Everyone is talking about GDPR, but what is it? Who does it apply to? How will it impact on marketplaces and platforms? We wanted to shed some light on these questions.
What is GDPR?
The General Data Protection Regulation (“GDPR”) is a European regulation that will take effect on May 25, 2018, and replaces the Data Protection Directive of 1995 and the national data protection laws of the European Union (“EU”).
GDPR is designed to set a uniform standard across the EU with regard to the way organizations collect, use and share personal data of data subjects in the EU.
What information does GDPR protect?
GDPR applies a broader than usual definition of personal data, including “any information relating to an identified or identifiable natural person (‘data subject’); an identifiable natural person is one who can be identified, directly or indirectly, in particular by reference to an identifier such as a name, an identification number, location data, an online identifier or to one or more factors specific to the physical, physiological, genetic, mental, economic, cultural or social identity of that natural person”.
Therefore, the definition may capture, in certain circumstances, IP addresses, mobile device IDs, email addresses, cookies and other online identifiers.
Who is subject to GDPR requirements?
The application of GDPR is cross-border: it covers the processing of personal data by organizations established in the EU in the course of their activities, whether the data subjects are in the EU or not. It also applies to non-EU organizations with no formal or physical presence in the EU, so long as they offer goods or services to data subjects in the EU or monitor the behavior of data subjects while they are within the EU (e.g. profiling of internet use).
The act of ‘processing’ covers a variety of actions of an organization such as collection, recording, structuring, storing, adaptation or alteration, retrieval, consultation, disclosure by transmission, dissemination or otherwise making available, alignment or combination, erasure or destruction, etc.
Such non-EU organizations are generally required to designate a representative established in an EU member state where the data subjects whose personal data is processed or whose behavior is monitored are located. The term “established” can be interpreted in different ways, so whether an organization is considered established in the EU should be examined on a case-by-case basis.
GDPR includes certain key elements and obligations that impacted organizations should be aware of and implement, such as:
- Defining the specific legal ground to permit data processing
- Identifying and documenting the process by which personal data is collected and processed
- Appointing a Data Protection Officer
- Defining the organization’s responsibilities as data controller and/or data processor
- Formulating data breach responses and notification requirements
- Outlining the rights of the data subjects to access their information and be forgotten
- Addressing transmission of personal data outside of the EU
Organizations that fail to comply with the requirements of GDPR may face severe administrative and economic sanctions, including fines of up to EUR 20,000,000 or 4% of the organization’s total worldwide annual turnover of the preceding financial year.
How does GDPR impact you?
As a commercial business such as a marketplace or digital platform selling or otherwise offering goods or services internationally and processing personal data, you should understand how and whether GDPR applies to your organization. The personal data collected, stored or processed by your organization might be that of your sellers, customers, vendors and even random visitors to your website.
GDPR can apply to your organization regardless of its size or revenues and even regardless of whether or not you have a formal presence in the EU. If you collect, hold, process or have access to information that can be used to identify a data subject in the EU, you are probably subject to GDPR.
Firstly, you should understand the criteria for offering “goods and services” to EU data subjects. Is your website accessible in the EU? Do you use EU languages and currency? Are your campaigns directed to the EU?
Let’s take, for example, a Singapore-based organization that sells hand-made ties. The company has neither offices nor an affiliate company established in the EU, but offers its goods online. The company runs campaigns targeted at customers in the EU and even offers translated pages of its website. This organization collects personal data upon registration and creation of an account, including the registrant’s name and email address. Does GDPR apply to this organization? The answer is yes.
The new regime of GDPR confers more responsibilities on the organization; it’s now the organization’s responsibility to confirm that the data it processes is duly protected. Sometimes GDPR only provides a framework or guideline, and the organization must determine if it’s the controller or a processor of personal data and make sure that it properly stores and protects personal data.
The key questions you should be asking
Individuals are becoming more and more aware of their rights and of data collectors’ responsibilities as we count down towards May 2018.
What are we doing at Vidooly to be ready for GDPR?
At Vidooly we take pride in providing a high level of security and transparency with respect to how we collect, use and share the personal data of our customers, partners and vendors. We are diligently preparing for GDPR, updating our policies and refreshing our procedures pertaining to data subjects’ access and other rights and are taking these and other measures to be fully compliant with GDPR.
We’ve added new features to our product to help ensure that your use of Vidooly is compliant with GDPR:
Easy end user opt-out: We’ve updated our services so your site and app visitors can quickly opt out of being tracked. You can also set default tracking preferences.
Quicker responses to deletion requests: Customers can now resolve deletion requests for end user data using a new feature launched under the dashboard. To get started, check out our GDPR compliance resources.
Increased security: We’ve introduced a default data retention period of 5 years, so that your data isn’t held longer than is necessary. We’ve also enhanced our data logging systems to be sure we can track who is accessing customer data, when they are accessing it, and what’s done with it — both internally and externally.
Enterprise Grade Security
The GDPR requires controllers and processors of personal data to “implement appropriate technical and organisational” measures to ensure a level of security appropriate to the risk. Vidooly uses Amazon Web Services (“AWS”) as its third-party cloud storage subcontractor and does not host customer data on its premises. AWS is a leading cloud provider, holds industry-leading security certifications such as SOC 2 and ISO 27001, and provides encryption in transit and at rest without any action required from our customers.
Internal Controls – For Vidooly employees, access rights and levels are based on job function and role, using the concepts of least-privilege and need-to-know to match access privileges to defined responsibilities. Additionally, all Vidooly employees must abide by multiple policies about handling customer data securely and protecting customer data.
Audits for Vulnerabilities – At least annually, we invite an independent, third-party auditor to run penetration testing. Additionally, we run scans for software vulnerabilities and operate a Security Information and Event Management platform, which provides 24x7x365 monitoring and alerting for security incidents in our networks and systems.
Product Security – Vidooly customers can access product features and configurations to further protect personal data against unauthorized or unlawful processing, including Single Sign On (“SSO”) and 2-Step Verification.
Vendor Obligations and Subcontractors
As a data processor under the GDPR, we are responsible for the subcontractors we retain to help us provide our services. To support delivery of our services to customers, we engage certain vendors who help us process our customers’ data. Some of these vendors provide our data storage and infrastructure and are an integral part of the services we provide, while others provide important account management assistance. We know we have an important responsibility when it comes to scrutinizing these subcontractors, which is why our Vendor Risk Assessment program requires each subcontractor to undergo a rigorous review by our legal and security teams to ensure it has the technical and organizational expertise and measures in place to deliver an appropriate level of security and privacy. In addition, we have entered into a data processing addendum with each subprocessor so that the privacy and security obligations we owe our customers flow through contractually to our subcontractors. As part of our subcontractor review we have also developed a comprehensive internal map of all customer data flows to ensure GDPR compliance, which includes our requirement to assist with data subject access requests.
Data Processing Addendum
Assistance with Data Subject Requests – to the extent our customers cannot delete or retrieve data processed by Vidooly on their own, we will assist customers with the data subject requests they receive.
Notification of Data Incidents – Vidooly will notify customers without undue delay of any accidental, unauthorised or unlawful destruction, loss, alteration, or disclosure of, or access to, personal data. We will assist our customers with their obligations under Articles 32-36 of the GDPR.
Confidentiality Commitments of Personnel – All Vidooly employees are required to sign a confidentiality agreement prior to employment, complete mandatory privacy training, and adhere to other internal policies.
The GDPR allows for several ways to facilitate transfers of personal data outside of the EU. One valid mechanism for transfer of personal data outside of the EU is transfer of data under the EU-U.S. and Swiss-U.S. Privacy Shield Frameworks.
As obligations to protect data transfers from the EU continue to develop, we’re committed to maintaining a valid mechanism to facilitate transfers of personal data outside of the EU.
Please note that this isn’t intended to be a comprehensive and exhaustive review, but rather an outline of certain issues which we consider to be key to understanding GDPR. We recommend that you undertake your own analysis as to how GDPR applies to your organization specifically.
The content marketing team at Vidooly publishes articles and blogs on current and relevant online video industry related news.