Hello GDPR: Stay Compliant with Singular
By now you’ve probably seen and heard quite a bit about the European Union General Data Protection Regulation — GDPR. This new privacy-driven regulation requires that all companies collecting, accessing, and processing personal data for EU residents must comply with new standards that will be enforced starting May 25, 2018.
What is considered personal data?
Under GDPR, personal data may include:
- Traditional PII or “Personally Identifiable Information” (e.g. name or email address)
- Identifiers that may identify an individual only when combined with other data. This includes parameters such as IP address or Apple Advertising ID.
The Goal of GDPR
With this new European Union privacy protection law in place, users will have better control of how their personal data is shared and processed. Additionally, the GDPR will simplify the regulatory environment for businesses by creating clear requirements for companies to comply with regarding personal data protection.
GDPR defines and affects two main entities:
- Data Controllers (companies that determine the purpose and means for processing personal data). Our customers are considered data controllers.
- Data Processors (companies that process data on the Data Controller’s behalf). Singular is considered a data processor.
The main principle of GDPR is data protection by design, which speaks to both privacy and security. Under this principle it is the duty of all data controllers and processors to implement appropriate technical and organizational measures around privacy and security in order to ensure protection of the rights and freedom of the data subjects.
As described under GDPR regulation, the following are a few of the rights and duties all data controllers and processors are advised to adhere to:
- Consent and lawfulness of processing: GDPR defines a clear set of conditions under which processing personal data of data subjects is considered lawful. One of these conditions is the often-mentioned consent, under which users have to acknowledge and accept a legal agreement written in clear and plain language, separated from any other terms and conditions. Data subjects should be given the option to withdraw their consent at any time.
- Right to data erasure: Users have the right to data erasure (also stated as “Right to be Forgotten”). Under this right, users may ask the Data Controller – who in turn is required to pass the request to any data processors – to delete all personal data on that user.
- Right to access: Users may access all of their collected personal data at any time. Additionally, users also have the right to know what data is being collected and why this data is being collected. Namely, the user has the right to request a copy of their personal data from the Data Controller.
- Right to data portability, and cross-border data transfers: Users have the right to know where their data is being collected, and where it is being sent. GDPR also defines a set of restrictions for transfers of personal data outside of the EU to third countries. The purpose is to further place requirements on how data is handled if and when leaving the EU member boundaries.
- Data breach notification: GDPR explicitly defines that companies must report a security breach within a 72-hour window. All data breaches must be reported to the supervisory authority, as well as any users whose personal data may have been exposed.
With this new data protection law in place, companies will have to make changes in order to ensure they are properly addressing the new regulations. Some companies will even need to appoint a Data Protection Officer (DPO) within their organization to take responsibility for ensuring company-wide compliance. Find out here if your company is required to appoint a DPO.
Companies will also need to become familiar with the authorities that enforce this new privacy law. Each participating EU member will be designating a national security authority to supervise and investigate GDPR-related complaints within their nation. For companies that have multiple establishments throughout the EU, the security authority in the nation of their main establishment will act as a one-stop-shop supervisor for all of their compliance reviews.
It is important that global companies become familiar with the requirements of this new privacy law and with the correct regulatory authority in the EU. Failure to comply with GDPR regulation can result in hefty fines of up to 20,000,000 EUR – a steep price to pay for non-compliance.
Singular’s Dedication to Data Privacy and Security
At Singular we welcome the EU’s initiative for increased transparency, ownership, and trust around personal data processing activity. We remain committed to these principles when working with our customers as their data processor.
As such, we have made extensive investments to ensure that both Singular and our customers meet GDPR compliance standards:
- Centralized user processing: We have redesigned the components of our user processing infrastructure for easy access and regulated portability. Users may obtain all personal data collected and processed about them at any time. Additionally, users have the ability to purge this data under the “right to be forgotten.”
- Customer facing endpoints: Singular is implementing customer-facing endpoints to support data erasure and consent removals (opt-outs).
- Security and privacy driven design: Singular was built around privacy and security, and many of our team members are renowned security experts. We remain committed to these core principles and continue to heavily invest in securing our systems while considering privacy as a central element in the design of new products.
As the GDPR deadline approaches, we are committed to ensuring the privacy and security of all personal data processed through Singular. We are currently working with an independent, third-party firm to cover our bases, and we look forward to helping our customers meet these new compliance standards.
Understandably, we’ve been getting many questions related to the GDPR over the past few months. To help shed light on the questions you may have, we’ve compiled the top FAQs for the GDPR.
For questions, please reach out to firstname.lastname@example.org or directly to your Customer Success Manager.