What is SilkStart doing about General Data Protection Regulation (GDPR)?
Optimizing data security and privacy has long been a focus of ours, which is why we’ve put together this document that details how our business is impacted by GDPR, what we’re doing about it and measures that you can take to ensure your organization is also compliant.
What is GDPR?
The European Union will begin enforcing a new set of regulations surrounding data, known as GDPR (General Data Protection Regulation). The GDPR regulates the collection and storage of personal data for EU residents (including UK residents), regardless of where the organization doing the collecting is located. In other words, GDPR impacts any organization that collects data from EU residents.
Before we start…
The GDPR distinguishes between two entities: controllers, people or organizations that process or store personal data, and processors, people or organizations that process data on behalf of a controller. SilkStart is a processor, while our clients are controllers. Many of the rules of GDPR apply to both processors and controllers; therefore, compliance becomes a shared responsibility.
GDPR is concerned only with the collection of personal data of European residents. This means that GDPR only applies to users that access SilkStart from the EU, including the UK.
Data subjects are those whose personal data is being collected.
What is SilkStart doing to address GDPR?
We’ve thoroughly reviewed the GDPR compliance guide and put together this page to highlight the steps SilkStart is taking to ensure we comply and how our clients can also achieve compliance.
What steps should your organization take to address GDPR?
1. Easy one: check whether you currently store data for EU residents or have any areas online where you may collect data from EU residents
2. Read the GDPR compliance guide put out by the UK Information Commissioner’s Office (ICO)
3. GDPR requires that you document the following:
– Your purposes for processing personal data
– Where data is stored
– Your retention periods for that personal data
– Who it will be shared with
4. Review the software platforms your organization uses to ensure they are making strides towards compliance
5. Inspect your internal processes to see if they might be impacted by GDPR and, if so, get started on making the necessary changes
6. Communicate to your clients how your organization will be compliant prior to May 25th, 2018
GDPR Requirements that impact SilkStart
Consent Requirement
Data subjects must be given the opportunity to choose whether to consent to the processing of their personal data.
What we’re doing
SilkStart has created a customizable text field that administrators may add to all places where the SilkStart platform collects data. To learn how to enable this on your SilkStart website, see this article.
Withdrawal of Consent Requirement
Data subjects must have the ability to easily withdraw their consent to process their personal data.
What we’re doing
Two elements of this requirement lead us to our decision on how best to comply. The first is that a user may not have a login to SilkStart and therefore would not be able to independently withdraw consent. Second, the requirement is dependent on what the user originally consented to, which, as addressed above, depends on the consent details put forth by the controller – the organization using SilkStart.
Given these two aspects of the requirement, we recommend clear communication to users that they can withdraw at any time by contacting the organization directly, whereby an employee of the organization can satisfy the request on their behalf with help from SilkStart.
Right to Access Requirement and Data Portability
Data subjects have the right to obtain confirmation as to whether or not personal data concerning them is being collected, where, and for what purpose. Further, the controller is required to provide, upon request, a copy of the personal data, free of charge, in an electronic format within 30 days of request.
What we’re doing
We will offer an export of the user’s data upon request provided that the user can successfully authenticate by logging in to their SilkStart account. If a user does not have a login, the alternative method for authentication is to have them prove access to the email account we have stored by opening a notification from SilkStart.
Right of Erasure
Data subjects have the right to request that the data controller erase his/her personal data, cease further dissemination of the data, and stop any third parties from processing the data. There are conditions for erasure, including the data no longer being relevant, or a data subject withdrawing consent. In considering the request, controllers are required to weigh the subject’s rights against “the public interest in the availability of the data”. This request must be satisfied within 30 days.
What we’re doing
SilkStart will implement a process for deleting a user’s information upon request by the organization. Similar to Right to Access, we will complete this action for users that can successfully authenticate by logging into their profile. If a user does not have a login, the alternative method for authentication is to have them prove access to the email account we have stored by opening a notification from SilkStart.
Notification of Breach
Data subjects must be notified of any data breach which is likely to “result in a risk for the rights and freedoms of individuals”, within 72 hours of first having become aware of the breach.
What we’re doing
SilkStart will satisfy this requirement in the event of a data breach. We’ll ensure that the controller is notified of the data breach, as well as the data subjects involved and what information was affected.
Data Protection Officer
The GDPR introduces a duty for you to appoint a data protection officer (DPO) if you are a public authority, or if you carry out certain types of processing activities. DPOs assist you to monitor internal compliance, inform and advise on your data protection obligations, provide advice regarding Data Protection Impact Assessments (DPIAs) and act as a contact point for data subjects and the supervisory authority.
What we’re doing
We have appointed a Data Protection Officer voluntarily. We say voluntarily because SilkStart does not satisfy any of the three criteria that would require us to assign a DPO. We’ve done so to make things easier internally and to provide a direct point of contact should a controller have inquiries regarding GDPR. You can reach our DPO at dpo@silkstart.com.
FAQs for Your Organization and GDPR
When does this law take effect?
May 25th, 2018
What happens if I do not comply?
Organizations in breach of the GDPR can be fined up to 4% of their annual global revenue or €20 million (whichever is greater).
What if our organization doesn’t have any EU customers/members?
Your organization may still be impacted. If you potentially collect data from EU residents, whether that be a form on your website or other means, your organization is subject to GDPR.
Why can’t I just update my organization’s Privacy Policy?
Wouldn’t it be nice! Upon a thorough review of the GDPR compliance guide, we found that the requirements of GDPR cannot be satisfied by a user’s acceptance of a privacy policy. Consent must be given separately from the privacy policy. Ultimately, updating your privacy policy is only a part of the whole. It is, however, a good place to include answers to:
– Your purposes for processing personal data
– Where data is stored
– Your retention periods for that personal data
– Who it will be shared with
My organization does not have a registered business in the EU. Is my organization still impacted?
Yes. The GDPR regulates the collection and storage of personal data for EU residents (including UK residents), regardless of where the organization doing the collecting is located.
What is Canada doing to enforce GDPR?
As of now, you would not be held accountable for infringement by the Canadian government. The consequences would be handed down by the EU. There are differing opinions on how and to what extent such penalties would be imposed. We recommend erring on the side of compliance. Further, it’s safe to assume that Canada will follow suit or, at the least, assist the EU with enforcement in future.
What is the United States doing to enforce GDPR?
As of now, you would not be held accountable for infringement by the US government. The consequences would be handed down by the EU. There are differing opinions on how and to what extent such penalties would be imposed. We recommend erring on the side of compliance. Further, it’s safe to assume that the US will follow suit or, at the least, assist the EU with enforcement in future.
What do I need to include in my request for consent?
Please review the checklist for consent on the ICO Compliance Guide: https://ico.org.uk/for-organisations/guide-to-the-general-data-protection-regulation-gdpr/lawful-basis-for-processing/consent/