The text in this article may include ControlShift's interpretation of the GDPR and/or interpretations we've heard from other organizations. This article should not be considered legal advice. Please seek independent legal counsel to ensure your compliance with the new regulations.
GDPR + ControlShift
The EU's General Data Protection Regulation (GDPR) is in effect as of 25 May 2018. If your organization processes the data of EU data subjects, whether your organization is based in the EU or not, you may be subject to the GDPR. If your organization is unsure about its responsibilities under the GDPR, ControlShift strongly recommends that you seek legal advice. This legal advice should cover both your use of ControlShift and any other tools/processes that involve the processing of EU data subjects' information.
At ControlShift, we've attempted to split the main parts of the law into a few broad areas. Within these areas there are general policy questions (e.g. how does your organization plan to deal with the requirements in this area) and technical questions (e.g. what software do you need ControlShift to build to help keep you in compliance). As a data processor who acts on your organization's instructions, and given the broad range of legal interpretations we've heard, it is essential that organizations communicate with us regarding their requirements.
Please see this series of GDPR documents as a starting point. This reflects ControlShift's current functionality, and we're happy to discuss it in more detail. If your legal counsel's recommendations include features or processes that are not included in these documents, please email us.
The broad buckets that we've broken GDPR into are:
- Data Processing Consent
- Communications Consent
- Data Deletion (Right to be Forgotten)
- Data Portability
- Consent Migration
Outside of technical specifics, this section also includes a list of our current subprocessors. We'd recommend that organizations click to Follow the subprocessors article (from the top right corner, next to author information). Following an article means that you'll receive notifications if the article is updated. If we're updating any of our subprocessors, the changes will be posted in that article.
Finally, ControlShift customers who are processing information about EU data subjects may wish to sign ControlShift's GDPR Data Processing Agreement, which covers ControlShift's processing of personal data under GDPR on behalf of our customer organizations. If your organization has not already signed our DPA and wishes to do so, please send us an email that includes your organization's legal name and the name and email address of the appropriate signatory.
The GDPR has numerous requirements and hefty fines for non-compliance. The information included here is not legal advice, and we strongly recommend that all organizations using ControlShift seek legal counsel to ensure that they comply with the GDPR and all relevant laws.