What is the GDPR?
With the General Data Protection Regulation (GDPR) (Regulation (EU) 2016/679), the European Parliament, the Council and the European Commission intend to strengthen and unify data protection and privacy for individuals within the European Union (EU). When the law takes effect in May 2018, it will trigger significant changes to how global brands approach online marketing, data protection and privacy policies.
It’s important to note that the new legislation also addresses the export of personal data outside the EU — effectively extending its application to any business with even a single customer in Europe.
- Date Enforcement Begins: May 25, 2018
- Fines: Up to €20,000,000 or 4% of total annual global turnover, whichever is greater, for the most serious infringements
- Liability: Individuals whose privacy has been infringed upon can easily bring private claims against data controllers, and data subjects who have suffered non-material damage as a result of an infringement can sue for compensation
- Changes: New elements and significant enhancements over current Data Protection Acts 1988 and 2003 (the Acts) requiring detailed consideration by all organizations involved in processing personal data
T-Minus 365 Days to GDPR. Are you ready?
If not, Gigya can help with a GDPR Readiness Toolkit that enables global businesses to begin preparing now. The kit was developed by customer identity experts, with resources designed specifically to help businesses prepare to meet GDPR compliance for their customer identity and access management (CIAM) solutions by the May 25th, 2018 deadline.
GDPR Readiness Toolkit for Customer Identity & Access Management
- Survey Guide – The 2017 State of Consumer Privacy and Trust: Compelling statistics and trends around customers’ opinions regarding data privacy and trust in their online experiences.
- CIAM Guide to Addressing GDPR Requirements: A practical guide to help businesses understand how Gigya’s customer identity and preference management solutions help clients prepare to meet GDPR compliance and other global data privacy regulations for their customer identity implementations.
- GDPR Technical Self-Assessment for CIAM: A self-service tool for evaluating businesses’ customer identity management practices to help determine the gaps and remediation needed to meet GDPR compliance.
- GDPR Compliance Matrix: A list of Gigya features that help clients prepare to meet the most complex requirements of the GDPR for their customer identity solutions.
Gigya and GDPR: Helping manage your customers’ data to keep you in compliance
As the leader in Customer Identity Management, Gigya has implemented systems and programs to achieve compliance as a data processor and to help our clients meet the challenges of the GDPR, including:
- A formal Information Security Management System (“InfoSec System”). This comprehensive set of written policies, procedures and practices is designed to ensure security for our clients’ data and confidential information and to effectively assess, manage, and respond to information security risks. Gigya is ISO 27001 and ISO 27018:2014 certified, and uses only SSAE-16 certified data centers to host its platform. Controls implemented as part of this InfoSec System include asset management, access management, change management, software development lifecycle management and vendor security screening. Download our data sheet to learn more about our industry-leading security and data privacy practices.
- Privacy by design processes. Our product and product marketing teams work closely with our Chief Information Security Officer to address privacy and security concerns when determining product feature requirements.
- A robust corporate privacy program. This includes operational procedures and privacy training and awareness building for employees.
Learn more about how Gigya approaches data security and privacy in our Trust pages.
Gigya’s Answers to your Questions about GDPR
As the leading provider of customer identity and preference management solutions, we are often asked by our clients about the European Union’s upcoming General Data Protection Regulation (GDPR) and what it means for their customer identity strategies. More importantly, clients are wondering what we will do to help them become GDPR compliant before the May 25th, 2018 deadline with respect to their customer identity and access management solution. We’ve gathered the most commonly asked GDPR questions and provided the answers to help you understand the complexities of the regulation and Gigya’s solutions for addressing those challenges.
- When is the GDPR coming into effect?
The regulation will take effect on May 25th, 2018.
- Who does the GDPR affect?
The GDPR will apply to organizations which have EU “establishments”, where personal data are processed “in the context of the activities” of such an establishment. GDPR also applies to non-EU established organizations that process the personal data of EU data subjects in connection with offering goods and services or monitoring their behaviour within the EU.
- What are the penalties for non-compliance?
Organizations may be fined up to 4% of annual global turnover or €20 million, whichever is larger, for breaching GDPR compliance. These fines are applicable even for businesses without a legal presence in the EU. Sanctions may also be placed on organizations restricting their ability to trade within the EU.
- Will the fines really be enforced?
It is too early to predict how various supervisory authorities will enforce their powers.
- What constitutes personal data?
‘Personal Data’ means any information relating to an identified or identifiable natural person (‘data subject’); an identifiable natural person is one who can be identified, directly or indirectly, in particular by reference to an identifier such as a name, an identification number, location data, an online identifier or to one or more factors specific to the physical, physiological, genetic, mental, economic, cultural or social identity of that natural person.
- What is the difference between a data processor and a data controller?
A data controller is the entity that determines the purposes, conditions and means of the processing of personal data, while the data processor is the entity which processes personal data on behalf of the controller. Gigya is the data processor and our clients are data controllers.
- Can Gigya help clients become GDPR compliant when handling customer data?
Gigya’s solutions are built on privacy by design principles to help our clients meet the requirements of global data protection and privacy regulations for their CIAM solutions. While Gigya cannot determine every change clients must make, we can provide general “Privacy by Design” recommendations. Ultimately, final decisions must be made by our clients.
- What does ‘privacy by design’ mean?
Privacy by design is a collection of data privacy best practices woven through Gigya’s customer identity and preference management solutions. The privacy by design elements include consent management, recording consent, managing consent, user data rights and privacy by design defaults (i.e., deletion of customer records, inactive accounts and others). Using these principles, Gigya’s solutions can help businesses address many of the requirements of the GDPR and other data protection and privacy regulations to ensure compliance and a transparent experience for customers.
- What other resources does Gigya have to inform our business about GDPR?
Gigya has created a free GDPR Readiness Toolkit which can be obtained at www.gigya.com/ReadinessToolkit. The toolkit includes a comprehensive white paper explaining how Gigya’s Customer Identity Management platform and Gigya Enterprise Preference Manager solution can help clients prepare for GDPR; a GDPR compliance matrix listing features of Gigya’s solutions mapped to GDPR requirements; results from Gigya’s 2017 State of Consumer Privacy and Trust survey; and the Customer Identity Management GDPR Technical Self Assessment.
- What are the new requirements for consent?
Consent is subject to additional conditions under GDPR. For example, companies cannot rely on long incomprehensible terms of service agreements as a means of obtaining consent from online visitors. The GDPR specifies that requests for consent must be given in an intelligible and easily accessible form, with the purpose for data processing stated unambiguously. Consent for collecting and processing customer data must be clear and easily distinguishable from other contractual language.
Consent must also be simple to withdraw for customers, and proof of consent must always be readily available at the request of regulators or customers. Gigya’s consent management capabilities can help clients collect, store, manage and re-request customer consent.
- What is the new minimum age for consent?
The GDPR changes the minimum age of consent to 16 in the EU. Member states may set the age of consent as young as 13. To lawfully process the data of underage customers, parental consent is required. Gigya’s clients can implement parental consent flows on top of Gigya’s out-of-the-box screen sets.
- What happens with existing customer data that was collected using different requirements for consent?
We recommend seeking legal advice for your specific situation. Gigya’s functionality does allow consent to be refreshed at any time.
- What are the new user data rights that have been granted by the GDPR?
Users must now be given more control over their data. These rights include the “right to be forgotten,” the right to freeze data processing, subject access rights, and the rights to edit, download and delete data. Gigya’s customer identity and preference management solutions are built from the ground up with features to help clients address these new user rights.
- What is the “right to be forgotten”?
This is the right of the individual to have their personal data deleted “without undue delay” when, for example, data is no longer necessary for the specific purposes for which it was initially collected or processed. Gigya’s solutions allow clients to easily include a profile option for deleting or deactivating an account.
- Where should I begin to address GDPR requirements?
Companies are advised to seek advice from their own legal counsel to assess their own obligations. Gigya offers a Customer Identity Management GDPR Technical Readiness Self Assessment to determine compliance gaps with respect to your customer identity solutions, which should then be followed by action items with the GigyaWorks Global Services team to remediate those gaps.
Companies that seek professional legal help for in-depth GDPR assessments can refer to 3rd party organizations. One example of such a process is the UK Information Commissioner’s Office (ICO) self-assessment. Gigya cannot advise on or address results from 3rd party GDPR self-assessments unrelated to managing customer data, as they fall outside of Gigya’s core competencies.
- In light of ‘Brexit’, should UK-based data controllers seek to comply with the GDPR?
Any organization processing the personal data of EU data subjects must comply with the GDPR. It is important to remember that the UK will be a member of the EU until terms of the secession are finalized and it officially exits the Union – which is expected no sooner than 2019. The Information Commissioner’s Office (ICO) has already set the expectation that, upon its exit, the UK’s successive data protection law will be “essentially equivalent” to the GDPR.
- Does Gigya meet its obligations as a Data Processor under GDPR?
Gigya expects to comply fully with its obligations as a data processor under the terms of the GDPR by the start of enforcement on May 25, 2018. To that end, Gigya works closely with reputable external counsel to ensure compliance, closely monitors Article 24 Working Party guidance and is already producing GDPR-ready contract documents with our clients.
- Does Gigya have a Data Protection Officer?
Yes. Appointing a DPO is one of the GDPR compliance requirements.
- Will GDPR affect our ability to target users of our website?
Technically, the GDPR does not forbid any digital marketing activities that were allowed before. It does, however, introduce new requirements for obtaining explicit consent from EU consumers to perform such activities. For example, the GDPR requires that companies get specific consent from customers if they want to use profiling and segmentation to market to them using personalization and analytics technologies, a common practice in today’s cloud-driven digital markets.
- Am I required to provide customer data downloads upon request?
The GDPR requires all businesses to provide customers access to their personal data in a legible format that is easy to read by both people and machines.
- In what format should I make data available for export to customers?
Gigya allows clients to provide customer data downloads in both XML and text formats.
- How can I be sure that a user’s data is amended or deleted everywhere that it is stored?
As part of the Customer Identity Management GDPR technical self assessment and the Privacy Strategy Workshop, the flow of customer data within the organization and among third-party technologies will be fully mapped so that the proper processes can be architected for editing and deleting data. Gigya’s solutions simplify this process by allowing clients to unify and consolidate internal customer databases. Gigya’s IDX marketplace features pre-built integrations into more than 50 marketing, sales and services technology partners. The Gigya Global Services team will ensure that you have a clear understanding of the flow of data, both within your internal systems and with any third-party technologies employed.