The GDPR went into effect May 25, 2018, and applies to organizations both within the European Union (EU) and organizations in other locations that deal with the data of people in the EU. Learn more about this important EU regulation and how it applies to you as a FormAssembly customer.
- What is the GDPR?
- The EU GDPR (General Data Protection Regulation) is a law that deals with data privacy in the European Union. As a regulation, rather than a directive, the GDPR is enforceable and carries with it large fines for non-compliance. Overall, the GDPR was created to further safeguard data privacy for citizens of the EU, while at the same time standardizing data privacy laws in Europe and changing how organizations manage data privacy.
- Who does the GDPR apply to?
- The GDPR has significant extra-territorial reach, potentially extending to organizations worldwide. The GDPR applies to:
- organizations in the EU which process data as part of their EU establishment (i.e., their legal and physical presence in the EU); and
- organizations that are outside of the EU (i.e., based in any location in the world) which process personal data as part of:
- offering goods or services to data subjects that are in the EU; or
- monitoring the behavior of data subjects in the EU.
- Why is it important?
- The GDPR significantly increases the existing level of fines for data privacy non-compliance. For the most serious breaches, fines may be as high as 4% of the total worldwide annual turnover or €20,000,000 (whichever is higher). Consequently, data privacy compliance is now as important as antitrust or anti-bribery and corruption compliance on the corporate compliance agenda.
Apart from headline fines, the GDPR's expansive territorial scope is likely to result in the GDPR defining future global data privacy practices. Many of the GDPR's provisions can be expected to become a "gold standard" and shape legislative and regulatory thinking across the world. In times of growing customer sensitivities over data privacy, being at the forefront of data privacy protection is an integral part of any businesses' customer service. GDPR compliance is an essential first step.
- What is new about the GDPR?
- New obligations
These include: stricter requirements for gaining valid consent for collecting data; data breach notifications; the requirement to appoint a local representative in the EU to be the point of contact for EU individuals and EU regulators, and to appoint a Data Protection Officer. The new requirement for businesses to notify EU regulators (and, in certain circumstances, data subjects themselves) of data breaches within 72 hours of becoming aware of a personal data breach is an onerous new obligation and one which will be subject to substantive negotiation in data processing agreements.
- New processes
These include the increasing importance of data protection impact assessments; internal record-keeping and accountability; the implementation of robust information security measures, particularly anonymization and pseudonymization of data; and the incorporation of "privacy by design and default" principles into the heart of an organization's operations. A substantial part of the negotiation of a data processing agreement is likely to concern data security standards and whether these standards are "adequate" as judged against the risk of the processing.
- New or enhanced rights for data subjects
These include the right to erasure (commonly known as the right to be forgotten), right to data portability, right to object to profiling, and the right to restrict processing. These new rights will require organizations to have the necessary technical and administrative systems and protocols in place to give effect to the rights within the timeframes and in the manner required by the GDPR. Data controllers (i.e., organizations that determine the purpose and means of processing) are therefore likely to require a much greater level of assistance and cooperation in data processing agreements so that they can comply fully with data subject right requests and other administrative requirements.
- New obligations
- What rights does the GDPR include for individuals?
- The GDPR covers several individual rights regarding the data that organizations collect, including “the right to be informed,” “the right of access,” and “the right to erasure.” View more information about these rights on ico.org.uk.
- When does the GDPR officially go into effect?
- The GDPR goes into effect May 25, 2018.
- What are the fines for not following requirements of the GDPR?
- The maximum fine for GDPR non-compliance is 20 million euros or 4 percent of annual global revenue. Both data controllers and data processors could face these fines.
- What does the GDPR mean for you as a FormAssembly customer?
- Compliance with the GDPR is a shared responsibility between the Data Controller and the Data Processor. If the GDPR applies to you, FormAssembly is processing data on your behalf and per your instructions, which makes us the Data Processor, and you, the Data Controller.
As your Data Processor, we will enter into an additional agreement (the Data Processing Addendum) which contractually binds us to meet our Data Processing obligations to protect the rights of the data subjects.
We will also, to the extent possible, assist you in meeting your obligations under the GDPR, such as retrieving, editing or deleting personal data, or obtaining and preserving proof of consent when applicable.
- What is FormAssembly doing to ensure we are GDPR-compliant by the deadline?
- FormAssembly’s robust Information Security procedures and policies are designed to meet the requirements of the GDPR and other strict requirements such as PCI Level 1 and the US HIPAA regulation. Additionally, we’re providing an updated agreement that includes the legal provisions required by the GDPR.
By choosing FormAssembly as your Data Processor, you will meet your obligations under Article 28 of the GDPR to work with a Data Processor that implements appropriate technical and organizational measures and ensures the protection of the rights of the data subject.
- Do you offer a Data Processing Agreement that addresses GDPR?
- Yes. In addition to our standard Terms of Service and Master Service Agreement, a Data Processing Agreement is required for all customers in the European Union, or customers who qualify as a Data Controller under the GDPR. Customers affected by the GDPR must review and sign our Data Processing Addendum by May 25th 2018.
You can review and sign the agreement here.
The Data Processing Addendum includes provisions between the Data Processor (FormAssembly) and the Data Controller (you, our customer) that are mandatory under the GDPR.
Please note that FormAssembly cannot make a determination as to which customers are affected by this regulation. Customers are invited to make their own determination and request our Data Processing Addendum as needed.
- Is FormAssembly compliant with the EU-U.S. Privacy Shield Framework?
- Can data be stored in EU data centers?
- Yes, our Enterprise Cloud and Compliance Cloud customers have the option to have data stored in EU-based ISO 27001 certified data centers, to facilitate compliance with data residency requirements. Note that data does not have to be stored in the EU for compliance with the GDPR.
- What is informed consent and can I gather it with a FormAssembly web form?
- Under the GDPR, the requirement for consent is a “freely given, specific, informed and unambiguous indication of the data subject’s agreement to the processing of personal data” and must specifically cover all of the processing activities. Any request for consent must be in clear and plain language and easily distinguishable from other matters. The GDPR requires a “clear affirmative act” – which can be through an electronic signature, ticking a tick box, etc., although silence, pre-ticked boxes, or inactivity on the part of the user will not constitute consent.
We will provide further guidance on how to obtain consent through a web form, but ultimately, under the GDPR, FormAssembly is considered a Data Processor, and obtaining consent is the responsibility of the Data Controller (our customer).
Note that Informed Consent is one valid basis for lawful collection and processing of personal data, but there are others which are equally valid, including performance of a contract or the Data Controller’s ‘legitimate interests’ (See Article 6 of the EU GDPR).
FormAssembly’s Director of Marketing, Ashley McAlpin, and Manager of Customer Success, Katrina Garza, hosted the first GDPR webinar in a threefold series about the regulation. The first webinar, held May 9, 2018, focused exclusively on whether the GDPR applies to...
This information is provided as-is, based on our best understanding of the information publicly available and our consultations with our legal counsel. This is not legal advice, and we cannot answer questions about your...
The GDPR enforcement date is right around the corner. Are you prepared? If you still have questions or confusion over the details of the GDPR, we're here to help with informative GDPR webinars. Starting May 9, we will be running a three-part series of webinars where...
With GDPR on the horizon, we’re working on several product updates to benefit our customers that fall under the regulation. Though these are not necessary for GDPR compliance, we are actively working on these improvements to further simplify and streamline your...
This information is provided as-is, based on our best understanding of the information publicly available and our consultations with our legal counsel. This is not legal advice, and we cannot answer questions about your particular situation. You should consult with...