Key Changes Coming With The EU General Data Protection Regulation

Update March, 2018: LiveAgent is fully GDPR compliant

A new data protection law is coming into force in the EU: the EU General Data Protection Regulation (GDPR).

It is intended to increase the level of protection around the personal data of EU citizens, and to tighten the rules around how that data can be transferred and stored overseas. Another primary goal of the GDPR is to unify the law across the EU region: previously, each EU country was required to implement local laws to comply with the EU Data Protection Directive, which left uncertainties for providers operating region-wide.

For users of LiveAgent, you need to be aware of the changes that the GDPR will make now that it is coming into force soon, as while EU law may not have affected you before, it may do so now.

Who the GDPR Applies To

The GDPR applies to all data controllers and processors dealing with the data of EU citizens, also known as “data subjects”. Previously, EU laws applied only to EU-based businesses dealing with the data of EU citizens; now, it applies to all data controllers, not just those based in the EU.

Data controllers are people, bodies, companies, or agencies that determine what data will be collected, for what purpose, and how it will be done. At a basic level, data controllers are the people or companies collecting data for some purpose (such as creating a customer profile). Data controllers will include people using tools such as LiveAgent to collect customer data.

Data subjects are the people who can be identified, directly or indirectly, by way of the information collected about them. That information may be something like their location data, an online identifier (like a helpdesk ID) or information about their physical, genetic, mental, economic, cultural or social identity.

One way in which the personal data of an EU citizen could be collected when using LiveAgent is when you build a database of contacts, their information, and business dealings with them (i.e. a CRM system). Not all customers will be “data subjects”, as data subjects are only individuals. Some of your customers may be businesses or government organisations, which the GDPR does not apply to. In addition, not all of the data you collect about your customers will be “personal data”. Nonetheless, it’s important to assess your data collection practices in light of these recent changes to the law.

If you are using LiveAgent or any other program with CRM and information storage capabilities, you should be aware of the changes made by the GDPR.

The Role of the Data Protection Officer

The Data Protection Officer (DPO) is a new role established under the GDPR. A DPO needs to be established by some types of businesses who deal with the personal data of data subjects.

The DPO role is necessary if your business collects and processes data on a large scale. You also must establish a DPO if your organisation collects “sensitive” information such as racial or ethnic origin, political opinions, or religious or philosophical beliefs. The DPO will perform duties such as setting up training sessions for your staff, creating data protection policies, and providing internal compliance updates so that your business can stay on track.

Storing Data Outside the EU

You also need to be careful about where you store the information you collect. For the data of EU citizens, you can only store it in certain countries. This was also the case under the EU Data Protection Directive (the previous law), but the penalties now for non-compliance are much stricter. So far, the permitted countries outside the EU are Andorra, Argentina, Canada, Faeroe Islands, Guernsey, Israel, Isle of Man, Jersey, New Zealand, Switzerland, and Uruguay. All EU countries are also included in the permitted countries list automatically.

The EU Commission had previously stated that the US was a permitted country due to the US-EU Safe Harbor agreement. However, this agreement was recently struck down.

A new agreement has recently been put in place between US and the EU, called the EU-US Privacy Shield. The EU Commission approved this agreement on 2 February 2016, but the Privacy Shield is still facing criticism from various parties. Both privacy advocates and lawyers have stated that it is not sufficiently clear and does not outline in enough detail how it will protect consumers, which means that some changes to the Privacy Shield may still be in the works.

Developments in this area need to be watched carefully, to ensure that as new changes are brought in you are aware of what your obligations are if you are storing the data of EU citizens in the US.

Increase in Penalties

As noted, the GDPR also comes with an increase in penalties for those who infringe its provisions, up to a total of 4% of the business’ global turnover. This is quite a hefty fine, for each violation, so if you intentionally flout the provisions of the GDPR and deal with the data of multiple customers incorrectly, you could be on the hook for massive amounts of money.

What do Users of LiveAgent Need to Do?

The first thing you need to do is ensure that you have a comprehensive Privacy Policy set up. It needs to cover:

• Who you are
• That you will collect and process personal data fairly and only for specific (and stated) purposes
• What you are collecting
• How customers can keep their personal data up to date and accurate
• Your contact details as well as the details of your DPO
• Why customer data is being collected, and how long it will be kept for
• How the customer can access the data, update it or have it removed
• The contact details of the supervisory authority
• Whether the data will be transferred outside of the EU, and if so, where it is going and how well it will be protected

Ensure that you get agreement to your Privacy Policy in a legally binding way, by displaying it using a clickwrap method. Clickwrap is where the user shows their consent by clicking “I agree to the Privacy Policy”. The easiest way to do this on your website is to include a checkbox in your user sign-up forms or other web forms.

Here’s an example of this from Drupal.org:

Be aware that the Privacy Policy and Terms of Use are both clearly hyperlinked in the image from Drupal above. This is because one requirement of having a legally binding agreement with your users is that the appropriate document is clearly brought to their attention when they agree to it.

For users of LiveAgent, you could get agreement to your Privacy Policy when a customer signs up to your mailing list, or when you send them initial contact via email. If you first gather their details over the phone, let them know you’ll be sending a follow-up email with important Privacy information in it.

Next, ensure that you appoint a DPO and EU representative if appropriate for your business. Finally, make a note to check where your data is stored – is it in a suitable country, or do you need to change cloud providers?

Conclusion

Complying with the GDPR is something that all users of LiveAgent need to have on their radars. Compliance measures for many will be simple, and will be little more than implementing a good Privacy Policy. Others will need to appoint a DPO and an EU representative, and may need to assess reputable cloud providers if they are currently storing data outside an EU-approved country.

Andrej Csizmadia

Our website uses cookies. By continuing we assume your permission to deploy cookies, as detailed in our privacy and cookies policy.