What is GDPR?
The General Data Protection Regulation (GDPR) is Europe’s big new data privacy law. It comes into effect on 25th May 2018 and is intended to strengthen and unify data protection for all individuals within the European Union (EU).
GDPR has been introduced to give control back to citizens and residents over their personal data and to simplify the regulatory environment for international businesses. When GDPR takes effect, it will replace the 1995 Data Protection Directive (Directive 95/46/EC). Even though EMWD is not a European company, GDPR is directly binding and applicable to businesses all over the world.
What Data is Protected?
The data that is protected under GDPR (as with the DPA) is data concerning individuals (not companies). However the definition is wider under GDPR and “Personal Data” extends to any information pertaining to an individual, whether it relates to their private, professional or public life. It can be anything from a name, to a home address, photo, email address, bank account details, posts on social networking websites, medical information, a computer’s IP address and more. In other words, if in the course of running your business you collect and use any data about anyone that identifies them this will be Personal Data and you are required to follow the law in the way it is handled, accessed, stored or transferred. The individual is called the Data Subject.
Under GDPR, we are the data controller, which is a company that controls and uses the personal data of our European clients.
How We Comply
Our billing portal (WHMCS) provides a self-service client portal that gives our European clients access to login and view their personal (profile) data. This same portal grants them access to update their personal information. Under GDPR, this access has to be given at no additional charge which we have always done.
The Right To Erasure
If we receive a request for erasure, we can perform a complete deletion of the European customer record from our billing portal. Erasure removes all data relating to a given European customer including, but not limited to, personal information in the user’s profile, service and invoice history, activity log entries, support ticket and email history.
The Right to Data Portability
Data portability means the right to receive personal data in a machine-readable format and to request for such data to be transferred directly from one controller to another. This right only applies where the processing is based on consent or for the performance of contract; and; when processing is carried out by automated means. There are no fees for this service.
In an upcoming update to our billing portal (WHMCS), we will be able to meet the data portability requirement by having the ability to generate an export of the European client’s information in JSON format.
Lawful Basis for Process
When a European client signs up for our services, they will be required to accept our Terms of Service and Private Policy. This means the European client is entering into a contract with EMWD, Inc. and we have a lawful basis for collecting personal data in order to fulfill a contractual obligation. We do not require consent for this.
A future version of our billing portal (WHMCS) will keep a record of such consent to our email marketing.