At CollegePlannerPro, our entire organization is hard at work ensuring that our own practices are GDPR-compliant. But equally important to us is helping you understand what the GDPR means for your business and build compliant processes of your own.
What is GDPR?
GDPR, or the General Data Protection Regulation, is a new set of laws aimed at enhancing the protection of EU citizens’ personal data and increasing the obligations of organizations to handle that data in transparent and secure ways. The GDPR applies not only to EU-based businesses but also to any business that stores or processes the data of EU citizens. The GDPR goes into effect on May 25th, 2018.
DISCLAIMER: This article is not legal advice for your company to use in complying with EU data privacy laws like the GDPR. Instead, it provides background information to help you better understand how the GDPR affects you. This legal information is not the same as legal advice, where an attorney applies the law to your specific circumstances, so we insist that you consult an attorney if you’d like advice on your interpretation of this information or its accuracy. In a nutshell, you may not rely on this article as legal advice, nor as a recommendation of any particular legal understanding.
I work with clients in the EU. What do I need to know?
Let's start with a hypothetical scenario that includes key GDPR terminology:
Sophia Loren is a contact of yours who resides in the European Union. She is called a "Data Subject" and your company (let's call it XYZ Consulting) is called the "Controller" of that data. Because you are a CollegePlannerPro member, CollegePlannerPro acts as the "Processor" of Sophia's data on behalf of XYZ Consulting. With the introduction of the GDPR, data subjects like Sophia are given an enhanced set of rights, and controllers and processors (XYZ Consulting and CollegePlannerPro, respectively) are given an enhanced set of obligations.
Now that we have established an example, let's look at the key elements of the GDPR, how they impact you, and what you can do to protect yourself:
Lawful Basis of Processing
Under the new regulations, you need to have a legal reason to use Sophia's data, and you need to be able to identify the specific legal reason for any given contact. Some examples of legal reasons:
- Consent - Sophia opted into receiving marketing emails from you.
- Customer - Sophia is a customer of yours and you want to send her an invoice.
One type of lawful basis of Data Processing is consent with proper notice. In order for Sophia to grant consent under the GDPR, a few things need to happen:
- Notice - She needs to be told what she is opting into.
- She needs to affirmatively opt in.
- The consent needs to be granular, meaning it needs to cover each of the ways you process and use Sophia's personal data separately (e.g. marketing emails and sales calls).
- You must log auditable evidence of what Sophia has consented to, what she was told, and when she consented.
- Individuals under the age of 16 cannot provide their own consent. A parent or legal guardian must consent on their behalf.
Click here to learn more about the GDPR Tools module CollegePlannerPro has built to help you keep track of consent from Contacts, Parents, and Students.
Withdrawal of Consent
Sophia needs the ability as a Data Subject to see what she has consented to and withdraw her consent at any time.
There are many sites offering free website widgets to help comply with these new regulations. A quick Google search should yield a number of options. As always, do your due diligence before making your selection.
Sophia has the right to request that you delete all the personal data you have about her. The GDPR requires the permanent deletion of Sophia's information within 30 days of her initial request.
Just as Sophia can request that you delete her data, she can also request access to the personal data you have about her. Personal data is anything that can identify her, like her name and email address. If she requests access, you as the "Data Controller" need to provide the data, in some cases in a machine-readable format (e.g. CSV or XLS).
Should you receive a request from a Contact, Parent, or Student for access to data you have saved within your CollegePlannerPro account, contact us at firstname.lastname@example.org for further assistance.
Sophia can also request that you modify her personal data if it's inaccurate or incomplete. If and when she does, you need to be able to accommodate that modification request.
Students with active CustomCollegePlan accounts can in most cases make the modifications to their personal data themselves. Parents and Contacts will need to contact you directly to make any modifications.
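As an added example (not code from CollegePlannerPro, its GDPR Tools module, or the GDPR text itself), the following Python sketch models the record-keeping that the consent checklist and the withdrawal, deletion and access sections above call for: each consent is stored per purpose with the exact notice shown, who gave it and when; under-16 subjects are refused unless a parent or guardian is named; withdrawal closes the consent without deleting the audit trail; a lawful-basis lookup answers "may I process this contact for this purpose right now?"; an access request is answered with CSV; and an erasure request removes the record and reports the 30-day deadline. `ConsentLedger`, the field names, the e-mail addresses and all dates are constructed for illustration.

```python
from __future__ import annotations

import csv
import io
from dataclasses import dataclass, field
from datetime import date, datetime, timedelta, timezone
from typing import Optional

ERASURE_DEADLINE_DAYS = 30   # figure stated in the article
CONSENT_MIN_AGE = 16         # figure stated in the article


@dataclass
class Consent:
    purpose: str                     # one granular purpose, e.g. "marketing_email"
    notice: str                      # exact wording shown to the subject (auditable evidence)
    granted_at: datetime
    granted_by: str                  # the subject, or a named parent/guardian for a minor
    withdrawn_at: Optional[datetime] = None


@dataclass
class Subject:
    email: str
    name: str
    birth_date: date
    customer: bool = False           # True when a contract (e.g. invoicing) is the basis
    consents: list[Consent] = field(default_factory=list)


def age_on(birth: date, when: date) -> int:
    return when.year - birth.year - ((when.month, when.day) < (birth.month, birth.day))


class ConsentLedger:
    """Hypothetical in-memory store of data subjects and their consent history."""

    def __init__(self, subjects: list[Subject]) -> None:
        self.subjects: dict[str, Subject] = {s.email: s for s in subjects}

    def record_consent(self, email, purpose, notice, when, guardian=None) -> Consent:
        subject = self.subjects[email]
        if age_on(subject.birth_date, when.date()) < CONSENT_MIN_AGE and guardian is None:
            raise PermissionError("subject is under 16: a parent or guardian must consent")
        consent = Consent(purpose, notice, when, guardian or email)
        subject.consents.append(consent)
        return consent

    def withdraw(self, email: str, purpose: str, when: datetime) -> int:
        # Close every active consent for this purpose; the record itself stays for audit.
        hits = [c for c in self.subjects[email].consents
                if c.purpose == purpose and c.withdrawn_at is None]
        for c in hits:
            c.withdrawn_at = when
        return len(hits)

    def lawful_basis(self, email: str, purpose: str) -> Optional[str]:
        # Name the basis that currently permits this processing, or None if there is none.
        subject = self.subjects[email]
        if purpose == "invoice" and subject.customer:
            return "contract"
        if any(c.purpose == purpose and c.withdrawn_at is None for c in subject.consents):
            return "consent"
        return None

    def export_csv(self, email: str) -> str:
        # Access request: everything held about the person, as machine-readable CSV.
        subject = self.subjects[email]
        buf = io.StringIO()
        writer = csv.writer(buf)
        writer.writerow(["field", "value"])
        writer.writerow(["name", subject.name])
        writer.writerow(["email", subject.email])
        for c in subject.consents:
            status = f"withdrawn {c.withdrawn_at.isoformat()}" if c.withdrawn_at else "active"
            writer.writerow([f"consent:{c.purpose}", f"granted {c.granted_at.isoformat()} "
                             f"by {c.granted_by}; notice={c.notice!r}; {status}"])
        return buf.getvalue()

    def erase(self, email: str, requested_at: datetime) -> datetime:
        # Erasure request: drop the record and return the latest permitted completion time.
        del self.subjects[email]
        return requested_at + timedelta(days=ERASURE_DEADLINE_DAYS)


def demo() -> dict:
    # Constructed sample run (not real people): Sophia, a customer, and a 13-year-old.
    ledger = ConsentLedger([
        Subject("sophia@example.org", "Sophia Loren", date(1990, 9, 20), customer=True),
        Subject("minor@example.org", "A. Minor", date(2005, 1, 15)),
    ])
    t0 = datetime(2018, 6, 1, 9, 0, tzinfo=timezone.utc)
    ledger.record_consent("sophia@example.org", "marketing_email",
                          "Tick to receive our monthly newsletter", t0)
    out = {"basis_before": ledger.lawful_basis("sophia@example.org", "marketing_email")}
    ledger.withdraw("sophia@example.org", "marketing_email", t0 + timedelta(days=10))
    out["basis_after"] = ledger.lawful_basis("sophia@example.org", "marketing_email")
    out["invoice_basis"] = ledger.lawful_basis("sophia@example.org", "invoice")
    try:                       # a 13-year-old cannot consent on her own
        ledger.record_consent("minor@example.org", "marketing_email", "newsletter", t0)
        out["minor_blocked"] = False
    except PermissionError:
        out["minor_blocked"] = True
    out["export"] = ledger.export_csv("sophia@example.org")
    out["erasure_days"] = (ledger.erase("sophia@example.org", t0) - t0).days
    return out
```

Two design points matter for audits: withdrawal sets `withdrawn_at` rather than deleting the `Consent`, so you can still show what Sophia agreed to, what she was told and when, even after she opts out; and `lawful_basis` is the single place a mail-merge or sales-call workflow should ask before touching a contact, so a withdrawn consent stops processing immediately instead of depending on someone remembering to clean a list.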