Nudge.ai GDPR Whitepaper
What you need to know about GDPR, what Nudge.ai is doing, and how we can help you in your compliance efforts.
Note: this guide is for informational purposes only, and should not be relied upon as legal advice. You will need to work with your own counsel to determine how the GDPR will affect your organization and what steps you should take in complying.
- What is the GDPR?
- Who is affected by the GDPR?
- What data is affected?
- What is “processing” data?
- How is the GDPR different from the Directive?
- Can data cross borders?
- What are the penalties for non-compliance?
- What are “data controllers” and “data processors”?
- Is Nudge certified as compliant with the GDPR?
- How can Nudge assist in your GDPR compliance efforts?
- The GDPR, Challenges and Opportunities
What is the GDPR?
The GDPR (General Data Protection Regulation) is a European privacy law approved by the European Commission in 2016 and enforceable on May 25, 2018. The GDPR replaces, and expands significantly on, the prior European Union privacy directive known as Directive 95/46/EC (the “Directive”), which has been the basis of European data protection law since 1995. It is an attempt to strengthen and modernize EU data protection laws and to harmonize them across EU countries. It is designed around the European understanding of privacy as a fundamental human right.
There is no “grace period” after May 25, 2018, so it is important for organizations to understand their obligations.
Who is affected by the GDPR?
You will want to consult your own counsel to determine your obligations with respect to the GDPR, but the simple answer is that its scope is extremely broad. If your business has a corporate presence in the EU or is involved in obtaining, using, storing, or processing the personal data of any EU citizens, then it is very likely that the GDPR will affect you.
This concept of “extraterritoriality” (the effect on businesses that would not otherwise consider themselves “EU businesses”) means that the GDPR will have repercussions throughout the entire world.
What data is affected?
The GDPR defines personal data as any information relating to an identified or identifiable individual. This means any information that could be used, on its own or in conjunction with other data, to identify an individual.
The GDPR defines a special category of sensitive personal data, which includes data revealing racial or ethnic origin, political opinions, religious or philosophical beliefs, trade union membership, genetic data, biometric data, data concerning health or data concerning a natural person’s sex life or sexual orientation. Sensitive personal data is subject to significantly stronger rules and restrictions. Sensitive personal data should not be stored in Nudge.
What is “processing” data?
The GDPR defines processing as “any operation or set of operations which is performed on personal data or on sets of personal data, whether or not by automated means, such as collection, recording, organization, structuring, storage, adaptation or alteration, retrieval, consultation, use, disclosure by transmission, dissemination or otherwise making available, alignment or combination, restriction, erasure or destruction.” If you are collecting, managing, using or storing any personal data of EU citizens, this definition will likely capture those actions under the definition of processing within the meaning prescribed by the GDPR.
How is the GDPR different from the Directive?
While the GDPR preserves many principles established by the Directive, it introduces several important and ambitious changes. Some of the most notable include:
- Scope: The GDPR applies to all organizations established in the EU or processing data of EU citizens, thus introducing the concept of extraterritoriality, and broadening the scope of EU data protection law well beyond the EU borders.
- Data: Definitions of personal and sensitive data have been expanded.
- Individual Rights: EU citizens are given several important new rights under the GDPR, including the right to be forgotten, the right to object, the right to rectification, the right of access, and the right of portability. You must ensure that you can accommodate these rights if you are processing the personal data of EU citizens.
  - Right to be forgotten: An individual may request that an organization delete all data on that individual without undue delay.
  - Right to object: An individual may prohibit certain data uses.
  - Right to rectification: Individuals may request that incomplete data be completed or that incorrect data be corrected.
  - Right of access: Individuals have the right to know what data about them is being processed and how.
  - Right of portability: Individuals may request that personal data held by one organization be transported to another.
- Consent: Stricter requirements for consent form one of the fundamental aspects of the GDPR, and organizations must ensure that consent is obtained in accordance with the GDPR’s new requirements. Specifically:
  - Consent must be specific to distinct purposes.
  - Inaction or pre-selected checkboxes do not constitute consent.
- Processing: Individuals have the right to receive “fair and transparent” information about the processing of their personal data, including:
  - Contact details for the data controller
  - Limitation of purpose to the specific processing activity
  - Minimization of data required
  - Retention period limitation
  - Legal basis for processing the data (contract performance, consent, or the processing being in the organization’s “legitimate interest”)
Can data cross borders?
The GDPR permits personal data transfers to a third country or international organization subject to compliance with set conditions, including conditions for onward transfer. Similar to the framework set forth in the Directive, the GDPR allows for data transfers to countries whose legal regime is deemed by the European Commission to provide an “adequate” level of personal data protection. In the absence of an adequacy decision, transfers to non-EU states are still allowed under certain circumstances, such as by use of standard contractual clauses, binding corporate rules (BCRs), or Privacy Shield framework agreements (commonly seen for US based data processors).
Nudge houses its production data systems in a data center in Canada, a country that the European Commission accepts as having an adequate level of personal data protection.
What are the penalties for non-compliance?
The GDPR specifies enormous financial penalties. Penalties for non-compliance can be as high as EUR 20,000,000 or 4% of global revenue, whichever is higher.
What are “data controllers” and “data processors”?
If you access personal data, you do so as either a controller or a processor, and there are different requirements and obligations depending on which category you are in. A controller is the organization that determines the purposes and means of processing personal data. A controller also determines the specific personal data that is collected from a data subject for processing.
A processor is the organization that processes the data on behalf of the controller. The GDPR has not changed the fundamental definitions of controller and processor, but it has expanded the responsibilities of each party. Controllers will retain primary responsibility for data protection. The GDPR does, however, also place many direct responsibilities on the processor.
The Nudge production application and related services act as a data processor within this environment. Customers of Nudge are the data controllers.
Our customers, for example, decide what data to upload, sync, or transfer into their Nudge account, and direct Nudge, through the application, to perform certain processing actions on that data. You must lawfully obtain and process any personal data that you wish Nudge to assist in processing.
You should review the privacy statement and practices applicable to your organization and ensure that they provide proper notice and consent that the personal data you collect will be processed in the ways that you plan to process it. For example, you may want to consider updating your privacy statement to include language that specifically identifies Nudge as one of your processors and delineates the applicable processing activities performed by Nudge.
The data processing activities performed by Nudge on your behalf that you may want to specify include: storing contact information for ease of recall, measuring relationship strength, collecting contacts into lists for purposes of strategy, focus, or analytics, and monitoring news and social sources for relevant insights and mentions.
Nudge also maintains relationships with sub-processors (who, as described in our Data Processing Agreement, perform some critical services, such as sending emails and appending additional data that is relevant to building sales relationships).
Is Nudge certified as compliant with the GDPR?
At the present time, there is no such thing as a “certification” that the GDPR acknowledges or provides. However, Nudge is committed to the strong data privacy and security principles that the GDPR emphasizes, many of which Nudge instituted before the GDPR was enacted.
Nudge’s GDPR preparation started well in advance of the May 25th, 2018 deadline, and as part of that overall process we are reviewing (and updating where necessary) all of our internal processes, procedures, data systems, and documentation to ensure that we are ready when the GDPR goes into effect.
While much of our preparation is happening behind the scenes, we are also working on a number of initiatives that will be visible to our users. Some of those visible initiatives include:
- Updating our Data Processing Agreement to meet the requirements of the GDPR in order to permit you to continue to lawfully transfer EU personal data to Nudge and permit Nudge to continue to lawfully receive and process that data
- Updating our third-party vendor contracts to meet the requirements of the GDPR in order to permit us to continue to lawfully transfer EU personal data to those third parties and permit those third parties to continue to lawfully receive and process that data
- Analyzing all of our current features and processes to determine whether any improvements or additions can be made to make them more efficient for those users subject to the GDPR
- Evaluating potential new GDPR-friendly features to add to our application.
Nudge maintains, and plans to continue maintaining, our production data centers in Canada, which allows the lawful transfer of EU personal data to Canada based on Canada’s acceptance as having adequate data protection laws.
Nudge is prepared to help our users, and the people they serve, establish more control over their data privacy by addressing each of the specific expanded individual rights under the GDPR:
- Right to be forgotten: Nudge users may delete their Nudge account at any time. Should they choose to, we will permanently delete their account and the data associated with it. Individuals who wish to ensure that data on them is removed from Nudge directly may make that request by contacting us at firstname.lastname@example.org.
- Right to object: Nudge users control which data processing actions Nudge performs on their behalf through the application. Individuals who wish to object to any processing of data on them that Nudge users may hold may make that request by contacting us at email@example.com.
- Right of portability: Nudge customers may export the lists that they have created within Nudge at any time.
How can Nudge assist in your GDPR compliance efforts?
As a data processor, Nudge can help contribute to your GDPR compliance efforts.
Nudge helps you give EU citizens complete control over their private data and respond promptly to requests made under their expanded individual rights under the GDPR:
- Right to be forgotten: You may delete any data that Nudge is processing for you on specific individuals upon their request at any time by contacting us at firstname.lastname@example.org.
- Right to object: To stop Nudge from processing individual contacts on your behalf, simply delete the data that Nudge is processing for them, or contact us at email@example.com.
- Right to rectification: You may flag data on any contact as being incorrect and include the corrected information. Flagged data will be processed by Nudge and updated to corrected values.
- Right of portability: Nudge customers may export the data they hold in lists at any time within the Nudge application using the export feature.
The GDPR, Challenges and Opportunities
The GDPR becomes enforceable on May 25, 2018. It sets a high bar for global privacy rights and compliance. However, organizations that respect their constituents’ data and treat it with care will see lasting benefits in trust and relationship quality.
Nudge is ready to assist in this effort. The details contained in this document should answer many of the questions around how and what can be done. If there are further questions, areas that this document does not address, or points where clarification is needed, please do not hesitate to reach us at firstname.lastname@example.org.