Disclaimer: The contents of this guide and other related GDPR guides are for general information purposes only and do not constitute legal advice. We recommend talking with your lawyer, or seeking legal advice, about what your business needs to do to be compliant.
The EU General Data Protection Regulation (“GDPR”) came into effect on May 25, 2018 and will replace the existing EU data protection law.
GDPR gives individuals control over how their personal information is stored and used by companies.
The GDPR is an excellent starting point when it comes to reviewing privacy and security practices. It’s only the beginning of a wider conversation and commitment.
If you collect, store or otherwise manage the personal information of individuals who live in the European Union, even if you don’t have an entity or presence in the EU, then the GDPR will apply to you.
What Is Personal Information
Personal information is ” any data relating to an identified or identifiable natural person*“. It includes information or references to an individual’s name, contact details, location and IP address. This also includes less obvious things such as personal opinions, as well as preferences or factors specific to the physical, physiological, genetic, mental, economical, cultural or social identity of that person.
Sensitive personal data is a special category of personal data. This includes information such as racial or ethnic origin, political opinions, religious or philosophical beliefs, sexual orientation and health information.
* These requirements around processing personal information only apply to living persons.
Controller Vs Processor
It’s important to understand your role with the GDPR, as that determines what actions you need to take to be compliant. There are two key roles: Controllers and Processors.
- Controller: Is a business or entity that collects and stores personal information relating to an individual, for a specific purpose. It is the Controller’s responsibility to both obtain informed and explicit consent from the individual, and ensure that they (and any services, systems or processes that they use) comply with the regulations – this is you as the business owner and Intuto customer.
- Processor: Is a third-party service or system, that operates on behalf of the Controller, to store or process personal data as part of the service delivery process – this is Intuto, and any other services you share customer information with (e.g. MailChimp, Xero, Google Calendar etc.).
Your Business As A Controller
To comply with GDPR, you will need to fulfil your obligations as a Controller:
- You must have a legal basis, for collecting personal information as part of your service delivery.
- You must communicate to customers how their data is being processed, why it’s being processed, from which sources that information was/is taken and under which circumstances. This must be explained in an understandable and accessible way, using simple and clear language.
- You must ensure that any services that you use as part of your service delivery (Processors) are also compliant with the regulations.
- You must collect and record explicit and informed consent from your customers, to be allowed to send them marketing messages (SMS and email).
To support you in being compliant as a Controller, we are developing the following functions in Intuto:
Complying with personal information requests
Under GDPR, there are specific rights that customers have regarding their personal data.
These are based around some key Data Protection Principles. Find out more about the Data Protection Principles.
Some key concepts from those principles are:
- The right to be informed.
- The right of access and the right to data portability.
- The right of erasure/the right to be forgotten.
- The right to restrict processing, the right to object
What Other Responsibilities Do You Have?
While Intuto is ensuring our systems and processes are compliant with GDPR, you have a responsibility as a Controller to make sure your business practices are also compliant. This includes the way you and your staff use Intuto.
For instance, if a staff member downloads or exports your customer list and contacts those clients directly, this would be viewed as a data privacy breach. The same would apply if you decided to share your customer list or client’s personal information with another provider, without communicating this to the individuals involved or seeking consent.
We recommend or talking with your lawyer, or seeking legal advice about what your business needs to do to be compliant. Here are some things to think about:
- Review all of your systems and processes around personal information. Are they all necessary? Is there anything you need to stop doing, or change, to be compliant? You will need to communicate this to customers, so documenting this as you go will make that process easier.
- Make sure that all of the services you use in your business (Processors) are also GDPR compliant. Understand how they process your information, where this is stored and how you can exercise your rights e.g. where/how do you access/update information to comply with personal information requests.
- Educate your staff about GDPR, what rights individuals have and the legal basis for collecting and using personal information. Reiterate the importance of using personal information sparingly and only when necessary.
- Review your current staff access settings – what information do your staff really need access to?
Intuto As A Processor
While protecting our customer’s information has always been a high priority for us at Intuto, we’ve used this opportunity to review all of our systems and processes around collecting, storing and processing personal information.
In light of this, we have made the following changes:
- Nominated a Data Protection Officer.
- Provided an Intuto Data Processing Agreement agreement, which our EU customers can choose to sign. If you’re interested in signing this, please reach out to us at email@example.com.
- Ensured that all of the services we use as part of delivering Intuto to you (sub-processors) are also compliant (List of Intuto sub-processors).
These changes are the beginning of an ongoing conversation and commitment around privacy and security at Intuto.
If you are a business owner and need to export your data, permanently delete your account or have any questions about GDPR email to: firstname.lastname@example.org.
Want To Find Out More?
Feel free to contact us if you have any further questions.