This is a copy of the email we sent to customers in June 2017.
We’re getting in touch because we’re a little less than a year away from the EU’s General Data Protection Regulation (GDPR) going into force. As an organization that collects the personal data of EU residents, you should be thinking about how your data processes may need to change in order to be compliant with the GDPR. We think most of our customers with members in the EU will need to change some aspect of how they operate before May 2018 when the new regulation goes into place.
If you haven’t already heard of the GDPR, here’s a quick summary: the processing of data about EU/EEA citizens is currently covered by Directive 95/46/EC. The Directive was adopted in 1995 and has various rules about the ways EU/EEA data can and cannot be processed, including restrictions on sending data to non-EEA countries. To allow organizations to remain compliant with the Directive while easily processing data in countries with weaker data privacy laws, certain mechanisms were created. These mechanisms include Binding Corporate Rules, Standard Contractual Clauses (Model Contracts), Safe Harbor – which was later invalidated – and Privacy Shield. In April 2016, the EU adopted the General Data Protection Regulation (GDPR), which will go into effect on 25 May 2018. The GDPR replaces the Directive, and like the Directive, it regulates the processing of personal data about EU residents*. Building on the spirit of the Directive, the GDPR has a larger reach, stricter regulations, and large fines for non-compliance. It is important that all organizations collecting and processing data about members in the EU understand the GDPR.
We aren’t legal experts, and we cannot offer you legal advice. However, more information about the GDPR, including the full text of the regulation, is available on the European Commision’s website: http://ec.europa.eu/justice/da
OK - now what?
This email is partially to ensure that the GDPR is on your organizational radar, and also to give you an overview of ControlShift’s interpretations and plans. We strongly recommend that organizations seek legal advice to ensure compliance with the GDPR and/or local laws. Once you have a clear understanding of how the GDPR will affect your organization, we’d recommend thinking about what steps you’ll need to take to ensure that all of your data systems – including ControlShift – are GDPR compliant. Just to reiterate: it’s likely that your organization will need to update its data collection and processing rules regardless of whether the data is collected via ControlShift or remains in the EEA for processing.
At ControlShift, our plans for helping our customers achieve GDPR compliance fall into three main buckets: technical changes, operational changes, and communication changes.
First, operational changes:
Transfers of EEA data to ControlShift (and therefore, the US) are currently governed by model contracts. These model contracts were drafted by the Article 29 Working Party, and include various provisions that allow for legal transfers of data from the EU to other countries under the Directive. Under the GDPR, model contracts should continue to be a legal basis for transferring data to the US.** (See: Article 46 of the GDPR.)
The GDPR sets out specific language that must be included in controller/processor contracts. (See: Article 28 of the GDPR.) Because of these requirements, we’ll probably need to execute new contracts with organizations that are processing EEA data. We’ll send you these new contracts once they’ve been finalized.
The GDPR requires that controllers and processors, in certain situations, appoint Data Protection Officers. (See: Article 37 of the GDPR.) The Article 29 Working Party has also released guidance on the DPO requirements, and it seems that ControlShift will need to appoint a DPO. Once we’ve appointed a DPO, we’ll let you know.
In addition to the DPO, the GDPR also requires that controllers and processors based outside of the EU appoint an EU-based legal representative. (See: Article 27 and Recital 80 of the GDPR.) This representative acts as a conduit to the local Data Protection Authorities and may be liable for non-compliance. This requirement, along with the DPO requirement, are some of the most onerous requirements for ControlShift. We’re working on a plan of action for compliance.
Our plans for compliance regarding the appointment of a Data Protection Officer and an EU-based legal representative as a Processor of personal data about EU residents does not obviate other requirements that you might have around appointing similar representatives as the Controller of EU data. As always, organizations operating in the EU should get their own legal advice about their data privacy regulation compliance.
For communication changes:
Under the GDPR, consent from members is more strictly defined than it is under the Directive. Specifically, the GDPR states that consent must be affirmative, informed, and specific. (See: Articles 6 & 7 and Recital 32 of the GDPR.) The GDPR specifically states that consent must be “given by a clear affirmative act” and “silence, pre-ticked boxes or inactivity” do not constitute consent. Given this new definition, your organization may wish review the current methods that you’re using to gain consent from data subjects. Based on our current understanding of the law, we’ll need to require explicit acceptance of TOS/data protection policies (vs. just not unchecking an opt-in box) before we allow an EEA user to sign a campaign or take other action on the site. As part of this compliance, the disclaimer/opt-in language that you use on your ControlShift platform will need to be specific in terms of how the data will be processed, that it will be sent outside of the EEA, etc. We can work with you to provide the information you’ll need when crafting this language. We plan to partner with customers to make sure that we evolve the product features to allow customers to meet these new informed affirmative consent requirements.
For technical changes, our current roadmap includes:
The GDPR requires that users be able to request copies of their personal data. (See: Articles 15 and 20 of the GDPR.) To meet that requirement, we’ll build new features provide access to per-user data exports that include all of the information we have about the user and the actions that they’ve taken on the platform.
The GDPR makes clear that it should be “as easy to withdraw as to give consent.” (See: Article 7 of the GDPR.) (For the right to erasure see Article 17 of the GDPR.) We already provide the ability for admins to delete a user's information/activity from the platform. We'll also require that EEA organizations appoint someone to take over orphaned assets (a setting which is required for users who've created petitions/events to be able to delete their accounts without needing admin account intervention).
We also have some still-open questions.
The GDPR states that consent should be given “for one or more specific purposes.” (See: Article 6 and Recital 39 of the GDPR.) The Article 29 Working Party has released additional guidance stating that consent should be clearly time-boxed, and the applicable time period should be communicated to the data subject when their consent is given. We're not yet clear on how specific this time period needs to be, which is especially problematic for campaigns that can be long running. It seems like 'until the heat death of the universe' will not be an acceptable time period, but we're looking into the best way to balance the GDPR's concerns and the nature of online campaigning. We’d love to hear from customers about how they are interpreting the data retention time period changes, and what product changes are needed to support those plans for compliance.
When reviewing the GDPR, we’d suggest that you pay close attention to Recital 171, which seems particularly problematic for our platform and the other systems you may be using to collect user information. Recital 171 states: "Where processing is based on consent pursuant to Directive 95/46/EC, it is not necessary for the data subject to give his or her consent again if the manner in which the consent has been given is in line with the conditions of this Regulation, so as to allow the controller to continue such processing after the date of application of this Regulation.”
With our current understanding, that means that once the GDPR comes into effect, processing of personal data can only continue if the initial means of consent was compliant with the GDPR. So data collected without an explicit, specific, informed, and affirmative consent – e.g. a disclaimer below the sign button, or a pre-checked opt-in box – cannot continue to be processed. How we deal with that existing data is something that we are currently working on an action plan for and would appreciate customer guidance on how you’re planning to approach this issue across your systems. Additionally, while it would be in the best interest of organizations to begin collecting specific, informed, and explicit consent as soon as possible, we don’t currently have a way of representing GDPR-compliant consent vs. Directive-compliant consent in our database or synchronizing those gradations of consent to other CRM systems.
Assuming our understanding is correct, and you need to get informed consent from every member who has taken action to continue storing their data, this may cause havoc for your organization’s ability to organize. It also runs counter to some fundamental assumptions the platform has made around our ability to keep signature data indefinitely to power things like the ability for petition starters to mail their signers or login to an account.
We also do not currently have a plan in place to allow you to mark which members have opted in to data processing via your other tools, but it seems like we'll need to work together to develop one before May 2018.
These are the actions we’re currently planning to take, but again we’d recommend seeking a legal review to ensure that you have a plan for compliance with the GDPR across all of your operations. We’re also almost a year away from the compliance deadline, so the situation is a bit fluid. It seems likely that the Working Party will release additional guidance before the GDPR goes into effect, and that might change or add to our roadmap for next steps. We’ll keep you in the loop as the work progresses and if our thinking changes.
We’d also reiterate that the changes to consent and data processing rules affect any systems that touch EEA data, not just EEA data that’s processed in the US. So while we’re thinking about how to get you compliant while using ControlShift, you should also be reviewing your other data storage and processing systems, as well as your in-house data processes.
If you have any questions, please let us know. Also, if you’ve already begun thinking about compliance under GDPR, we’d be interested in hearing how you’re approaching compliance generally and with your other systems. We’d like this to be the beginning of a conversation about how to achieve compliance together.
*EU vs. EEA data: Currently, the GDPR has only been adopted by the EU. However, like the Directive, the GDPR will likely be incorporated into the EEA agreement and will then apply to personal data from all EEA countries.
**Model contracts cont’d: We are aware of, and are keeping an eye on, 'Schrems II' which challenged the legality of the current model contracts as a basis for sending data out of the EU. The Irish DPC argued the case in Irish High Court in February, but the court reserved judgment in March and has not yet released a decision. If the model contracts are invalidated, we may need to move to a code of conduct or certification approval, depending on what's available.