PeopleVine is GDPR Ready.
What does that mean?
In this article we'll detail the requirements and provide a checklist for understanding GDPR and for helping to ensure you comply with it.
***We highly recommend you consult with an attorney or a privacy and compliance specialist before signing off that you're GDPR compliant.
Becoming GDPR Compliant
This can be broken down into a few sections:
- Your data and what you do with what you collect
- Accountability and management of the data you collect
- Your customers' rights over their own data
- Getting consent not only to opt in but also to process their data
- Advanced use cases when processing data beyond our platform
Let's start with your data, or rather your customers' data, since you own the data you store with us (it is not ours). So it's important that you're aware of the following:
- Know what's happening to your data, not just in PeopleVine, but when you export it, connect to our API or even post it on your website or portal. Some things to keep in mind:
1) know what you're collecting and why,
2) know the source of that information (if it came from outside PeopleVine; you can label your imports),
3) know who you share it with (when exported, posted elsewhere or pulled via the API),
4) know what you or they do with it, and
5) know how long it is kept (in PeopleVine, it's kept until you delete it).
- Know where your data sits. That's easy if you're leveraging PeopleVine's features for everything, but when you export data from PeopleVine, keep track of where you put it. If you're sharing it with others, know what they are doing with it.
Remember it's not only about where you download your data to, but also what you display to people on your website or portal. We have you covered there too (as long as you use it). Within just about every element you create (content, directory, events, schedulers, etc.) you can assign permissions to anyone, to members of groups or to admins only in order to prevent unauthorized access.
Check out this article on how to replace our default policies with your own. If you do something with the data outside of our platform, make sure you update your policies AND, if you process their data, make sure you have a lawful basis for that processing.
Great, we hope that first part made sense. Best of all, if you keep the data in PeopleVine, then you're that much closer to being compliant!
Now let's look at accountability and management of the data you are collecting. This is focused on how you use our platform, as well as others, when processing the data.
- Make sure you appoint someone at your company who understands how to protect your data and what to do in case of an emergency. They would create awareness among decision makers about GDPR guidelines and train the rest of your team on how to protect your data.
This person would be known as your Data Protection Officer and would help ensure compliance throughout. Note that GDPR only mandates a formal DPO in certain cases (for example public authorities, or organizations whose core activities involve large-scale monitoring of people or large-scale processing of special categories of data), but naming an owner for data protection is good practice regardless.
- Make sure your technical security is up to date. This includes computer updates, network updates, security and passwords, connected devices, installed software, etc., but you should already have that covered!
PeopleVine also helps you meet these requirements as they relate to your site. For example, you can easily enable HTTPS (TLS, often still called SSL) for data-capturing sites, and it is included in most of our plans. We have also completed a series of penetration tests, performance tests and more to help ensure PeopleVine holds up over time.
- Now, this is the tricky one: if you are not established in the EU but offer goods or services to, or monitor the behaviour of, people in the EU, then you should appoint a representative in the EU in case a local authority needs to contact someone. Look for a law firm or representative service in an EU member state. Note that the UK is no longer in the EU; it has its own UK GDPR with a separate UK representative requirement, so a UK office does not cover the EU.
- If there is a data breach involving personal data, you must report it to the relevant supervisory authority (without undue delay and, where feasible, within 72 hours of becoming aware of it) and, where the breach is likely to result in a high risk to the people involved, to those people as well. So make sure you know where your data is once it leaves PeopleVine!
OK, now you need to be aware of your customers' rights, including their new rights under GDPR.
- We've made it easy for your customers to get access to and update their personal information and the information you capture by providing self-service tools. Just add these paths to the end of your registered domain in PeopleVine (we also include most of them throughout standard pages and navigation):
- /account/edit allows your customers to edit their profile. You can also attach a form of questions/attributes that allows people to opt in to and out of certain marketing lists.
- /account/memberships allows members to edit their member/public profile.
- /account/businesses lets people manage the company profiles they have access to in the directory.
- /contact in case they need to get hold of you.
- No matter how people interact with PeopleVine, there's always a way for them to edit and view their data. Make sure that any other provider you work with does the same!
- In many areas of PeopleVine, and expanding throughout, you will find the ability to delete and/or archive data. When you press delete, it removes the information permanently. On the customer profile, admins also have access to Wipe Person, which completely erases a person from your database along with all their past touchpoints.
In order to remain compliant with GDPR, we will be setting up automated purging of any archived data 90 days after it is set to archived.
Just make sure that when a customer requests to be removed, or requests access to their information, you act on it (GDPR generally expects a response within one month of the request). Data can easily be exported in PeopleVine, and a person's profile can be printed out as well.
- Honor their opt-out: if they want out, let them out. Maybe, when they're interested again, they'll opt in again.
We've made it really easy to opt out by 1) providing both an Instant Opt Out and an Edit My Preferences link at the bottom of each marketing newsletter, 2) letting people reply STOP (or other keywords) to opt out of SMS messages, 3) letting them easily edit their account at /account/edit and 4) offering the ability to opt out when engaging with new experiences.
- If you are processing children's personal data, you must verify their age and obtain consent from their legal guardian. GDPR sets the age of consent for online services at 16, but member states may lower it to as low as 13, so check the threshold that applies to you. Ask for age and guardian consent by attaching a form to the experience they're interacting with, and block access until you have that consent.
Whoa, if you made it this far, then you're that much closer to being compliant!
If you have advanced use cases, then check out these final thoughts. If you don't, then scroll down for more notes:
- Make sure you regularly review your policies for changes, effectiveness, changes in how you handle data and changes in the legal situation of other countries your data flows to. We'll help you as much as we can and as quickly as we can, so reach out if you need help.
- If you're carrying out large-scale data processing, profiling or other activities with a high risk to the rights and freedoms of people, then you may need to conduct a Data Protection Impact Assessment (DPIA). If this is you, research the DPIA requirements and involve your privacy specialist, as this goes beyond what we can cover here.
- Your data, or at least the data that sits in PeopleVine, currently resides ONLY in the United States of America, in West Coast, East Coast and Midwest data centers hosted within Microsoft Azure's cloud. We will continue to expand our presence to other data centers throughout the world where they comply with GDPR and other regulations.
Because of this, transfers of EU personal data to PeopleVine (and anywhere else you send data outside the EU) need a valid transfer mechanism, such as an adequacy decision or standard contractual clauses, and the recipient should provide the same or better level of protection as the GDPR. We recommend confirming this for every provider your data flows to.
Now, that's all we have to offer on GDPR, and as you've seen, PeopleVine's toolset has helped you comply since day one!
With that said, here are some great resources on GDPR (but please contact a GDPR consultant or attorney to ensure you are fully compliant):
- Official EU GDPR Regulations
- Wikipedia General Data Protection Regulation
- Web Based Version of the full General Data Protection Regulation
- Microsoft Trust Center: GDPR Compliance
This legal information is not the same as legal advice, where an attorney applies the law to your specific circumstances, so we insist that you consult an attorney if you’d like advice on your interpretation of this information or its accuracy. To sum it up, you may not rely on this article as legal advice, nor as a recommendation of any particular legal understanding.