
GDPR

The content below is general information on EU data privacy and the GDPR, and is not an exhaustive or complete summary, nor is it legal advice for your company. 
We compiled this content to serve as helpful background information on an important topic.  We recommend that you consult with an attorney if you are looking for legal advice, or if you’d like help applying this information to your company’s specific situation.

Privacy FAQs

Many are calling it the largest change in data privacy law in 20 years.  The EU is calling it the General Data Protection Regulation.  What we know for sure is that it is a new EU Regulation that significantly strengthens the protection of personal data of EU citizens and personal data collected within the EU.  It expands many of the requirements of the previous EU data protection framework (the 1995 EU Data Protection Directive).  The GDPR takes effect on May 25, 2018.

The GDPR significantly widens the scope of EU data protection law.  Any organization that processes personal data of EU individuals is within the scope of the law, regardless of whether the organization has a physical presence in the EU.  Importantly, under the GDPR, the concept of “personal data” is very broad and covers any information relating to an identified or identifiable individual (also called a “data subject”), such as names, email addresses and other personally identifying information.  This definition also extends to technical information, such as an IP address or device identifier.  “Processing” under the GDPR means collection, storage, transfer, or use.

Believe it or not, yes, there is!  The GDPR makes compliance with EU data protection law more predictable because it provides for harmonization of data protection requirements across the EU – as opposed to the current regulations, which have resulted in a sort of patchwork of laws across all EU member states.  The GDPR also makes compliance easier because the law was updated with the current state of technology in mind.  The previous regulation is over 20 years old.  Things have changed quite a bit since then, leaving various gaps when overlaying the law over current technology and complex international data flows and business processes.  The GDPR aims to close many of those gaps.

Absolutely not.  The GDPR does not require that EU personal data be stored in the EU, and does not introduce any new restrictions on transferring EU personal data outside of the EU.  PI clients can continue to rely on PI’s EU-US and Switzerland-US Privacy Shield Certifications, and where applicable, EU Standard Contractual Clauses to legally transfer EU personal data to PI in the US. 

Product

Rest assured that our product, tech, and legal teams are working in harmony to ensure that our products are compliant by the May 25, 2018 deadline.  Some notable changes include complete control over your data and complete visibility and processes around who has access to your data.  Stay tuned for more information on our cool and compliant new features. 

Legal

Our legal team is busy making privacy-focused changes to our Terms of Service and Privacy Policy to ensure that required GDPR and other privacy-related terms are included.  Expect to see notice of updates to our Terms of Service and Privacy Policy prior to May 25.  We are also introducing a Data Processing Agreement for our clients that are subject to the GDPR.  Keep your eye out for communication from PI and/or your PI Certified Partner…and if you need one before that, let us or your PI Certified Partner know and we’ll get one out to you.

Process

PI is training its employees on the details of the regulations, and ensuring that our processes comply with the GDPR.  We are also putting new policies and procedures in place with our PI Certified Partner Network to assist them with their own GDPR compliance. 

What Clients Should Do:

The European Commission has provided a list of new obligations that companies will face under the GDPR.  While not exhaustive, and geared primarily towards smaller companies, this list provides an effective starting point to thinking about your GDPR obligations:

Protect the rights of people giving you their data

  • Communication: Tell data subjects in plain language who you are when you request the data, why you are processing their data, how long it will be stored, and who receives it. 
  • Consent: Get their clear consent to process the data.
  • Access and Portability: Let people access their data and give it to another company.
  • Warnings: Inform people of data breaches if there is a serious risk to them.
  • Erase Data: Give people the ‘right to be forgotten.’  Erase their personal data if they ask, but only if it doesn’t compromise freedom of expression or the ability to research.
  • Profiling: If you use profiling to process applications for legally-binding agreements like loans, there are specific responsibilities in the GDPR that you should become familiar with.
  • Marketing: Give people the right to opt out of direct marketing that uses their data.
  • Safeguarding sensitive data: Use extra safeguards for information on health, race, sexual orientation, religion and political beliefs.
  • Data Transfers outside of the EU: Make legal arrangements when you transfer data to countries that have not been approved by the EU authorities.

Do data protection by design
Build data protection safeguards into your products and services from the earliest stages of development.

Check if you need a data protection officer
This is not always obligatory. It depends on the type and amount of data you collect, whether processing is your main business and if you do it on a large scale.

Keep records
Review GDPR-specific record keeping requirements.

Anticipate with impact assessments
Impact assessments may be required for HIGH-RISK processing.

A Few Areas PI Clients May Wish to Consider:

  • Information and Consent: Are you providing adequate information about use of personal data and obtaining proper consent from your assessment-takers (“data subjects”)? 
  • Data Retention: Have you considered how long you may keep data?
  • Data Subject Requests: Do you have a process in place to address requests from data subjects? 

Further Information
Please contact PI or your PI Certified Partner if you have further questions, comments or suggestions.  If you wish to contact PI’s Privacy Team directly, they can be reached at privacy@predictiveindex.com.

Helpful Links:

GDPR FAQs

GDPR Information

Privacy Documents