The content below is general information on EU data privacy and the GDPR, and is not an exhaustive or complete summary, nor is it legal advice for your company.
We compiled this content to serve as helpful background information on an important topic. We recommend that you consult with an attorney if you are looking for legal advice, or if you’d like help applying this information to your company’s specific situation.
The Predictive Index has published a data processing addendum to assist customers in their compliance with the GDPR.
Many are calling it the largest change in data privacy law in 20 years. The EU is calling it the General Data Protection Regulation. What we know for sure is that it is a new EU Regulation that significantly strengthens the protection of personal data of EU citizens and personal data collected within the EU. It expands many of the requirements of the previous EU data protection framework (the 1995 EU Data Protection Directive). The GDPR takes effect on May 25, 2018.
The GDPR significantly widens the scope of EU data protection law. Any organization that processes personal data of EU individuals is within the scope of the law, regardless of whether the organization has a physical presence in the EU. Importantly, under the GDPR, the concept of “personal data” is very broad and covers any information relating to an identified or identifiable individual (also called a “data subject”), such as names, email addresses and other personally identifying information. This definition also extends to technical information, such as IP addresses or device identifiers. “Processing” under the GDPR means collection, storage, transfer, or use.
Believe it or not, yes, there is! The GDPR makes compliance with EU data protection law more predictable because it provides for harmonization of data protection requirements across the EU – as opposed to the current regulations, which have resulted in a patchwork of laws across the EU member states. The GDPR also makes compliance easier because the law was updated with the current state of technology in mind. The previous regulation is over 20 years old. Things have changed quite a bit since then, leaving various gaps when the old law is applied to current technology, complex international data flows, and business processes. The GDPR aims to close many of those gaps.
Absolutely not. The GDPR does not require that EU personal data be stored in the EU, and does not introduce any new restrictions on transferring EU personal data outside of the EU. PI clients can continue to rely on PI’s EU-US and Switzerland-US Privacy Shield Certifications, and where applicable, EU Standard Contractual Clauses to legally transfer EU personal data to PI in the US.
Rest assured that our product, tech, and legal teams are working in harmony to ensure that our products are compliant by the May 25, 2018 deadline. Some notable changes include complete control over your data and complete visibility and processes around who has access to your data. Stay tuned for more information on our cool and compliant new features.
PI is training its employees on the details of the regulations, and ensuring that our processes comply with the GDPR. We are also putting new policies and procedures in place with our PI Certified Partner Network to assist them with their own GDPR compliance.
The European Commission has provided a list of new obligations that companies will face under the GDPR. While not exhaustive, and geared primarily towards smaller companies, this list provides an effective starting point to thinking about your GDPR obligations:
Protect the rights of people giving you their data
Do data protection by design
Build data protection safeguards into your products and services from the earliest stages of development.
Check if you need a data protection officer
This is not always obligatory. It depends on the type and amount of data you collect, whether processing is your main business and if you do it on a large scale.
Review GDPR-specific record-keeping requirements.
Anticipate with impact assessments
Impact assessments may be required for HIGH-RISK processing.
A Few Areas PI Clients May Wish to Consider:
Please contact PI or your PI Certified Partner if you have further questions, comments or suggestions. If you wish to contact PI’s Privacy Team directly, they can be reached at firstname.lastname@example.org