In October 2015, the European Union and United States Safe Harbor provisions that many companies relied upon for the transfer of digital information between the United States and the European Union were ruled to be invalid by the European Court of Justice. The European Union General Data Protection Regulation (GDPR) was summarily put in place. The European Union began enforcing these regulations as of 25 May 2018. This article will detail how SharpSpring protects the information and data of European Union and European Economic Area (EU/EEA) customers and how SharpSpring is in full compliance of the GDPR. This article does not require action.
- European Union General Data Protection Regulation Compliance
- Why the GDPR Impacts SharpSpring and Customers
- How SharpSpring is Preparing for the GDPR
- Penalties for Violating the GDPR
- Rights and Protections Overview
- Data Protection Officers Overview
- Ready to Learn More?
European Union General Data Protection Regulation Compliance
Previously, the Data Protection Directive (officially Directive 95/46/EC) was what SharpSpring and other organizations followed. The Data Protection Directive dealt with the protection of individuals with regard to the processing and free movement of personal data. This was a European Union directive that was adopted in 1995, and it regulated the processing of personal data within the European Union. Under this directive, personal data was only able to be transferred to countries outside the European Union if that organization provided an adequate level of protection.
This directive was repealed and replaced with the European Union General Data Protection Regulation (GDPR). The GDPR is a law which expands on original European Union data laws. The law was enacted 27 April 2016, and was implemented 25 May 2018. As such, SharpSpring has and continues to make strides to ensure total compliance.
As the Data Protection Directive was a directive and not a regulation, it did not have full legislative backing. The GDPR is a regulation, and it has the full legislative and legal backing provided by the European Union.
Why the GDPR Impacts SharpSpring and Customers
The GDPR impacts organizations and individuals in similar ways. There are several important differences to consider, however.
SharpSpring, as well as all marketing automation providers that have European Union customers, are impacted by the GDPR. These new regulations are meant to regulate the flow, procurement, and use of data between data controllers and data processors. Article Four of the GDPR states the following:
- Data controllers are those entities that determine the means and purpose of processing personal data.
- Data processors are entities and organizations that process personal data on behalf of the data controller.
The GDPR impacts organizations that fulfill at least one of the following situations:
- The organization is based in the European Union and controls or processes personal data for EU/EEA individuals (also known in this capacity as data subjects).
- The organization controls or processes personal data for EU/EEA individuals.
As stated, the GDPR applies not only to organizations within the European Union, but also to customers or organizations located outside of the European Union if they interact with EU/EEA individuals. This interaction includes standard goods or services, or the more modern monitoring of data and the behavior of individuals. As such, the GDPR applies to all organizations, entities, and companies processing and holding the personal data of individuals residing in the European Union, regardless of where the organization, entity, or company is located. For more information, refer to the Recommended Customer Actions section of How the GDPR Impacts SharpSpring and You.
How SharpSpring is Preparing for the GDPR
SharpSpring updated terms, privacy policies, software, and infrastructure to be in full compliance with the new regulations when the GDPR went into effect 25 May 2018. For more information on SharpSpring's changes to software and policies, refer to How the GDPR Impacts SharpSpring and You.
For European Union customers, SharpSpring does transfer data outside of the European Union. Data is mainly stored in data centers in the United States, and this data could be accessed by both the United States and international resources working for SharpSpring during the course of the customer relationship. Each of these SharpSpring subsidiaries supporting SharpSpring's global customer base entered into Standard Contractual Clause agreements with the EU/EEA subsidiary by the time that the GDPR went into effect.
Penalties for Violating the GDPR
Failure to comply with the GDPR will result in monetary penalties. There are two levels of fines related to noncompliance. These fines relate to the severity of the violation:
- For lesser violations, such as not reporting a data breach in the time specified by the GDPR, the fine will total the greater amount of €10,000,000 or 2% of total global annual turnover.
- For more egregious violations, such as disregarding the GDPR's data processing rules, the fine will total the greater amount of €20,000,000 or 4% of total global annual turnover.
In addition, if an organization violates multiple rules in the GDPR, the organization will be fined for only the most egregious violation, and not for each separate violation.
Rights and Protections Overview
The GDPR was crafted with the data and privacy rights in mind. The regulation's core tenets reflect this. These protected rights include, but are not limited to:
These rights and protections are expanded upon below.
With the GDPR, protections for consent were considered paramount. As a result, conditions and qualifications for consent were vastly improved and otherwise strengthened. With the GDPR, consent is impacted as follows:
- Organizations must speak and write plainly and are disallowed from using unclear, legally worded, or otherwise illegible terms and conditions.
- Requested consent must be provided clearly and must be wholly accessible.
- All requests for consent must clearly state the purpose as to the reason for requesting consent.
- Consent must be able to be withdrawn as easily as it was given.
- Consent is no longer considered as forever and must be reapproved over time.
- In emails, unsubscription links must be readily apparent and visible.
The Right to Access
The GDPR provides rights and securities for individuals in regards to access. Specifically, the GDPR does the following:
- The GDPR provides individuals with the right to know whether or not data controllers are processing their personal information, as well as the processing location and purpose.
- The GDPR requires data controllers to provide a free electronic copy of the individual's personal data.
The Right to Be Forgotten
Data erasure, known also as the right to be forgotten, entitles individuals to the following rights:
- Individuals can request that data controllers permanently erase their personal data.
- Individuals can force the stoppage of further dissemination of their personal data.
- Individuals can force third parties to halt processing of their personal data.
Data erasure is conditional, however. Conditions include the data no longer being relevant to original purposes for processing or individuals withdrawing consent.
Data Breach Notification
Under the GDPR, notifications on data breaches are mandatory and must be done within 72 hours of an organization first having become aware of the breach. In addition, data processors will also be required to notify affected individuals without delay after first becoming aware of a data breach.
Data portability is the right for an individual to receive their personal data and all associated data in which they are affiliated. This data must be provided in a common and easily readable electronic format. With data portability, individuals have the right to transmit that data as needed.
Privacy by Design
Privacy by design requires data protection as a core feature when designing systems, as opposed to being a later addition. Additionally, controllers can retain and process only the essential data needed for a system or service to function. Privacy by design also installs limits as to who has access to personal data.
Data Protection Officers Overview
Data protection officers (DPOs), also known as data privacy officers, are security officials. DPOs are a key requirement for GDPR compliance. While not necessary for all organizations, with the GDPR, these roles are mandatory for any organization that processes or stores large amounts or personal data. This personal data can deal with an organization's employees, an organization's customers or providers, or any other individuals covered by the GDPR-at-large.
Officer and Organization Interaction
DPOs primarily audit organizations to ensure compliance, and should be treated as any other auditor. As such, per the GDPR, DPOs require operational independence. This means that organizations may interact with their DPOs in very specific manners. The GDPR requires the following for DPOs:
- DPOs should not receive instruction from or otherwise be pressured in any fashion by an organization.
- DPOs must have an unhindered, immediate, and total authority to investigate organization activities, including those activities at higher levels of organizational management.
- Within an organization, DPOs must not be subject to direct supervisory oversight and must report to the most senior levels of management.
- DPOs must manage their own operational budgets.
- Organizations must provide operational support to the DPO, including any necessary staff, resources, or facilities.
- DPOs should be appointed for a term of two-to-five years (and not set to a short-term contract), with a maximum reappointment term of ten years.
- DPOs may only be dismissed from an organization with the explicit approval of the European Data Protection Supervisor (EDPS), which is itself an entity independent from the organization.
The primary duties of the DPO are to ensure that an organization is in compliance with and acting in full faith towards the GDPR. The individual aspects of these duties include the following:
- DPOs must be the point-of-contact for data subjects and be available to inform them on how an organization is utilizing and protecting their personal data, as well as how data subjects can request data erasure.
- DPOs must remain in contact with and work alongside EDPS.
- DPOs must constantly audit an organization and present to the EDPS information on organizational operations that present specific risks or otherwise are most likely to violate GDPR rules.
- DPOs must alert an organization to violations of GDPR rules.
- DPOs must hold an organization accountable when the organization is in violation of GDPR rules.
- DPOs must educate and train an organization and its employees on remaining compliant with the GDPR.