What is the GDPR?
The EU GDPR (General Data Protection Regulation) is a law that deals with data privacy in the European Union. As a regulation, rather than a directive, the GDPR is enforceable and carries large fines for non-compliance. Overall, the GDPR was created to further safeguard data privacy for citizens of the EU, while standardizing data privacy laws in Europe and changing how organizations manage data privacy.
How did Brexit affect the GDPR?
As of December 31, 2020, when the Brexit transition period came to a close, the EU GDPR no longer applies to the UK. Going forward, UK data protection will be regulated by the UK GDPR, which is largely the same as the EU GDPR. Learn more about the shift. FormAssembly is compliant with the UK GDPR, but it is up to applicable companies to make sure that their privacy policies, disclosures, and processes take into account and reference the UK GDPR as needed.
Who does the GDPR apply to?
The GDPR has significant extra-territorial reach, potentially extending to organizations worldwide. The GDPR applies to:
- Organizations in the EU which process data as part of their EU establishment (i.e., their legal and physical presence in the EU)
- Organizations that are outside of the EU (i.e., based in any location in the world) which process personal data as part of:
  - Offering goods or services to data subjects that are in the EU; or
  - Monitoring the behavior of data subjects in the EU.
Why is it important?
The GDPR significantly increases the existing level of fines for data privacy non-compliance. For the most serious breaches, fines may be as high as 4% of the total worldwide annual turnover or €20,000,000 (whichever is higher). Consequently, data privacy compliance is now as important as antitrust or anti-bribery and corruption compliance on the corporate compliance agenda.
Apart from headline fines, the GDPR’s expansive territorial scope is likely to result in the GDPR defining future global data privacy practices. Many of the GDPR’s provisions can be expected to become a “gold standard” and shape legislative and regulatory thinking across the world. In times of growing customer sensitivities over data privacy, being at the forefront of data privacy protection is an integral part of any business’ customer service. GDPR compliance is an essential first step.
What is new about the GDPR?
- New obligations
These include stricter requirements for gaining valid consent for collecting data; data breach notifications; the requirement to appoint a local representative in the EU to be the point of contact for EU individuals and EU regulators; and the requirement to appoint a Data Protection Officer. The new requirement for businesses to notify EU regulators (and, in certain circumstances, data subjects themselves) of data breaches within 72 hours of becoming aware of a personal data breach is an onerous new obligation and one which will be subject to substantive negotiation in data processing agreements.
- New processes
These include the increasing importance of data protection impact assessments; internal record-keeping and accountability; the implementation of robust information security measures, particularly anonymization and pseudonymization of data; and the incorporation of “privacy by design and default” principles into the heart of an organization’s operations. A substantial part of the negotiation of a data processing agreement is likely to concern data security standards and whether these standards are “adequate” as judged against the risk of the processing.
- New or enhanced rights for data subjects
These include the right to erasure (commonly known as the right to be forgotten), right to data portability, right to object to profiling, and the right to restrict processing. These new rights will require organizations to have the necessary technical and administrative systems and protocols in place to give effect to the rights within the timeframes and in the manner required by the GDPR. Data controllers (i.e., organizations that determine the purpose and means of processing) are therefore likely to require a much greater level of assistance and cooperation in data processing agreements so that they can comply fully with data subject right requests and other administrative requirements.
What rights does the GDPR include for individuals?
The GDPR covers several individual rights regarding the data that organizations collect, including “the right to be informed,” “the right of access,” and “the right to erasure.” View more information about these rights on ico.org.uk.
When did the GDPR officially go into effect?
The GDPR went into effect May 25, 2018.
What are the fines for not following requirements of the GDPR?
The maximum fine for GDPR non-compliance is 20 million euros or 4% of annual global revenue. Both data controllers and data processors could face these fines.
What does the GDPR mean for you as a FormAssembly customer?
Compliance with the GDPR is a shared responsibility between the Data Controller and the Data Processor. If the GDPR applies to you, FormAssembly is processing data on your behalf and per your instructions, which makes us the Data Processor, and you, the Data Controller.
As your Data Processor, we will enter into an additional agreement (the Data Processing Addendum) which contractually binds us to meet our Data Processing obligations to protect the rights of the data subjects.
We will also, to the extent possible, assist you in meeting your obligations under the GDPR, such as retrieving, editing or deleting personal data, or obtaining and preserving proof of consent when applicable.
What is FormAssembly doing to ensure GDPR-compliance?
FormAssembly’s robust Information Security procedures and policies are designed to meet the requirements of the GDPR and other strict requirements such as PCI Level 1 and the U.S. HIPAA regulation. Additionally, we provide an updated agreement that includes the legal provisions required by the GDPR.
By choosing FormAssembly as your Data Processor, you will meet your obligations under Article 28 of the GDPR to work with a Data Processor that implements appropriate technical and organizational measures and ensures the protection of the rights of the data subject.
Do you offer a Data Processing Agreement that addresses GDPR?
Yes. In addition to our standard Terms of Service and Master Service Agreement, a Data Processing Agreement is required for all customers in the European Union, or customers who qualify as a Data Controller under the GDPR. Customers affected by the GDPR must review and sign our Data Processing Addendum.
The Data Processing Addendum includes provisions between the Data Processor (FormAssembly) and the Data Controller (you, our customer) that are mandatory under the GDPR.
Please note that FormAssembly cannot make a determination as to which customers are affected by this regulation. Customers are invited to make their own determination and request our Data Processing Addendum as needed.
Is FormAssembly compliant with the EU-U.S. Privacy Shield Framework?
Can data be stored in EU data centers?
Yes, our Enterprise Cloud and Compliance Cloud customers have the option to have data stored in EU-based, ISO 27001-certified data centers, to facilitate compliance with data residency requirements. Note that data does not have to be stored in the EU for compliance with the GDPR.
What is informed consent, and can I gather it with a FormAssembly web form?
Under the GDPR, the requirement for consent is a “freely given, specific, informed and unambiguous indication of the data subject’s agreement to the processing of personal data” and must specifically cover all of the processing activities. Any request for consent must be in clear and plain language and easily distinguishable from other matters. The GDPR requires a “clear affirmative act,” which can be through an electronic signature, ticking a tick box, etc. Silence, pre-ticked boxes, or inactivity on the part of the user do not constitute consent.
We will provide further guidance on how to obtain consent through a web form, but ultimately, under the GDPR, FormAssembly is considered a Data Processor, and obtaining consent is the responsibility of the Data Controller (our customer).
Note that Informed Consent is one valid basis for lawful collection and processing of personal data, but there are others which are equally valid, including performance of a contract or the Data Controller’s “legitimate interests” (See Article 6 of the EU GDPR).
Will data be transferred out of my region at any time?
No. Your data will stay in the region you specify.
Disclaimer: This information is provided as-is, based on our best understanding of the information publicly available and our consultations with our legal counsel. This is not legal advice, and we cannot answer questions about your particular situation. You should consult with your own legal counsel if you have questions about your obligations under the GDPR.