The General Data Protection Regulation
The EU’s new data privacy law, the General Data Protection Regulation (GDPR), becomes enforceable on May 25, 2018 and applies not only to EU-based organizations, but also to organizations outside the EU that offer goods or services to, or monitor the behavior of, people in the EU.
We are actively preparing our business and compliance processes for the GDPR to take effect, and this guide is intended to help our customers do the same. Please note that this guide is for informational purposes only and should not be relied upon as legal advice. We encourage you to work with legal and other professional counsel to determine precisely how the GDPR might apply to your organization.
What and Who
The GDPR is a European Union (EU) privacy law that will affect businesses around the world when it becomes enforceable on May 25, 2018. It regulates how any organization that is subject to the Regulation treats or uses the personal data of people located in the EU. Personal data is any piece of data that, used alone or with other data, could identify a person. Note that the test is where the individual is located, not their nationality: if you collect, change, transmit, erase, or otherwise use or store the personal data of people in the EU, you’ll need to comply with the GDPR.
The GDPR will replace an older directive on data privacy, Directive 95/46/EC, and it introduces a few important changes that may affect Botdoc users.
A regulation such as the GDPR is a binding act, which must be followed in its entirety throughout the EU. The GDPR is an attempt to strengthen, harmonize, and modernize EU data protection law and enhance individual rights and freedoms, consistent with the European understanding of privacy as a fundamental human right. The GDPR regulates, among other things, how individuals and organizations may obtain, use, store, and eliminate personal data. It will have a significant impact on businesses around the world.
Who does it affect?
The scope of the GDPR is very broad. The GDPR will affect (1) all organizations established in the EU, regardless of whether the processing itself takes place in the EU, and (2) organizations established outside the EU that process the personal data of people in the EU in connection with offering them goods or services (whether or not payment is required) or monitoring their behavior within the EU (see Article 3). The latter is the GDPR’s introduction of the principle of “extraterritoriality”; meaning, the GDPR can apply to an organization processing personal data of people in the EU regardless of where it is established, and regardless of where its processing activities take place. This means the GDPR could apply to any organization anywhere in the world, and all organizations should perform an analysis to determine whether or not they are processing the personal data of people in the EU and on what basis. The GDPR also applies across all industries and sectors.
There are a few definitions that will aid the understanding of the GDPR’s broad scope.
What is considered “personal data”?
Per the GDPR, personal data is any information relating to an identified or identifiable individual; meaning, information that could be used, on its own or in conjunction with other data, to identify an individual. Consider the extremely broad reach of that definition. Personal data will now include not only data that is commonly considered to be personal in nature (e.g., social security numbers, names, physical addresses, email addresses), but also data such as IP addresses, behavioral data, location data, biometric data, financial information, and much more.
Special categories of personal data (often called sensitive personal data), such as health information, genetic or biometric data used to uniquely identify a person, or information that reveals a person’s racial or ethnic origin, political opinions, religious beliefs, trade union membership, or sex life or sexual orientation, are subject to stricter rules and can generally only be processed under one of the specific conditions listed in Article 9. You should not store data of this nature within your Botdoc account.
What does it mean to “process” data?
Per the GDPR, processing is “any operation or set of operations which is performed on personal data or on sets of personal data, whether or not by automated means, such as collection, recording, organization, structuring, storage, adaptation or alteration, retrieval, consultation, use, disclosure by transmission, dissemination or otherwise making available, alignment or combination, restriction, erasure or destruction.” Basically, if you are collecting, managing, using or storing any personal data of people in the EU, you are processing EU personal data within the meaning prescribed by the GDPR. Merely holding data counts: storage and even erasure are processing. This means, for example, that if any of your Botdoc accounts contain the email address, name, or other personal data of any person in the EU, then you are processing EU personal data under the GDPR.
Do you need to comply with the GDPR?
You should consult with legal and other professional counsel regarding the full scope of your compliance obligations. Generally speaking, however, if you are an organization that is established in the EU, or one that is processing the personal data of people in the EU in connection with offering them goods or services or monitoring their behavior, the GDPR will apply to you. Even if all that you are doing is collecting or storing email addresses, if those email addresses belong to people in the EU, the GDPR likely applies to you.
Data Controllers and Data Processors
GDPR carries over the concepts of data controllers and data processors from the Directive. Similar to the Directive, data controllers and data processors have different obligations under GDPR. Therefore, it’s important to understand whether you’re acting as a data controller or a data processor in relation to the various categories of personal data you process.
WHO IS A DATA CONTROLLER?
GDPR defines a data controller as “the natural or legal person, public authority, agency or another body which, alone or jointly with others, determines the purposes and means of the processing of personal data.” In other words, if your organization processes personal data for your own organization’s purposes and needs—not merely as a service provider acting on behalf of another organization—then you are likely to be a data controller.
When Botdoc processes your Customer Account Data, meaning you have created an account, the Botdoc entity with whom you are contracting is acting as a controller.
WHO IS A DATA PROCESSOR?
Businesses or organizations that process personal data solely on behalf of, and as directed by, data controllers are data processors. In other words, when a data controller outsources a data processing function to another entity, that other entity is generally a data processor.
When our customers use our Services, we process and store certain information on their behalf as a data processor. For example, when a customer (or the customer’s Authorized Users) uploads or downloads files or other documents for review we act primarily as a data processor and process information on the customer’s behalf and in accordance with their instructions. In those instances, the customer as the data controller is responsible for most aspects of the processing of the information.
Will Botdoc comply with the GDPR?
Botdoc is excited about the GDPR and the strong data privacy and security principles that it emphasizes, many of which Botdoc instituted long before the GDPR was enacted. At Botdoc, we believe that the GDPR is an important milestone in the data privacy landscape, and we are committed to achieving compliance with the GDPR on or before May 25, 2018.
Botdoc’s GDPR preparation started more than a year ago, and as part of this process we are reviewing (and updating where necessary) all of our internal processes, procedures, data systems, and documentation to ensure that we are ready when the GDPR goes into effect. While much of our preparation is happening behind the scenes, we are also working on a number of initiatives that will be visible to our users. We are, among other things:
- Updating our Data Processing Addendum to meet the requirements of the GDPR in order to permit you to continue to lawfully transfer EU personal data to Botdoc and permit Botdoc to continue to lawfully receive and process that data;
- Updating our third-party vendor contracts to meet the requirements of the GDPR in order to permit us to continue to lawfully transfer EU personal data to those third parties and permit those third parties to continue to lawfully receive and process that data;
- Analyzing all of our current features to determine whether any improvements or additions can be made to make them more efficient for those users subject to the GDPR;
- Evaluating potential new GDPR-friendly features to add to our application.
Botdoc has self-certified to both the EU-U.S. Privacy Shield and Swiss-U.S. Privacy Shield regimes, and lawfully transfers EU/EEA personal data to the U.S. pursuant to our Privacy Shield certification. We also complete a SOC 2 Type 2 examination on an annual basis against the Trust Services Criteria of Security, Processing Integrity, Confidentiality, and Availability.
DATA SUBJECTS’ RIGHTS
In addition, we will be prepared to address any requests made by our customers related to their expanded individual rights under the GDPR:
Right of Access Under the GDPR’s principle of “lawfulness, fairness, and transparency,” data processing must be transparent. Hand in hand with that, data subjects have a “right of access” to obtain from a controller a copy of their personal data being processed, as well as information about that processing, such as how and why their personal data is processed, how long it will be retained, and whom it has been shared with (see Article 15).
Right to Rectification Data subjects have a right to ask a controller to rectify inaccurate personal data about them being processed by an organization. And, in appropriate circumstances, data subjects have a right to complete any incomplete personal data about them (see Article 16).
Right to Be Forgotten The right to be forgotten (formally, the right to erasure), though implied under the Directive, is now clearly codified in GDPR in Article 17. Data subjects generally have a right to request that a controller erase their personal data, for example where the data is no longer necessary for the purpose it was collected for or where they withdraw the consent on which the processing was based.
Right to Restriction of Processing Similar to the right to be forgotten, data subjects have a right to request that a controller restrict processing of their personal data (see Article 18).
Right to Data Portability GDPR introduces a new data subject right: the right to data portability. Where processing is based on consent or a contract and is carried out by automated means, controllers must provide data subjects with the personal data they supplied in a structured, commonly used and machine-readable format, so that they can take it with them to another organization. In other words, they should be able to take their personal data out of one business’s system and move it to another business’s system (see Article 20).
Right to Object Controllers whose lawful basis for processing personal data is their legitimate interests (Article 6(1)(f)) or a task carried out in the public interest (Article 6(1)(e)) must allow data subjects a right to object to the processing of their data. The data subject’s wishes must be respected unless the controller demonstrates compelling legitimate grounds for the processing that override the data subject’s interests, rights and freedoms, or the processing is needed to establish, exercise or defend legal claims (see Article 21).
A common scenario where this comes up is in the context of marketing communications. When a data subject objects to their personal data being used for direct marketing purposes, their wishes must be respected: for direct marketing there is no balancing test, and the personal data may no longer be processed for that purpose. Further, no later than the very first marketing communication with a data subject, they must be made aware of their right to object to further use of their personal data for these purposes.
Right to Object to Automated Decision Making When it comes to decisions that could have a legal, or otherwise significant, impact, GDPR gives data subjects the right to insist that a human be involved in that decision-making process. In particular, GDPR says data subjects have the right “not to be subject to a decision based solely on automated processing, including profiling” (see Article 22). This right does not apply where the decision is necessary for a contract with the data subject, is authorized by EU or member state law, or is based on the data subject’s explicit consent; even then, the controller must provide safeguards such as the ability to obtain human intervention and to contest the decision.
It is worth noting that nearly all of the above data subject rights are not absolute. For example, there may be situations where your business may have a greater interest in not erasing certain personal data than a data subject has in asking you to erase it. Therefore, if any of the rights described above cause you concern, it is worth further investigation into the nuances of the law relating to that right to make sure you fully understand your obligations.
You need to have a legal basis, like consent, to process the personal data of a person in the EU (see Article 6). Under the GDPR, you may use another legal basis for processing personal data, such as performance of a contract or your legitimate interests, but we anticipate that many Botdoc users will rely on consent. This consent must be freely given, specific, informed, unambiguous, and verifiable.
Verifiable consent requires a written record of when and how someone agreed to let you process their personal data, because the controller must be able to demonstrate that consent was given (see Article 7). Consent must also involve a clear affirmative action. This means clear language, no pre-checked consent boxes, and no treating silence or inactivity as consent. Withdrawing consent must be as easy as giving it, so you should plan for how a withdrawal is recorded and acted on.
About Individual Rights
The GDPR also outlines the rights of individuals around their personal data. People in the EU will have the right to ask for details about the way you use their personal data and can ask you to do certain things with that data. You should be prepared to support people’s requests in a timely manner; in general, you must respond without undue delay and at the latest within one month of receiving the request (see Article 12). People have the right to request that their personal data be corrected, provided to them, restricted from certain uses, or removed completely.
You should also be able to tell someone, among other things, how their personal data is being used. If they ask, you’re obligated to share the personal data you hold on an individual or offer a way for them to access it.
GDPR represents a significant update to the provisions of the Data Protection Directive in an effort to provide appropriate protections for data subjects with respect to how organizations process, transfer, store, and protect the enormous amount of personal data being processed today. Therefore, it is important that when your organization selects a product or software, your selection takes these new compliance obligations into account.
While there is still some ambiguity as to how these provisions will be enforced and interpreted once this measure takes full effect in May 2018, data privacy considerations and conversations around processing of personal data should not be delayed.
We hope this information provides you with insights for taking a proactive approach to data protection.