General Data Protection Regulation (GDPR) is a European Union (EU) privacy regulation that was signed into law April of 2016. By May 25th 2018, businesses worldwide need to be in compliance.
GDPR makes EU privacy regulations far more expansive than they've been in the past. No matter where you are in the world, you need to become familiar with the changes in the law so you know its impact on your business.
ActiveCampaign will be in compliance ahead of the May 25th, 2018 deadline.
You may have questions about what it is and what it means. We've compiled a list of common questions to give you a heads up if you're out of the loop.
What do you have to do?
As far as your service with ActiveCampaign goes, you don't have to do anything. We'll take care of adapting ActiveCampaign to accommodate GDPR's terms before the May 25th, 2018 deadline.
However, we do encourage you to seek professional legal advice for how GDPR may impact your business in general. As you'll see below, there aren't many companies that do business online that aren't impacted by these new regulations.
Who does GDPR apply to?
Everyone. This isn't a regulation that only applies to organizations in the EU, as it was in the past. If you have a website and it's possible for an EU resident to visit, you're affected, so you need to know what is going on. It applies to businesses, non-profits, government agencies, and other organizations. It applies to organizations in the EU, organizations that offer goods and services in the EU, and any organization that collects data on EU residents. Everyone.
When do I need to comply?
May 25th, 2018.
What happens if I don't comply?
There are penalties and fines for not complying. It's not something you need to be scared of or worry about. Every business is in the same position as you and, as the deadline nears, you'll hear more and more about the changes you need to make. It's unlikely it will sneak up on you.
That being said, the fines are severe (up to 4% of revenue or $20 million), so it's definitely something you want to stay ahead of.
What personal data is GDPR concerned with?
The GDPR considers any data that can be used to identify an individual to be personal data. In addition to the information you'd expect, like phone numbers, email addresses, zip codes, purchase history, etc., the definition of personal data has been expanded to include:
- Data you'd get from analyzing a biological sample, such as genetic markers for diseases and disorders.
- Mental or physical health
  - All health records would be protected, including visits to the doctor, insurance information, psychological diagnoses, etc.
- Cultural, political, or religious
  - Political affiliation, for example, or whether someone is a member of a trade union.
- Employment status, employer, position, or compensation.
- Social information
  - Facebook friends, Instagram followers, tweets you've liked, events you've attended, etc.
There's very little data that isn't considered personal data and protected by the new regulations.
How can you get consent to obtain, store, and process personal data?
Consent statements can no longer be buried in pages of legalese. Rather, simple, straightforward language needs to be used when obtaining consent. These statements also need to make it clear how the information will be used.
From now on, organizations need to be able to prove that affirmative consent to collect and process data was given. This consent has to be specific to that data, and it must specify how the data will be processed. If the data will be processed in more than one way, each of those processes must be stated and affirmative consent must be given for each one. You can't have a single blanket statement that applies to all data and all processes. Organizations must obtain fresh consent before they can alter the way they are using data.
You'll need to obtain these permissions for EU residents, whether or not your business is based in the EU.
Also noteworthy is that the GDPR regulations apply to data that was collected in the past. Old data is not grandfathered in. You'll need to get fresh, affirmative consent for all the personal data you possess.
What is the “Right to be forgotten?”
Data must be deleted at the request of the data subject. In addition, organizations can only store data for as long as absolutely necessary, and they cannot use data for any purpose other than the one for which consent was obtained.
What is “Data Portability?”
The GDPR specifies that individuals can move, copy, and transfer their personal data across different services in a safe and secure way.
Will ActiveCampaign be using the EU-US privacy shield?
We'll have more information on this when we post an update later this year.
What changes will ActiveCampaign make to its platform to comply?
Details on the specific changes coming to the platform will be relayed by the end of this year. We're busy considering the impact of the regulation and how to best incorporate the necessary changes into our platform. We're being extremely thoughtful and careful so that we ultimately do what is best for you, our user, and your customers.
Rest assured, the ActiveCampaign platform will be fully compliant with GDPR in advance of the May 25th, 2018 deadline.
If you have additional questions about GDPR, we recommend that you get in touch with a qualified legal professional. We're unable to provide specific guidance on how you should prepare.
This is a commentary on GDPR as ActiveCampaign interprets it. This document is provided for informational purposes only and should not be relied on as legal advice or to determine how GDPR might apply to you and your organization. We encourage you to work with a qualified legal professional to discuss GDPR and its impact on your organization to ensure compliance. ActiveCampaign makes no warranties, express, implied, or statutory, as to the information in this document.