purposes for which the personal data are processed.
Integrity and confidentiality: Personal data shall be processed in a manner that ensures appropriate security of the personal data, including protection against unauthorised or unlawful processing and against accidental loss, destruction or damage, using appropriate technical or organisational measures
Accountability: The controller shall be responsible for, and be able to demonstrate compliance with the GDPR
Key Requirements of the GDPR
In preparation for the GDPR, AYTM has taken great strides to ensure we satisfy the following key requirements:
Personal Data: any information related to a natural person or data subject that can be used to directly or indirectly identify the person is classified as ‘personal data’. Some examples of personal data include email addresses, photos, medical information, phone numbers, a device IP address or a mobile device ID.
Lawfulness of Processing: the Article 6 of the GDPR requires that in order for AYTM to process a personal data, at least one of the following conditions must be met:
the data subject has given consent to the processing of his or her personal data for one or more specific purposes (explicit consent);
processing is necessary for the performance of a contract to which the data subject is party or in order to take steps at the request of the data subject prior to entering into a contract;
processing is necessary for compliance with a legal obligation to which the controller is subject;
processing is necessary in order to protect the vital interests of the data subject or of another natural person (i.e. medical data);
processing is necessary for the performance of a task carried out in the public interest or in the exercise of official authority vested in the controller (i.e. population census).
processing is necessary for the purposes of the legitimate interests pursued by the controller or by a third party, except where such interests are overridden by the interests or fundamental rights and freedoms of the data subject which require protection of personal data, in particular where the data subject is a child.
If none of the above applies, the personal data should not be collected or processed.
Data Collector and Data Processor: there are two entities defined in the GDPR; data controllers and data processors. Data controllers determine the purposes, conditions and means of the processing of personal data. In some scenarios, AYTM clients will act as co-controllers. For instance, when you launch a List Survey where you wish to have its URL open to respondents with an EU IP address or you request a Panel Survey targeting respondents in an EU country, you act with AYTM as a co-controller of any personally identifiable information collected from those respondents. Data processor is an entity that processes personal data on behalf of the controller. Because processors may, in turn, use other data processors the GDPR requires processors and sub-processors to enter into a Data Processing Agreement (DPA). AYTM has a standard GDPR compliant Data Processing Agreement that has been distributed accordingly. If you have any inquiries regarding our DPA, please contact email@example.com
Data breach notification: should a data breach occur, AYTM will react in accordance with the GDPR regulations by sending a notification to the supervisory authority within 72 hours of becoming knowledgeable about the breach.
Data Subjects under the age of 16: AYTM now requires parental consent to process the personal data of children under the age of 16, residing in EU for online services.
Data Protection Manager: Our Director of Client Services, Ariel Hagaman, has taken on the role of managing organizational data protection and overseeing GDPR compliance in Data Protection. If you have any questions please contact firstname.lastname@example.org where Ariel Hagaman will be the main point of contact.
This blog was created to provide a high-level, general understanding of GDPR in relation to AYTM. This should by no means be considered or used as a substitute for legal advice. AYTM does not accept any responsibility or liability for the accuracy, completeness, legality, or reliability of the information contained on this blog.