GDPR Compliance for Recapture
The GDPR (General Data Protection Regulation) is an important piece of legislation that is designed to strengthen and unify data protection laws for all individuals within the European Union (EU). The regulation will become effective and enforceable on May 25, 2018.
Our commitment: Recapture is fully committed to achieving compliance with the GDPR prior to the regulation’s effective date.
In this page we cover:
- Does GDPR even affect me?
- What is Recapture doing about the GDPR?
- What changes is Recapture making to be GDPR Compliant?
- What do Recapture Customers need to do?
- I’m new to the GDPR and would love more details on what it is.
- I have a GDPR request or complaint.
Recapture began to dedicate internal resources to the GDPR in late 2017, well before the deadline. We did this because we value our customers (and their customers) rights to privacy. Compliance with and to international law and regulations are very important to us.
Here’s a condensed version of our GDPR Roadmap and where we are on our journey:
- Thoroughly research the areas of our product and our business impacted by GDPR – COMPLETE
- Determine the appointment of a Data Protection Officer – COMPLETE
- Rewrite our Data Protection Agreement – COMPLETE
- Develop a strategy and requirements for how to address the areas of our product impacted by GDPR – COMPLETE
- Perform the necessary changes/improvements to our product based on the requirements – COMPLETE
- Implement the required changes to our internal processes and procedures required to achieve and maintain compliance with GDPR – COMPLETE
- Thoroughly test all of our changes to verify and validate compliance with GDPR – COMPLETE
- Finalize and communicate our full compliance – COMPLETE
The short answer is probably YES. Let’s talk about the longer version. A common misconception is that GDPR applies ONLY to businesses in the EU. This is not true. It depends on who your customers are, not your business’ location:
- I live INSIDE of the EU and have a business with (some) EU customers – YES, you’re affected. What affects you are the customers, NOT your location!
- I live INSIDE of the EU and do not have EU customers at all – NO, you’re not affected. As long as you have NO customers that reside in the EU, you’re not affected. But in our experience, that’s very, very rare. Most likely, you probably have customers from the EU and #1 or #3 applies.
- I live OUTSIDE of the EU and have a business with (some) EU customers – YES, you’re affected. What affects you are the customers, NOT your location!
- I live OUTSIDE of the EU and do not have EU customers at all – NO, you’re not affected. As long as you have NO customers that reside in the EU, you’re not affected. But in our experience, that’s very, very rare. Most likely, you probably have customers from the EU and #1 or #3 applies.
The bottom line is this–if you serve ANY customers from ANY country in the EU, you are affected by GDPR, regardless of whether you’re an EU-based business, or located in the EU in any way. GDPR is very far-reaching in that regard.
We are taking many steps across the entire company to ensure we will be ready for the GDPR. We are improving anonymity within our analytics tools and making changes to allow you to tailor how you request consent within our feedback tools. We’re also working on interfaces that will allow you to address requests from your customers related to their rights for accessing any personal data that might stored in your Recapture account. In addition, Recapture is also confirming that all services we use are also GDPR-compliant.
Based on our research conducted, we are confident these changes will address the requirements of GDPR. We will communicate these changes in detail before the first of May, 2018.
There are two things that you might need to do depending on your situation and jurisdiction. Below are the only impactful changes that we can foresee that might affect you as a result of using Recapture:
- If you are in the European Union you may want to sign a Data Processing Agreement with Recapture. We offer data processing addendums (DPAs) for our customers that operate in the EU. Our DPA offers contractual terms that meet GDPR requirements and that reflect our data privacy and security commitments to our clients. We have a standard DPA that you may sign and keep on file. To generate a signed DPA for your organization please use this form. You can see a sample of the addendum here.
The General Data Protection Act (GDPR) is considered to be the most significant piece of European data protection legislation to be introduced in the European Union (EU) in 20 years and will replace the the 1995 Data Protection Directive.
The GDPR regulates the processing of personal data about individuals in the European Union including its collection, storage, transfer or use. Importantly, under the GDPR, the concept of “personal data” is very broad and covers any information relating to an identified or identifiable individual (also called a “data subject”).
It gives data subjects more rights and control over their data by regulating how companies should handle and store the personal data they collect. The GDPR also raises the stakes for compliance by increasing enforcement and imposing greater fines should the provisions of the GDPR be breached.
The GDPR enhances EU individuals’ privacy rights and places significantly enhanced obligations on organizations handling data.
In summary, here are some of the key changes to come into effect with the upcoming GDPR:
- Expanded rights for individuals: The GDPR provides expanded rights for individuals in the European Union by granting them, amongst other things, the right to be forgotten and the right to request a copy of any personal data stored in their regard (full list below).
- Compliance obligations: The GDPR requires organizations to implement appropriate policies and security protocols, conduct privacy impact assessments, keep detailed records on data activities and enter into written agreements with vendors.
- Data breach notification and security: The GDPR requires organizations to report certain data breaches to data protection authorities, and under certain circumstances, to the affected data subjects. The GDPR also places additional security requirements on organizations.
- New requirements for profiling and monitoring: The GDPR places additional obligations on organizations engaged in profiling or monitoring behavior of EU individuals.
- Increased Enforcement: Under the GDPR, authorities can fine organizations up to the greater of €20 million or 4% of a company’s annual global revenue, based on the seriousness of the breach and damages incurred. Also, the GDPR provides a central point of enforcement for organizations with operations in multiple EU member states by requiring companies to work with a lead supervisory authority for cross-border data protection issues.
The GDPR includes the following rights for individuals
- the right to be informed
- the right of access
- the right to rectification
- the right to erasure
- the right to restrict processing
- the right to data portability
- the right to object
- and the right not to be subject to automated decision making including profiling
This site provides more details about the process if you are interested (including the legal details): ICO Privacy Transparency and Control
If you are a company outside the EU, you should still be aware of this. The provisions of the GDPR apply to any organization that processes personal data of individuals in the European Union, including tracking their online activities, regardless of whether the organization has a physical presence in the EU.
If you have a concern or need to file a GDPR complaint with Recapture, please use this form which covers each case of the GDPR rights so we can handle your request as quickly as possible.
My question isn’t addressed here, can you still help?
If you have any questions, please don’t hesitate to contact us at firstname.lastname@example.org.