Data Protection & Commitment to GDPR
What is personal data?
Any information relating to an identified or identifiable natural person ('data subject'). An identifiable person is one who can be identified, directly or indirectly, in particular by reference to an identifier such as - name, email address or location, and also online identifiers like IP address, types of website cookies and other device identifiers. For eg: IP address of visitors at your site, location, your email id when you log into the Tagalys dashboard; CRM software collecting online identifiers to learn prospect activity on from the company website/product.
Who are data controllers, processors and sub-processors?
A data controller is the entity/person that determines purposes and means of processing personal data of the EU resident. For eg. Tagalys is a data processor and our customers (online retailers) are controllers of the EU resident's data.
The GDPR applies to both data controllers and processors. Controllers collect data from the end-user that is the EU resident, for purposes clearly stated and with appropriate consent. Data processors provide services to the controller in accordance with each controller's instructions. Processors also use data collected to perform benchmarking analysis, so that it can sell further services allowing controllers to compare their data to industry averages.
Another category called sub-processors or third-party businesses performing data processing for other companies are also accountable for protection of personal data, according to the GDPR
Who is a Data Protection Officer (DPO) and does my business need one?
The DPO is responsible for informing employees of their compliance obligations as well as conducting monitoring, training, and audits required by the GDPR. A DPO needs to be appointed if you:
- process large amounts of personal data
- carry out large scale systematic monitoring of individuals or,
- are a public sector authority
Can we use Tagalys before you are fully compliant?
Yes, you can confidently continue with Tagalys as we are currently GDPR compliant. The regulation approved by the EU parliament in April 2016 provides businesses an adapting period of 2 years until the enforcement date of May 2018. Preparing for GDPR is a company wide challenge involving large amount of time, resources and expertise. Tagalys is GDPR compliant as of May 23rd 2018.
What is the cloud or Software-as-a-Service(SaaS) advantage to meeting data governance policies?
Meeting compliance requires investments in time, effort, cost and expertise. The solution lies in being part of cloud or SaaS ecosystem, that is already operating on a secure model for data management. This provides a safe environment to manage and process your data, and also accommodate efforts required to keep pace with changing policies.
How does my business benefit by complying with the GDPR?
The GDPR helps restore consumer trust by acting as a central authority governing rules of data protection and rights across the EU. The new law allows businesses to undertake opportunities in the digital market while protecting an individual’s fundamental rights.
Businesses can capitalize on opportunities through:
- Cost savings and less complicated policy management by dealing with 1 law, not 28. This otherwise required expenses and efforts dealing with regulations for each member state locally.
- Consistency in practice of data protection measures both in and outside the EU. This is because the same regulation applies to all businesses, regardless of where they are based out of.
- The regulation enables innovation to flourish under the new law.
What do you mean by ‘Right to be forgotten’?
Individuals have the right to have their personal data deleted, in the event that it is no longer needed. ‘Right to be forgotten’ is in support of - freedom of expression.
Does the GDPR require EU data to stay in the EU?
No, the GDPR does not require EU personal data to stay in the EU, nor does it place any new restrictions on transfer of personal data outside the EU.
Data transfers from the EU to outside can be legitimized in many ways including
- EU-US Privacy Shield
- Model or Contractual clauses
- Binding Corporate Rules (BCR)
What does GDPR mean by “data protection by design and by default”?
Data protection by design means, ensuring only that personal data which is required is collected, and also incorporate privacy features and functionality into products and services from the time they are first designed.
Data protection by default means, businesses must implement appropriate measures to mitigate privacy risks at the time of collection of the data, as well us by extending it at the time of processing it.