EMWD and GDPR Compliance

What is GDPR?

The General Data Protection Regulation (GDPR) is Europe’s big new data privacy law. It comes into effect on 25th May 2018 and is intended to strengthen and unify data protection for all individuals within the European Union (EU).

GDPR has been introduced to give control back to citizens and residents over their personal data and to simplify the regulatory environment for international businesses. When GDPR takes effect, it will replace the 1995 Data Protection Directive (Directive 95/46/EC). Even though EMWD is not a European company, GDPR is directly binding and applicable to businesses all over the world.

What Data is Protected?

The data that is protected under GDPR (as with the DPA) is data concerning individuals (not companies). However, the definition is wider under GDPR, and “Personal Data” extends to any information pertaining to an individual, whether it relates to their private, professional or public life. It can be anything from a name, to a home address, photo, email address, bank account details, posts on social networking websites, medical information, a computer’s IP address and more. In other words, if in the course of running your business you collect and use any data about anyone that identifies them, this will be Personal Data and you are required to follow the law in the way it is handled, accessed, stored or transferred. The individual is called the Data Subject.

Under GDPR, we are the data controller, which is a company that controls and uses the personal data of our European clients.

How We Comply

We use WHMCS as the application (billing portal) that collects and stores personal data. New customers will now be required to accept our Terms of Service and Privacy Policy at the time they sign up for our services.

Our billing portal (WHMCS) provides a self-service client portal that lets our European clients log in and view their personal (profile) data. This same portal grants them access to update their personal information. Under GDPR, this access has to be given at no additional charge, which we have always done.

The Right To Erasure

If we receive a request for erasure, we can perform a complete deletion of the European customer record from our billing portal. Erasure removes all data relating to a given European customer including, but not limited to, personal information in the user’s profile, service and invoice history, activity log entries, support ticket and email history.

The Right to Data Portability

Data portability means the right to receive personal data in a machine-readable format and to request that such data be transferred directly from one controller to another. This right only applies where the processing is based on consent or for the performance of a contract, and when processing is carried out by automated means. There are no fees for this service.

In an upcoming update to our billing portal (WHMCS), we will be able to meet the data portability requirement by having the ability to generate an export of the European client’s information in JSON format.

Lawful Basis for Processing

Contract

When a European client signs up for our services, they will be required to accept our Terms of Service and Privacy Policy. This means the European client is entering into a contract with EMWD, Inc. and we have a lawful basis for collecting personal data in order to fulfill a contractual obligation. We do not require consent for this.

Consent

The collection of data for marketing purposes does require the consent of the European client. We do use email marketing to market our services to our existing clients. We now require a positive opt-in from the European client to sign up for our email marketing campaigns. This option will be available at sign up and will be separate from the required option to accept our Terms of Service and Privacy Policy.

A future version of our billing portal (WHMCS) will keep a record of such consent to our email marketing.

As a result of GDPR, we will be amending our Terms of Service and Privacy Policy to reflect some of the above points. Please let us know if you have any questions regarding GDPR via our support ticket system. GDPR only impacts our customers who live in Europe.