The General Data Protection Regulation (GDPR) is an EU regulation that expands the protection of personal data
of EU citizens. In doing so, it also expands the obligations of organizations who collect or process that data.
The goals of the GDPR are to increase transparency and fairness in the handling of individuals’ personal information.
Personal data is any information relating to an identifiable individual.
Enforcement of the GDPR began on May 25, 2018. All organizations needed to be aware of their responsibilities and ensure that they were compliant with GDPR by May 25, 2018. Non-compliance can result in hefty fines.
The following information is provided to help you understand general concepts about the GDPR. It is not legal advice, and you should speak to legal counsel regarding the GDPR and how it affects your organization.
The GDPR applies to any organization that is organized in the EU and any organization that processes personal data of EU citizens.
Organizations are classified as processors or controllers of personal data. Organizations that determine the purpose of the storage or processing of personal information are considered controllers. Organizations that store or process personal data on behalf of another organization are considered processors. Some organizations may be both.
When it comes to the personal information I enter into Salesdoor, is my organization a controller or a processor?
Because you control and manage the data you enter into the CRM, you are the controller for that data. You decide how that data is used, how long to keep it, how often to update it, etc.
Salesdoor is a Processor. Salesdoor is the Processor of the personal data you manage in our systems. We store the data for you and process it per your actions in our applications.
Every organization may be different due to their role in managing user data. For example, some organizations
will be both controllers and processors. In general, you must have processes in place to follow through on
requests from your users regarding their personal data.
We have been fully Compliant Since May 25, 2018. These are just some of the many steps Salesdoor has taken to meet
the data transparency goals of the GDPR. This continues our practice of protecting your data and providing for
the legal and secure handling of your organization’s critical business information.
We have amended our Data Processing Addendum (based on Model Contractual Clauses) to be compliant with the data processing requirements of GDPR.
New & enhanced rights for data subjects- This law gives an individual the right to exercise complete authority over their personal data. Some of the rights highlighted in the regulation are:
Explicit consent- Data subjects must be informed about how their personal data will be processed. Organizations must make it as easy for data subjects to withdraw their consent as it is to grant it.
Right to access- At any point in time, the data subject can ask the controller what personal data is being stored or retained about him/her.
Right to be forgotten- The data subject can request the controller to remove their personal information from the controller's systems.
Obligations of the processors- GDPR has raised the bar for the responsibilities and liabilities of data processors as well. Processors must be able to demonstrate compliance with the GDPR and they must follow the data controller's instructions.
Data Protection Officer- Organizations may need to appoint a staff member or external service provider who is responsible for overseeing GDPR, general privacy management compliance and data protection practices.
Privacy Impact Assessments (PIA)- Organizations must conduct privacy impact assessments of their large-scale data processing to minimize the risks and identify measures to mitigate them.
Breach notification- Controllers must notify the stakeholders (the supervisory authority, and where applicable, the data subjects) within 72 hours of becoming aware of a breach.
Data portability- The controller must be able to provide data subjects with a copy of their personal data in machine readable format. If possible, they must be able to transfer the data to another controller.
Contract- This applies when you need to process the customer's personal data to fulfill your contractual obligations, or to take some action based on the customer's request (e.g. sending a quote or invoice).
Legal Obligation- This applies when you have to comply with an obligation under any applicable law (e.g. providing information in response to valid requests, such as an investigation by an authority).
Vital Interests- This applies to urgent matters of life and death, especially with regards to health data.
Public Task- This applies to activities of public authorities.
Legitimate Interests- Legitimate interests can include commercial interests, such as direct marketing, individual interests, or broader societal benefits. The controller must document and keep a record of decisions on legitimate interests in the form of a Legitimate Interests Assessment.
Consent- Consent is also a lawful basis to process data. Consent of the data subject means "any freely given, specific, informed, and unambiguous indication of the data subject's wishes by which he or she, by a statement or by a clear affirmative action, signifies agreement to the processing of personal data relating to him or her."
LIA stands for Legitimate Interests Assessment. It specifies the reason an organization wants to process a customer's personal data. The organization must also conduct an LIA to show that the processing is necessary.
The assessment of whether a legitimate interest exists.
The establishment of the necessity for processing.
The performance of the balancing test.
Here are some links you can refer to for additional reading on the GDPR: