LivingMetrics™ GDPR Compliance
What is GDPR?
The GDPR (General Data Protection Regulation) is a European Union privacy law adopted by the European Parliament and the Council of the EU in April 2016 (it was proposed by the European Commission in 2012). The GDPR replaced a prior European Union privacy directive, Directive 95/46/EC (the “Directive”), which had been the basis of European data protection law since 1995.
A regulation such as the GDPR is a binding act that applies directly and in its entirety throughout the EU, without needing to be transposed into national law as a directive does. The GDPR is an attempt to strengthen, harmonize, and modernize EU data protection law and enhance individual rights and freedoms, consistent with the European understanding of privacy as a fundamental human right. The GDPR regulates, among other things, how individuals and organizations may obtain, use, store, and erase personal data.
The GDPR was adopted in April 2016 and officially became enforceable beginning on May 25, 2018.
Who does it apply to?
The GDPR applies to organizations established in the EU, regardless of where their processing actually takes place, and to organizations outside the EU that offer goods or services to individuals in the EU or monitor their behaviour (Article 3). Note that the test is whether the data subjects are in the EU, not whether they are EU citizens. This means the GDPR can apply to an organization anywhere in the world, and every organization should assess whether it is processing the personal data of individuals in the EU. The GDPR also applies to all industries and sectors.
What is considered Personal Data?
Per the GDPR, personal data is any information relating to an identified or identifiable individual, that is, information that could be used, on its own or in combination with other data, to identify an individual. Personal data includes not only obvious identifiers such as social security or other national identification numbers, names, physical addresses and email addresses, but also IP addresses, behavioural data, location data, biometric data, financial information, and much more.
What does Process Personal Data mean?
In the context of the GDPR, processing is “any operation or set of operations which is performed on personal data or on sets of personal data, whether or not by automated means, such as collection, recording, organisation, structuring, storage, adaptation or alteration, retrieval, consultation, use, disclosure by transmission, dissemination or otherwise making available, alignment or combination, restriction, erasure or destruction” (Article 4(2)). Basically, if you are collecting, managing, using or storing any personal data of individuals in the EU, you are processing personal data within the meaning of the GDPR.
What are the GDPR implications for marketers?
Individuals have the right to receive “fair and transparent” information about the processing of their personal data, including:
- Contact details for the data controller
- Purpose of the data: This should be as specific (“purpose limitation”) and minimized (“data minimization”) as possible. You should carefully consider what data you are collecting and why, and be able to validate that to a regulator.
- Retention period: This should be as short as possible (“storage limitation”).
- Legal basis: You cannot process personal data just because you want to. You must have a “legal basis” for doing so, such as where the processing is necessary for the performance of a contract, the individual has consented, or the processing is in the organization’s “legitimate interests” (Article 6). This means that marketers have to be very clear in their engagements about what personal data is being collected and how it is being used, and must give the audience the opportunity to get more information and to exercise their rights, including the right to erasure (the “right to be forgotten”).
Does the GDPR say anything about cross-border data transfers?
Yes. The GDPR contains provisions governing the transfer of personal data from EU member states to third countries, such as the United States. These provisions do not radically differ from those in place under the Directive. Like the Directive, the GDPR does not require that the personal data of individuals in the EU be stored only in EU member states. Rather, it requires that certain conditions be met before personal data is transferred outside the EU, and it identifies a number of legal grounds that organizations can rely on for cross-border transfers. One such ground is an “adequacy decision”: a decision by the European Commission that an adequate level of protection exists for personal data in the country, territory, or organization to which it is being transferred. The EU-US Privacy Shield framework was one example of an adequacy decision, but the Court of Justice of the EU invalidated it in July 2020 (Schrems II, Case C-311/18), so it can no longer be relied on; transfers to the United States now need another ground, such as the European Commission’s standard contractual clauses (SCCs) used in the data transfer agreement described below.
How does this relate to LivingMetrics™?
LivingMetrics™ is a Sales Enablement CRM platform, which may include associated consulting and technical support services. Use of the platform by subscribers in the European Economic Area (EEA) entails the processing of personal data under the GDPR.
LivingMetrics™ is provided by Collain Healthcare, LLC, a company incorporated in the United States. All data processing in LivingMetrics™, however, takes place in Canada.
LivingMetrics™ offers its subscribers in the UK or in the EEA two agreements to cover UK GDPR/GDPR compliance, in addition to their existing agreement:
- A data protection addendum containing legal terms and details of how personal data are processed in LivingMetrics™. The UK GDPR/GDPR requires these terms and details to be included in contracts between controllers and processors (Article 28(3)).
- A data transfer agreement comprising the European Commission’s standard contractual clauses (SCCs) for transfers to third countries (Commission Implementing Decision (EU) 2021/914 of 4 June 2021), together with the UK Information Commissioner’s International Data Transfer Addendum to the EU SCCs (the UK Addendum), which adapts the SCCs for transfers subject to the UK GDPR.
If you are a UK or EEA customer and would like to enter into a data transfer agreement, use Adobe Reader to complete your company name, address and contact details and to sign and date pages 23 and 24. Customers in the UK (only) need to use Adobe Reader to complete their name, trading name, company number, address and contact details and to sign and date pages 39 and 40. Send the completed document to support@livingmetrics.com. We will confirm receipt in accordance with article 2.1 of the data protection addendum.