The General Data Protection Regulation (GDPR) is an EU regulation that applies from May 25, 2018. It is designed to protect the privacy and rights of individuals in the EU and EEA, and it applies regardless of where the organization handling their data is located. If you do business in Europe, or have any contacts in your GreenRope CRM who are in the EU/EEA, the GDPR applies to you. This means people in the EU, the UK, Norway, Iceland, and Liechtenstein must have the protections outlined in the GDPR whenever their personal data is stored or handled by any company in the world.
Note that this page is a high-level description and is not intended as legal advice or counsel. For your own protection, we recommend you retain a legal expert who can review your company processes and advise you on the best course of action to maintain compliance with GDPR.
There are two types of organizations that must prepare for GDPR: data controllers (likely you, a GreenRope customer and user of our platform, because you decide what data is collected and why) and data processors (us, GreenRope, because we process the data you put into the GreenRope CRM on your behalf). Since our networks store your client data, we must provide the tools and resources to help you meet your obligations under GDPR as a data controller.
GDPR governs the storage, transfer, and use of personal data, meaning any data that relates to an identified or identifiable individual person. These individuals are referred to as data subjects in the context of the GDPR.
From the very beginning we have made protecting your data our highest priority and have committed to ensuring that only you have access to your data. In 2014, under the EU-US Safe Harbour and Swiss-US Safe Harbour frameworks, GreenRope committed to ensuring your privacy. In 2016, GreenRope was among the first companies to certify compliance with the EU-US Privacy Shield and Swiss-US Privacy Shield programs that replaced them. More information about this is available in our Privacy Policy, and we remain committed to protecting the data you trust us with.
Additionally, GreenRope undergoes regular audits and security testing to ensure our networks are secure. All connections you make to our networks are encrypted with TLS (commonly still referred to as SSL), which protects your data in transit. Transport encryption does not by itself protect data at rest; that is handled by separate controls such as the encrypted backups described below.
Your data subjects are the contacts in your CRM, and if they are in the EU/EEA, GDPR gives them certain rights related to the processing of their personal information. By "processing", the regulation means collecting, storing, using, sharing, or deleting that personal information. The regulation's key requirements can be summarized in a few key points:
GDPR requires companies to practice data minimization, which means collecting only the personal information that is necessary for the purpose you have stated to the customer. Whether a given field is necessary is a judgment call, but the intent is clear: companies should not collect as much information as they can about someone just for the sake of keeping it. A practical check is to review each field in your CRM and ask what purpose it serves; if you cannot name one, stop collecting it.
GDPR requires all data controllers and processors to implement appropriate technical and organizational measures to protect personal information. In practice this means encrypting data backups, always using encrypted connections when transferring data, and limiting access to data to only those who need it for their role.
GDPR sets a minimum age of 16 before an individual can give consent on their own for a company to process their personal information. Some EU countries have lowered this age to as low as 13, so if you are asking younger people to provide information, be sure that a parent or guardian (the holder of parental responsibility) is providing the consent on their behalf.
GDPR requires that, for a business to process data about data subjects (individuals), at least one of six lawful bases must apply: a) consent, b) performance of a contract, c) legal obligation, d) vital interests, e) public interest, or f) legitimate interests. Be sure you assess this for every category of data you collect about the contacts in your CRM. If you do collect information about contacts without their consent, be sure one of the other lawful bases applies, such as fraud prevention or identity confirmation under legitimate interests, or a necessity to execute your contract with your clients. Your company privacy policy should list these categories of data and the lawful basis that applies to each.
Enforcement of GDPR is handled by the supervisory (data protection) authorities of the member states, which protect the rights of the individuals in their jurisdiction. The intent of the regulation is to open a dialogue with companies who are not complying, get them into compliance, and resolve issues quickly. The regulation does, however, allow fines for non-compliance of up to 20 million Euros or 4% of your company's annual global revenue, whichever is greater.
If there is a personal data breach, GDPR requires the data controller to notify the competent supervisory authority without undue delay and, where feasible, no later than 72 hours after becoming aware of the breach. A data processor that discovers a breach must notify the controller without undue delay so that the controller can meet this deadline. If the breach is likely to result in a high risk to the affected individuals, they must be informed as well.
There are some steps that you and your team will want to take as part of preparing for GDPR and ensuring you are in compliance.
If you have any questions about GDPR and how we can help you meet the requirements of the regulation, please feel free to reach out to us any time. While we cannot provide official legal counsel, we can point you in the right direction and get you prepared to meet the requirements of the regulation.