The new European regulation on personal data protection, which will come into force in May 2018, will have significant consequences for all companies.
The European Union has adopted a new personal data protection regulation that comes into effect in May 2018. This new regulation aims to strengthen the control that individuals have over their personal data, while imposing new obligations on companies. What are the main changes being introduced by this new European regulation? How should you prepare for it?
Why is there a new data protection regulation?
A new European regulation on personal data protection – the General Data Protection Regulation (GDPR) – was adopted in April 2016 and comes into effect on 25 May 2018.
Initiated by the European Union, this regulation will result in significant changes to the collection and use of data. It pursues several objectives:
- To standardize personal data protection legislation at a European level.
- To provide European individuals with increased protection for and control over their data.
- To adapt the legal framework to the development of new and digital technologies. The GDPR replaces the 1995 Data Protection Directive (95/46/EC).
This regulation will have to be implemented by all companies that collect and process personal data.
The regulation defines personal data as "any information relating to an identified or identifiable natural person", whether the person is identified directly (for example, by a name) or indirectly (by an email address, telephone number, online identifier, etc.).
The GDPR affects European companies as well as non-EU companies that process the personal data of individuals located in the EU.
MyFeelBack : GDPR-Ready!
Discover how to ensure your MyFeelBack campaigns are in line with the GDPR.
01 | The means deployed to secure the data
This involves implementing data security policies that are adapted to the risks you have identified, covering privacy, the handling of security breaches and related matters.
>> In your MyFeelBack account
A. Request a copy of the ISSP
To obtain your copy of the Information Systems Security Policy (ISSP), contact your dedicated Success Manager directly via the contact bubble in your MyFeelBack account.
1. Click on the contact bubble.
2. Submit your request for a copy of the ISSP.
B. Encrypt certain sensitive data
To encrypt sensitive data relating to your respondents, select each attribute individually in the Tracking > Attributes menu and set the option “Encrypt this attribute” to Yes.
02 | Data collection controls
Limit your data collection to the customer data that are strictly necessary for your project, including response analysis, the actions triggered after each response and re-integration into your software ecosystem. You must also limit the data retention period and inform your customers of the duration you have chosen.
MyFeelBack applies a standard 24-month data retention period, after which the data are anonymised and archived. This period can be shortened on request to your account manager to meet your requirements.
Before the expiry of this period, we suggest that you export your account data in CSV format by generating a custom export. For assistance with this, you can read the article “Export your data".
>> In your MyFeelBack account
A/ Inform your respondents.
To do this, go to the menu Settings > Deployments > Additional content.
Use the header, footer and info button to display custom texts (for example, the retention period you have chosen).
B/ Enable or disable the respondent’s IP location.
This can be useful, for example, for a localised service search.
Go to the Deployments menu, open your deployment followed by the Settings for your deployment, and then check or uncheck IP location.
When IP location is not required for your project, we recommend that you deactivate it.
03 | Strengthening the obligations relating to prior information and consent.
You must be very clear about the purpose of your data collection and get the explicit consent of your contacts (opt-in).
>> In your MyFeelBack account
Add an Opt-in question to your surveys and specify how the collected data will be used in the future. To include such a question in your campaign, click Add element, then, in the Free Field category, select the Opt-in element.
You can detail the collected data’s intended use by simply entering an explanatory note in the Help Text field.
04 | Means for meeting traceability requirements
A. Conduct an impact analysis (PIA)
If you have identified personal data processing that is likely to result in a high risk to the rights and freedoms of individuals, you must carry out a Data Protection Impact Assessment (DPIA, also called a Privacy Impact Assessment or PIA). To help you do so, the CNIL (French Data Protection Authority) has designed a diagram to help you understand your obligations.
B. Map your personal data processing activities
The GDPR requires you to keep records that accurately detail the personal data processing activities you undertake. Keeping a record of processing activities lets you stay up to date with how your data is used (more information is available on the CNIL website).
The processing details for your collected data can be accessed directly within each of your campaigns. Just open your Campaign and you will then find all the processing activities undertaken before, during and after your data collection under the different tabs.
Each tab (content, actions, segments, deployments, stats) answers a different question about your processing, which makes it easy to fill out your records.
Example: in the Actions tab, the Feed an application action shows which data derived from your participants' responses is sent to your CRM.
Once this information has been identified, all you have to do is complete the data processing record sheet with the details available in your MyFeelBack account.
The GDPR also:
- Strengthens the power individuals have over their own personal data.
The regulation provides an option for people to retrieve their data for reuse (data portability). It also defines a right of access, a right of rectification and a right to erasure (“right to be forgotten”).
Contact the support department to start the procedure for permanently deleting the data of an individual who has asked to exercise their right to be forgotten.
- Protects individuals against abusive profiling.
Any given person has the right to be informed of the existence of profiling.
The new regulation also provides for the right not to be subject to a decision based solely on automated processing.
Are you a customer or prospective customer?
Contact us! We are at your disposal to answer any questions you have about your GDPR compliance.