What is the GDPR

The GDPR (General Data Protection Regulation) is a piece of European data protection legislation that is designed to unify data protection laws for all individuals within the European Union. It will become fully effective on May 25, 2018.

It is considered to be the most important piece of legislation to be introduced in the EU in the past 20 years, replacing the 1995 Data Protection Directive.

The Specifics

Looking at the big picture, the GDPR regulates the processing of personal data in the EU, including its collection, use, transfer, and storage.

The most important term here is the phrase “personal data.” The GDPR’s main focus is to increase the rights and control that individuals - or “data subjects” - have over their data and how it’s used. It also encourages companies to remain compliant by increasing enforcement and imposing strict fines should GDPR terms be breached.

Here is a more complete list of the changes that will come into effect with the upcoming GDPR:

  • Increased rights for citizens: The legislation provides more rights for citizens, granting them - among other things - the right to be forgotten, the right to file complaints against data controllers, and the right to request a copy of any personal data stored about them.

  • Notification of data breaches: Under GDPR, any “destruction, loss, alteration, unauthorised disclosure, or access to,” individuals’ data must be reported to a country’s data protection regulator if the breach could have a negative impact on the individuals affected. This increases security and protects users against major hacks or breaches.

  • New requirements for data monitoring: The GDPR places additional obligations on organizations engaged in profiling or monitoring the behavior of EU individuals, requiring organizations with “regular or systematic data monitoring” to employ a data protection officer (DPO). In other words, you can’t monitor or collect data without a good reason and a solid process.

  • Increased fines for non-compliance: The GDPR will have some of the highest sanctions for non-compliance, including fines of €20 million or up to 4% of a company’s annual global revenue - whichever is greater.

  • Compliance obligations and increased monitoring of organizations: The GDPR requires that organizations implement appropriate policies, keep detailed records on data activities, and enter into written agreements with vendors. Supervisory authorities, in turn, will be able to carry out on-site data protection audits and will have the power to issue public warnings, reprimands and orders to carry out specific remediation activities.

What Does It Mean For Your Business?

If you are a company outside the European Union, this still affects your business. Why? If you offer goods or services to individuals within the EU or monitor their behaviour, then the GDPR may apply to you.

How to Prepare for the GDPR

Getting prepared for the GDPR is certainly complex for all businesses. The first step is to assess the current state of your business, analyzing the personal data that exists across your company and determining your current level of compliance and risk. Specifically, look at your data collection and storage practices and evaluate things like:

  • How you have collected the data
  • If you’re holding it longer than necessary and/or keeping it up-to-date
  • If you’re keeping the data secure
  • If you are collecting “sensitive data” - and, if so, if you are meeting the standards to collect, process, and store it.

Next, make sure that you have people on your team that understand the terms of the GDPR and that your staff understands how to handle data in a compliant manner.

Finally, you must implement policies and measure your results to ensure compliance and long-term success.

GDPR and Xplenty

As an Xplenty customer, how should I think about Xplenty with respect to the GDPR?

Xplenty is a data integration platform, or data processor. This means that we provide a platform to help you migrate, transform, and organize your data from various sources - including personal data about your customers - without accessing any of that information ourselves. We’re just the pipeline; we don’t save any data and we don’t use it for any purpose other than to provide you with our service.

We will help by allowing you to both track your compliance and easily access, change, remove and delete the data through your Xplenty account at your user’s request.

How will Xplenty empower me to maintain compliance and to honor my user’s requests about their own personal data?

As a platform, Xplenty is working hard to update our practices and ensure that we can support our clients’ needs to comply with the GDPR.

Xplenty will help by allowing you to streamline this process and control that data from one place. That way, you can easily and efficiently access, change, remove, or delete any data at your user’s request.

Here is how Xplenty will help you honor specific GDPR rights (mentioned above):

  • Security and Data Breaches: Xplenty not only follows standard industry practices around encryption, but also has systems in place for authentication, authorization, and auditing so that your information - and your customers’ information - is safe at all times.
  • Rights for Individuals: If your customers want you to access, modify, or delete information about them, you will be able to make those updates and export that information quickly and efficiently. This includes the customer’s right to be forgotten.
  • Lawful Basis for Processing: If you want to save your customers’ information, you need a “lawful reason” to do so - an opt-in, a signed contract, etc. While all this information will be housed in your CRM or customer support tool, you will be able to track it and demonstrate your lawful basis for processing personal data within the Xplenty platform.

Customer Facing DPA

Xplenty also offers an updated Data Processing Addendum (DPA) as part of the Xplenty Terms of Use and Security policies. To obtain a copy of the updated Xplenty DPA, please contact us at: dpa@xplenty.com. (Current customers are welcome to sign the DPA, if they have not done so already).