But first, a disclaimer: We’re providing the content below for informational purposes only. The information shared here is not meant to serve as legal advice. To determine exactly how GDPR may or may not apply to you and what actions you need to take to comply, you should work closely with your legal team and other professional counsel.
What is GDPR?
The EU General Data Protection Regulation (GDPR) will take effect on May 25, 2018. The new legislation expands the rights of EU citizens to control how their personal information is collected and used, and places new obligations on organizations, making them more accountable for data protection. The GDPR guidelines define how personal data should be obtained, stored, analyzed and processed in order to protect the privacy of the individuals it belongs to.
Who should comply with GDPR?
The new legislation applies to any company that processes or controls personal data of EU citizens, regardless of where the company itself is located. This includes:
- All EU-based organizations – commercial, public or non-profit – that collect, store or process the personal data of EU citizens
- Organizations outside the EU that offer goods or services, monitor behavior or process personal data of EU citizens
- Service providers that process data of EU citizens on behalf of an organization, such as cloud services, call centers and payroll services
This means that even if your company’s main office is in New York, your servers are in Japan and you develop a SaaS solution for a company in Brazil, as long as you hold or process a piece of personal data of an EU citizen (which can be as simple as email, mobile phone number or a name – see GDPR Art. 4), GDPR applies to you.
When does GDPR take effect?
Enforcement of GDPR will start on May 25, 2018, and fines for non-compliance can go up to 20M Euros or 4% of the company’s annual revenue. In addition, companies should take into account the potential damage to their brand reputation.
What does it mean to be GDPR compliant?
This is where it gets a little tricky. The law sets out guidelines, not rules, and there is no one-size-fits-all answer. Except for a few mandatory requirements, there isn’t a simple checklist of tasks that can be completed to ensure compliance.
For example, a business should be able to demonstrate that after analyzing the risks to privacy unique to its own operation, it has implemented appropriate means to comply with the spirit of GDPR (Art. 24).
Sounds simple, right? But this can mean very different things for different businesses. For example, if you run a simple one-page website for your roofing business, the privacy risk from a potential leak is pretty low. Just make sure your clients understand why you collect their details, and you’re good to go.
However, if you are a big SaaS company, data goes in and out of your servers every second, through multiple channels, and it’s accessible not only to the users but also to your own employees. Each one of these channels and access points needs to be assessed: does the user who sees the data really need to see it? Is this channel secure? What is the potential damage if there is a leak?
How have we at Camilyo prepared for GDPR?
As you know, Camilyo provides a white-labeled marketing, sales and business productivity platform, which is sold by digital service providers to their SMB customers. So, when preparing for GDPR, we had to look at all layers of our operations and consider all potential touchpoints.
We started out with research, which included reading the regulation itself (make a big cup of coffee beforehand – it’s long…), attending webinars and consulting with leading industry partners (warm shout out to Kimberli Lewis from SIINDA for her valuable input). Our legal team also helped us understand what’s required and how best to approach the project.
Then, we formed a cross-functional team with representatives from all departments – Product, R&D, DevOps, Customer Success, Legal, Marketing and Operations. Together we looked at all layers of our operations and mapped all access points, personal data requests and potential risks to privacy. This required us to lay out each and every way in which data goes in and out of our system, from contact forms and requests all the way to APIs and raw data. At each point we asked ourselves who has access to this data and whether they should see it. Remember that at Camilyo we have multiple types of site users, including SMBs, partner employees, Camilyo employees, DevOps teams, database architects and more. We also considered the security implications of our design: is the data secure? At which points is it vulnerable? And so on. Finally, we had to look at broader issues such as why data is collected and stored, how we inform users about collection, and whether they understand and give consent as required.
Based on this mapping, we proposed appropriate solutions – some are optional additions to the platform, while others are changes to data-related procedures.
Since Camilyo Online in One is a third-party white label platform, different partners might want to implement slightly different solutions. That’s why in our product adaptations we aimed to provide our partners with flexible tools to use as they see fit. For example, each of our partners can present their own terms and conditions in a way that corresponds with their understanding of what is required.