The “General Data Protection Regulation” or GDPR is a new comprehensive data protection law in the EU (including the UK post-Brexit) that comes into effect on May 25, 2018. The GDPR updates the existing EU privacy laws in order to strengthen them in light of rapid technological developments and more complex international flows of personal data, and to give EU citizens better control over their personal data in the digital world. The GDPR regulates and unifies across the EU how organizations can collect, store, process and transfer the personal data of EU individuals with a single set of rules.
Personal data is any information relating to an identified or identifiable natural person, or so-called “data subject.” The GDPR expands and clarifies the concept of personal data. Identifiers such as a name, identification numbers, location data, and online identifiers (such as IP addresses) are considered personal data.
Under the European data protection law, organizations processing personal data are divided into “Controllers,” those entities controlling personal data, and “Processors,” those entities processing personal data only on the instructions of the Controllers. For instance, Brand Embassy is a Processor. The GDPR applies to both Controllers and Processors. Another category, Sub-processors, covers those entities performing personal data processing for Processors (other organizations). The GDPR applies to those entities too.
The GDPR applies to all organizations processing the personal data of EU citizens (data subjects), regardless of the organization's location. “Processing” means any operation performed on personal data, such as collection, storage, transfer, dissemination or erasure.
The GDPR changes existing EU data protection laws in several ways. Most importantly, it enhances data privacy rights for individuals. While the basic concept of personal data largely remains the same, the GDPR expands and clarifies it. The GDPR also introduces enhanced obligations for data management by organizations, and a new regime of fines for organizations that do not comply with the law.
The GDPR provides expanded rights for EU citizens (“data subjects”) such as:
The GDPR unifies and creates consistency across EU member states on how organizations can collect, store, process and transfer the personal data of EU individuals with a single set of rules. Organizations will need to ensure the security of the data they are processing and demonstrate their compliance with the GDPR on a continual basis. It’s important to implement and regularly review robust technical and organizational security measures, as well as compliance policies.
We have a data protection team of senior members of the legal, data and security sectors, ensuring that Brand Embassy is GDPR-compliant and performing regular reviews.
We’ve made a new data processing addendum (available here: https://www.brandembassy.com/legal/data-processing-addendum), which reflects the GDPR standards.
We also apply data protection mechanisms and procedures in our design principles for every new feature, product and enhancement.
High security measures are applied to all data, not only EU citizens’ data. We believe this will help you to comply with data protection regulations in multiple frameworks around the globe.
Brand Embassy's top priority is data security and we are committed to protecting the personal data that we may handle as part of our processing activities. We offer a data protection agreement of a high industry standard that customers can execute and sign with us. Our DPA is available here: https://www.brandembassy.com/legal/data-processing-addendum.
Brand Embassy has implemented processes and tools to help you manage requests from data subjects including the deletion of personal data (“the right to be forgotten”), as well as access to personal data, modification (rectification), and portability.
Customers can contact us at firstname.lastname@example.org to request those actions required by data subjects. There will be an approval process in place in the early stage to make sure we are deleting the data as requested, and the process will be continuously reviewed and iterated. To perform these actions we may also require that additional information, such as post/message IDs or customer IDs, is available and visible in the Brand Embassy Platform. Our privacy team is fully dedicated to providing the necessary support or guidance.
Customers can also use programmatic options to automate key processes by using Brand Embassy API for the GDPR. There is no one-size-fits-all approach for automated deletion and customers should design their approach and then consult with our Solution Designers, who will find the best scenarios to build it on top of the Brand Embassy Platform and configure the necessary processes if needed.
As far as the personal data in relation to Brand Embassy is concerned, please contact the relevant data Controller or contact us at email@example.com, and we will be happy to assist with your questions or requests.
No. The GDPR does not specifically require you to encrypt your data. The GDPR does not define specific security measures; however, it does require organizations to take technical and organizational security measures appropriate to certain risks. Encryption may be appropriate in certain cases, but it is not specifically mandated by the GDPR in every instance.
No, the GDPR does not require that EU personal data stay in the EU. However, Brand Embassy generally stores the personal data of EU citizens in data centers in the EU. Also, transfers of personal data outside the European Economic Area (EEA) generally require that valid and appropriate safeguards are in place to protect the data once it leaves the EEA (Chapter V, Articles 44-50).
Brand Embassy's security measures and GDPR readiness program include regular reviews of the compliance of vendors that handle personal data on Brand Embassy’s behalf.
Please contact your account manager or contact us at firstname.lastname@example.org, and we will be happy to assist with your questions.