GDPR is here. Ensure your company has a sound strategy around personal data collection!
ConnectWise has self-certified to the EU-U.S. Privacy Shield and has used Privacy Shield as the basis to transfer EU personal data to the US in compliance with the EU data protection requirements in the GDPR. On July 16, 2020, the Court of Justice of the European Union issued a judgment declaring the EU-U.S. Privacy Shield Framework is no longer a valid mechanism for such transfers. This decision does not relieve participants in the EU-U.S. Privacy Shield of their obligations under the EU-U.S. Privacy Shield Framework. The U.S. Department of Commerce will continue to administer the Privacy Shield program and ConnectWise will continue to participate in the EU-U.S. Privacy Shield.
The GDPR provides for other valid legal mechanisms (including EU Standard Contractual Clauses) for ConnectWise to transfer personal data from the European Economic Area to the US in relation to ConnectWise's services. ConnectWise has updated our Data Processing Addendum to implement the Standard Contractual Clauses in place of Privacy Shield.
Even though Privacy Shield is no longer a lawful basis for transfer, ConnectWise will continue to participate in and maintain its certification under Privacy Shield. This means that ConnectWise will continue to fulfill its Privacy Shield obligations. This includes continuing to adhere to the Privacy Shield principles with respect to the data that ConnectWise collected under Privacy Shield. ConnectWise will also continue to offer the Privacy Shield arbitration and redress mechanisms.
GDPR refers to the European Union General Data Protection Regulation. It’s arguably one of the most notable privacy and data protection regimes, particularly because of its far-reaching application. GDPR is intended to streamline and harmonize several different privacy laws that existed across individual European Union Member States. GDPR is designed to empower individual data subjects, giving them more control over their own privacy and the usage of their personal data.
"Personal data is any information relating to an individual, whether it relates to his or her private, professional, or public life. It can be anything from a name, a home address, a photo, an email address, bank details, posts on social networking websites, medical information, or a computer’s IP address."
Why should partners care?
This new regulation strengthens previous data protection efforts in the EU, providing additional enforcement powers for protecting data subjects’ personal information. The GDPR spells out the rights of data subjects, including:
In addition, GDPR imposes mandatory breach notification obligations whenever a company experiences a data breach that is likely to “result in a risk for the rights and freedoms of individuals”. There are incentives for regulators across Europe to enforce these personal data rights; companies found to be in non-compliance with certain GDPR requirements can be fined up to 4% of their total worldwide annual revenue or €20 million (whichever is greater).
How far does GDPR reach?
As mentioned, one of the most notable changes from the existing EU framework is GDPR’s far-reaching application. Per the EUGDPR.org website, the rules apply to both controllers and processors, meaning 'clouds' will not be exempt from GDPR enforcement. So even if your organization does not have a physical presence in the EU, you may be subject to GDPR.
What should you do?
If you’re not GDPR compliant, now is the time to become so. Partners may consider conducting a GDPR assessment and obtaining legal counsel for their business to advise on GDPR obligations. As part of the process, partners may consider reviewing their data collection policies and processes and taking steps to understand what personal data the company collects and where it’s stored. Can you provide a well-defined purpose for collecting each piece of data from your customers, if asked? Do you have clear mechanisms to obtain consent where required? Be prepared!
Helpful links to learn more
Please be advised that ConnectWise is not your attorney, and this information is not legal advice. This information does not provide, does not constitute, and should not be construed as, legal advice. It is for educational purposes only and is not to be acted or relied upon as legal advice. Use of this information does not create any attorney-client relationship between you and ConnectWise. The information does not constitute legal advice and is not a substitute for competent legal advice from a licensed attorney representing you in your jurisdiction. Partners should seek advice from their legal counsel to determine their legal obligations.