New Rules for Handling Personal Data
Rocketseed and GDPR (“General Data Protection Regulation”) in the EU
1st March 2018
In 2016, GDPR was passed at EU level and applies from 25 May 2018. From that date it applies directly in all EU member states and harmonises data protection legislation across the EU. However, despite being a Regulation, it contains derogations where member states have discretion to legislate in particular areas, so harmonisation is not complete. Regardless of Brexit, GDPR is here to stay. The text of the new Data Protection Bill has been published; when it becomes law it will replace the Data Protection Act 1998 (“DPA”) and implement GDPR standards, which is necessary to prepare the UK for when it exits the EU. Until then, data protection in the UK will be governed by the GDPR and the new Data Protection Act.
The purpose of the new Regulation is to strengthen and harmonise the rights of EU citizens in light of technological advancements and the unprecedented scale of global data flows, as well as to protect the free exchange of personal data in the EU.
GDPR builds on and replaces the regime of the Data Protection Act 1998 (“DPA”), which forms the basis of the current British legislation on data protection. In essence, GDPR imposes higher requirements on the organisations that determine the purposes and means of processing personal data (Data Controllers) and on those that process personal data on their behalf (Data Processors), while data subjects, the individuals whose personal data is handled, benefit from extended rights.
Data is the cornerstone of one-to-one marketing, an indispensable but fragile resource, so it is in the interests of all to treat access to personal data as a privilege, not a right. Maintaining the highest possible standards of data practice is about much more than mere compliance; it is about delivering one-to-one marketing that is a true exchange of value between Rocketseed, looking to prosper, and the customer, looking to benefit.
Rocketseed has the procedures, documentation and controls needed to comply with the more onerous requirements of GDPR. We will provide full support to our customers on all matters relating to GDPR, since contractual arrangements falling under the Regulation require additional process and compliance documentation.
Data Controller and Data Processor issues
Rocketseed, which both collects and processes personal data, is required to ensure that all personal data is processed in accordance with GDPR. GDPR places the obligation on both Data Controllers and Data Processors to ensure that the processing of personal data is lawful and transparent and that data is properly and securely stored. Processing must comply with the principles set out in GDPR, which require, amongst others, that processing is lawful, fair and transparent and is limited to what is necessary for the stated purpose, both in terms of the nature of the personal data stored (data minimisation) and how long it is kept (storage limitation).
Rocketseed, as a distributor of its email branding, signature and disclaimer software to its customers, as a provider of bulk mail software to its customers, and as a user of personal data for its own internal marketing purposes, has separate roles as both Data Processor and Data Controller.
| Rocketseed Activities | GDPR Role Definition | Source of Data Processing | Customer GDPR Role |
|---|---|---|---|
| Rocketseed | Data Processor | Rocketseed EU sub-contracted ISP | Data Controller |
| RocketMailer | Data Processor | Rocketseed USA sub-contracted ISP | Data Controller |
| Internal Marketing | Data Controller | Rocketseed internal procedures and controls | n/a |
For any processing to be lawful, the activity must satisfy one of the six lawful bases set out in Article 6 of GDPR: consent (opt in), performance of a contract, compliance with a legal obligation, protection of vital interests, a task carried out in the public interest, and the legitimate interests of the controller or a third party.
GDPR applies to the processing of information relating to an identified or identifiable living person. The term “personal data” is very broadly defined and covers everything from name, gender, address and phone number to income, illnesses, employment and education.
Personal data in an email signature is very rarely, if ever, special category (sensitive) data such as health, religious or political information. Signature data is easy to obtain from publicly available sources (received email, business cards, corporate directories, web sites, etc.), and there is nothing sensitive in a name, email address or mobile phone number. It does, however, constitute personal data, even when it is a business email address.
Access to personal data
Under GDPR, data subjects have enhanced rights. They have the right to access their personal data held by a Data Controller, and the right to information about the processing of that data: the purpose for which it is processed, how long it is stored, the recipients or categories of recipients of the data, and so on.
The right of access is limited in part by the Data Controller's right, where it processes a large quantity of information about the data subject, to ask the data subject to specify the information or processing activities to which the request relates. Data Controllers can no longer charge a fee for a standard access request and must normally respond within one month; they may charge a reasonable fee (or refuse to act) only where a request is manifestly unfounded or excessive, and may charge a reasonable fee for further copies.
Where consent is the lawful basis for processing, the data subject has the right to withdraw consent (opt-out) at any time. If consent is withdrawn, the Data Controller must cease processing the relevant personal data for the purpose for which consent was obtained; withdrawal does not affect the lawfulness of processing carried out before it. The Data Controller may continue to process the personal data for other purposes that rely on another lawful basis.
As a Data Processor providing the email software only, Rocketseed will refer any access request concerning personal data it processes on a customer's behalf to that customer, as the Data Controller.
Implementation of the GDPR
Apart from the extended rights granted to data subjects and the obligations placed on those processing data, GDPR introduces other new and significant provisions. These have extensive consequences for the relationship between Data Controllers and Data Processors.
A Data Processor is a legal entity processing personal data on behalf of a Data Controller.
At the moment the DPA places obligations only on Data Controllers. GDPR introduces direct obligations on Data Processors as well as Data Controllers. GDPR also introduces an accountability principle requiring Data Controllers not only to comply with the requirements but to demonstrate compliance. Data Controllers are required to carry out due diligence on their Data Processors, and both parties are required to enter into a written agreement (Data Processing Agreement) detailing the roles and responsibilities of each party, including the subject matter, duration, nature and purpose of the processing and the types of personal data and data subjects involved.
Although Rocketseed has long had established processes and procedures for personal data protection, like other businesses it is conducting a full audit of its legal, technical and internal processes to make sure existing practices comply fully with GDPR. With specialist legal advice, we are updating our agreements, including our licence agreements, data processing agreements and employment contracts, to meet the implementation date of 25 May 2018.
Data Processing Agreements, both between Rocketseed and its licensed customers and between Rocketseed and its processing suppliers, will become key links in the protection of personal data.
Rocketseed will offer, as a Data Processor, a Data Processing Agreement to its customers. GDPR sets significant requirements for the security measures a Data Processor must apply to stored personal data. As Rocketseed sub-contracts the management of the separate servers running the Rocketseed and RocketMailer software, it will ensure that its sub-processors protect personal data against external attack and accidental destruction, establishing digital and physical measures to safeguard the confidentiality, integrity and availability of stored customer personal data. Sub-processors may be engaged only with the customer's authorisation and must be bound by the same data protection obligations as Rocketseed. Rocketseed is also reviewing its existing technical processes for encryption and pseudonymisation of data files, physical locking and fireproofing of server facilities, and policies for the transfer of data.
Rocketseed, in its role as Data Processor, continues to work proactively to maintain the best available protection for customer personal data, so that customers can be confident their data is handled securely.