GDPR compliance at ReSci
The General Data Protection Regulation (GDPR), which will be enforceable on May 25th, 2018, is a regulation from the European Parliament, the Council of the European Union and the European Commission that attempts to strengthen and unify data protection for all individuals within the European Union (EU). It also addresses the export of personal data outside the EU. When the GDPR takes effect, it will replace the data protection directive of 1995.
This post will address how ReSci is compliant with the GDPR. Please note that this post is for informational purposes only and should not be used as legal advice. We at ReSci encourage you to work with legal counsel to determine precisely how the GDPR might impact your business. The GDPR website also has good FAQs, which cover who it affects, what changes, penalties, and more.
ReSci already takes great measures to protect your data. The GDPR adds some new privacy protections for individuals within the EU:
- Expansion of scope: The GDPR applies to all organizations established in the EU or processing data of EU citizens
- Expansion of definitions of personal and sensitive data: any information relating to an identified or identifiable individual; meaning, information that could be used, on its own or in conjunction with other data, to identify an individual.
- Expansion of individual rights: EU citizens will have several important new rights under the GDPR, including:
  - Right to be forgotten: An individual may request that an organization delete all data on that individual without undue delay.
  - Right to object: An individual may prohibit certain data uses.
  - Right to rectification: Individuals may request that incomplete data be completed or that incorrect data be corrected.
  - Right of access: Individuals have the right to know what data about them is being processed and how.
  - Right of portability: Individuals may request that personal data held by one organization be transported to another.
- Stricter consent requirements: You will need to obtain consent from your subscribers and contacts for every usage of their personal data, unless you can rely on a separate legal basis. Keep in mind that:
  - Consent must be specific to distinct purposes.
  - Silence, pre-ticked boxes or inactivity does not constitute consent; data subjects must explicitly opt in to the storage, use and management of their personal data.
  - Separate consent must be obtained for different processing activities, which means you must be clear about how the data will be used when you obtain consent.
- Stricter processing requirements: Individuals have the right to receive “fair and transparent” information about the processing of their personal data, including:
  - Contact details for the data controller.
  - Purpose of the data: This should be as specific (“purpose limitation”) and minimized (“data minimization”) as possible. You should carefully consider what data you are collecting and why, and be able to justify that to a regulator.
  - Retention period: This should be as short as possible (“storage limitation”).
  - Legal basis: You cannot process personal data just because you want to. You must have a “legal basis” for doing so, such as where the processing is necessary to the performance of a contract, an individual has consented (see consent requirements above), or the processing is in the organization’s “legitimate interest.”
How does ReSci help you comply with the GDPR?
The below will cover both explicit ways that ReSci complies, as well as best practices for how you pass over data and use our platform.
- GDPR user rights:
  - Right to be forgotten: You may delete individual subscribers upon their request at any time.
  - Right to object: You may opt your subscribers out of specific communication types (or simply unsubscribe them or delete them).
  - Right to rectification: You may update your subscribers within your ReSci account to correct or complete subscriber/contact information upon their request at any time.
  - Right of access: You may access your subscribers’ data within your ReSci account upon their request at any time.
  - Right of portability: You may export any of your lists of subscribers in CSV format at any time.
- Email capture forms: For any information you collect via your forms on your website or app, it is your responsibility to ensure that you obtain consent from your customers and contacts to send their information to ReSci for processing. You should ensure that all of your pop-up windows, forms, etc. include language that provides this consent.
- Unsubscribing: Please ensure that all email templates in your ReSci account include unsubscribe links, and test the links to ensure they work. If you are passing unsubscribe information via imports, please test these imports regularly and check counts within our application. You may also unsubscribe users individually in our UI if you have access to our Microscope feature.
- You should also ensure that you are keeping accurate records, especially of your subscribers’ and contacts’ consent permitting you to send them marketing emails, store and use their personal data, and carry out any other processing activities. ReSci can help you obtain proof of consent and will store a record of the date of your subscribers’ signup, as well as the date of their removal of consent. We recommend consulting with legal counsel to determine whether consents obtained prior to the GDPR comply with its requirements, or whether you should instead contact your subscribers and contacts to re-request consent in accordance with the GDPR requirements, or rely on a different lawful basis for your processing under the GDPR.
- You should review any ReSci integrations or add-ons that you are using (or plan to use), and any terms associated with those, to ensure that you have adequately disclosed potential data processing activities associated with your use of those services to your subscribers and contacts.
- You may want to consider updating your privacy statement to include language that specifically identifies ReSci as one of your processors and delineates the applicable processing activities performed by ReSci, such as the collection (e.g., via sign-up forms) and storage and processing of personal data, and the transfer of personal data for your own purposes (e.g., reporting).