The GDPR is now the reference text on personal data protection in the EU. Although it is a European regulation, it applies to every company processing the personal data of individuals located in the EU, whether that company is based in Europe or not.
Adopted by the European Parliament on April 14th, 2016, it has applied since May 25th, 2018, and it covers all personal data, whether collected before or after that date. The sanctions for non-compliance have also been considerably strengthened: fines of up to 10 million euros or 2% of worldwide annual turnover, whichever is higher, and, for the most serious infringements (such as breaching the basic principles of processing or the rights of data subjects), up to 20 million euros or 4% of turnover.
One of the most important aspects of this regulation is accountability: you must document your choices and inform your clients of them. For more information, the full text of the General Data Protection Regulation is available here.
You must understand personal data to understand GDPR
To understand GDPR, you must understand what personal data is, what can be done with it and, above all, what must be done with it. The regulation defines personal data as “any information relating to an identified or identifiable natural person”, in other words any information that allows a natural person to be identified, directly or indirectly.
Some data are sufficient on their own. If you hold a person’s full name or their social security number, you can clearly identify them. Other data, such as a postal address or a phone number, do not necessarily identify a specific person by themselves; they have to be combined with other data for the person to be identified.
In both cases you hold personal data, but not of the same sensitivity. Working out how sensitive the personal data you hold is tells you how it must be processed and which safeguards to put in place.
The GDPR is made up of 99 articles. If that seems a bit indigestible, shorter summaries explaining the crucial points of the regulation are available. We chose to talk about these 4 points because, to us, they are indispensable to know and to put in place in order to be “GDPR friendly”!
Every company must be able to demonstrate that the persons whose data it collects gave their consent, systematically and for a specific purpose. If the use made of the data changes, consent must be asked for again. It is therefore essential that all your contact lists are opt-in, so that your SMS sendings comply with the law.
The obligation to secure the data rests on both the controller and the processor, in other words on the company and on the subcontractor processing data on its behalf. Service providers and subcontractors can be held liable in the same way as the company they work for, and the GDPR requires a contract between them. That is why we have contracts with our service providers and subcontractors that guarantee the security of your data during SMS sendings.
Data cannot be kept indefinitely. Each category of data must have a maximum retention period, communicated to your clients; once it is exceeded, the data must be deleted. Data must also be erased when a client asks for it. If a client unsubscribes from your SMS sendings, their number must automatically be removed from all your contact lists.
The portability of the data a company holds must be ensured: on request, a client must be able to get all of their data back in a structured, commonly used, machine-readable format, so that it can be transferred from one controller to another without difficulty. So if you want to change SMS platform, you can retrieve all your data and transfer it easily.
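The four obligations above (demonstrable consent per purpose, a retention limit, erasure and unsubscribe propagated to every list, and a portable export) translate directly into controls on a contact store. The following is an added example written for this page, not the platform’s own code: a hypothetical in-memory `ContactStore` for SMS lists, with constructed sample contacts. The salted-hash suppression list for opted-out numbers is a design assumption (it lets the store refuse a later re-import of an unsubscribed number without keeping the number itself), and the salt shown is a placeholder.

```python
import hashlib
import json
from dataclasses import dataclass, field
from datetime import datetime, timedelta, timezone


@dataclass
class Consent:
    """Proof of one opt-in: the controller must be able to show it later."""
    purpose: str        # e.g. "marketing_sms"; a new purpose needs a new consent
    given_at: datetime
    source: str         # how the opt-in was captured, e.g. "signup form v3"


@dataclass
class Contact:
    phone: str
    name: str
    last_activity: datetime        # the retention clock starts here
    consents: list = field(default_factory=list)


class ContactStore:
    def __init__(self, retention: timedelta):
        self.retention = retention
        self.lists: dict = {}      # list name -> {phone: Contact}
        # Opted-out numbers survive only as salted hashes (assumed secret salt),
        # so a later re-import cannot silently undo an unsubscribe.
        self._suppressed: set = set()
        self._salt = b"example-salt-not-for-production"

    def _fingerprint(self, phone: str) -> str:
        return hashlib.sha256(self._salt + phone.encode()).hexdigest()

    def add(self, list_name: str, contact: Contact) -> bool:
        """Add a contact unless the number has opted out; return whether it was added."""
        if self._fingerprint(contact.phone) in self._suppressed:
            return False
        self.lists.setdefault(list_name, {})[contact.phone] = contact
        return True

    def may_send(self, list_name: str, phone: str, purpose: str, now: datetime) -> bool:
        """Consent must exist for this exact purpose and the data must be within retention."""
        contact = self.lists.get(list_name, {}).get(phone)
        if contact is None or now - contact.last_activity > self.retention:
            return False
        return any(c.purpose == purpose for c in contact.consents)

    def unsubscribe(self, phone: str) -> int:
        """Remove the number from every list; return how many lists held it."""
        removed = sum(1 for contacts in self.lists.values() if contacts.pop(phone, None))
        self._suppressed.add(self._fingerprint(phone))
        return removed

    def purge_expired(self, now: datetime) -> list:
        """Delete every contact whose retention period has elapsed; return their numbers."""
        purged = []
        for contacts in self.lists.values():
            for phone in [p for p, c in contacts.items() if now - c.last_activity > self.retention]:
                del contacts[phone]
                purged.append(phone)
        return purged

    def export(self, phone: str) -> str:
        """Portability: everything held about one number, as machine-readable JSON."""
        record = {}
        for list_name, contacts in self.lists.items():
            c = contacts.get(phone)
            if c is not None:
                record[list_name] = {
                    "name": c.name,
                    "last_activity": c.last_activity.isoformat(),
                    "consents": [{"purpose": k.purpose, "given_at": k.given_at.isoformat(),
                                  "source": k.source} for k in c.consents],
                }
        return json.dumps({"phone": phone, "lists": record}, indent=2)


def demo() -> dict:
    """Run the controls over constructed sample contacts (not real data)."""
    now = datetime(2018, 6, 1, tzinfo=timezone.utc)
    store = ContactStore(retention=timedelta(days=3 * 365))
    alice = Contact("+33600000001", "Alice", now - timedelta(days=10),
                    [Consent("marketing_sms", now - timedelta(days=10), "signup form v3")])
    bob = Contact("+33600000002", "Bob", now - timedelta(days=4 * 365),
                  [Consent("marketing_sms", now - timedelta(days=4 * 365), "paper form")])
    store.add("newsletter", alice)
    store.add("promo", alice)
    store.add("newsletter", bob)
    return {
        "alice_marketing": store.may_send("newsletter", alice.phone, "marketing_sms", now),
        "alice_survey": store.may_send("newsletter", alice.phone, "survey_sms", now),  # new purpose
        "bob_marketing": store.may_send("newsletter", bob.phone, "marketing_sms", now),  # too old
        "purged": store.purge_expired(now),
        "alice_export": json.loads(store.export(alice.phone)),
        "alice_unsubscribed_from": store.unsubscribe(alice.phone),
        "alice_readded": store.add("promo", alice),
    }
```

Calling `demo()` shows each control in action: Alice can receive marketing SMS but not a survey she never consented to, Bob is refused and then purged because his data is past the retention period, Alice’s export lists both lists and the consent proof behind them, and after she unsubscribes she is removed from both lists and cannot be re-imported.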
As seen above, you too may hold personal data: your clients’ phone numbers, their names, or even more sensitive data such as information about their health. In that case it is important to secure that data and to comply with the regulation. Whatever data you hold, do not forget that you must obtain your clients’ explicit consent for the data you collect and the use you are going to make of it.
For instance, all your contact lists must be opt-in: your clients must have agreed to receive commercial offers or SMS notifications from you before you can send them SMS campaigns.