The European Union’s General Data Protection Regulation (GDPR) went into effect on May 25, 2018.
The GDPR extends the reach of the European Union’s data protection laws and establishes many new requirements for organizations that fall under its scope. Our privacy team has verified that Linc meets the requirements of the GDPR.
Who has to comply with the GDPR?
- Any EU-based organizations considered “controllers” or “processors” of data. In general, controllers determine the means and purposes of data processing, while processors handle data for specified purposes on behalf of controllers.
- Organizations considered controllers or processors of personal data of EU residents in relation to goods or services provided to them
- Organizations who monitor the behavior of EU residents
Many of Linc’s customers will fall into the “controller” category as they are collecting and using personal data about their customers. And since Linc falls under the “processor” category, we are required by the GDPR to treat our customers’ data as if it were our own.
Why is the GDPR such a big deal?
The GDPR is an unprecedented privacy regulation in terms of its breadth, depth, and impact. More organizations than ever are required to comply with the regulation, and the regulation is chock-full of new requirements for controllers and processors. Fines for noncompliance with the GDPR may be imposed up to the greater of €20 MM or 4% of global revenue.
What are some of the major changes the GDPR brings about?
- The GDPR gives EU residents the “right to be forgotten” by controllers and processors. If a data subject requests their data to be removed, controllers are responsible for securely deleting the data from their systems and ensuring processors delete data as well.
- The GDPR outlines specific requirements for notifications in the event of a data breach. Organizations that experience a data breach must notify data protection authorities, and in certain cases they must also notify the data subjects.
- The GDPR now extends to organizations that monitor the behavior of EU residents online. This includes e-mail tracking as well as tracking of user behavior on an organization’s website.
- The GDPR centralizes the regulation of processing of EU resident data. All processing of personal data belonging to residents of the EU will be governed by the GDPR, regardless of the member state in which the data subject resides.
What did Linc do to prepare for the GDPR?
Data security and privacy are top priorities for Linc. Our privacy team analyzed the requirements of the GDPR and has enhanced our policies, procedures, contracts, and platform features to ensure alignment with the GDPR and enable compliance for our client Controllers. To demonstrate our dedication to security and privacy, we have completed the following:
- Appointed an internal data protection officer (DPO)
- Linc Global, Inc. is certified under the EU-US Privacy Shield framework (Linc’s Privacy Shield Certification).
- Procured a third-party dispute resolution firm (TRUSTe)
- Procured an EU-based member representative (DP-Dock GmbH), which has on staff one of about 10,000 individuals worldwide who hold the Certified Information Privacy Professional for Europe (CIPP/E) certification
More information on our current security practices, as well as specific information for EU Residents can be found on our Policy Page.
What should Linc customers do to prepare for the GDPR?
If your organization is a Controller or Processor of EU resident data, it will be critical to establish compliant security and privacy practices. The following steps will allow you to achieve compliance:
- Tone at the top is key. Establish support at top levels for GDPR compliance efforts, and designate a data protection officer (DPO) to oversee the compliance efforts.
- Review current security and privacy efforts and perform a privacy impact assessment (PIA) over high-risk data processing activities. Results of the PIA should drive the establishment of new control activities to mitigate the identified risks.
- Ensure transparency with data subjects. Data should only be used for the purposes specified in agreements and privacy notices and should only be transferred to third parties that are disclosed in agreements.
- Keep a record of compliance activities. It always helps to have a detailed record of the work your organization has done to comply with the GDPR. Whether it is a PIA, a policy document, a consent form, or something else, documentation of security and privacy practices will assist your organization in demonstrating its compliance with the GDPR.
If you or anyone in your organization has questions about the GDPR, or any of Linc’s security and privacy practices, please do not hesitate to contact our security team at firstname.lastname@example.org.