GDPR Compliance

GDPR Compliance

Disclaimer: While we hope to cover some of the legal precedents discussed under GDPR, this is by no means a full overview of all policies. If you’d like to learn more about the new GDPR regulations, you can check out the full text here. Poll-lite, in accordance with these policies, have updated their procedures and Privacy Policy to ensure compliance. Below we distinguish the role of Poll-lite as a Data Controller and a Data Processor.

What is GDPR?

General Data Protection Regulation (GDPR) is a new EU regulation that extends the protections of personal data for European Union citizens from the 1995 EU Data Protection Directive. As part of these protections, organizations have new obligations when collecting or processing personal data, which will come into effect on May 25th, 2018.

How Poll-lite Addresses the Most Important Changes of GDPR as a Data Processor

Poll-lite has provided all the necessary protections for data controllers (our customers) in handling their contacts and needs. Below we address some of the other most important changes coming from GDPR.

PollPoll-lite product team has developed new features to support our customers journey to compliance. These new features mainly concern the “Right to withdraw consent”.  Previously, once a data subject had given consent it could not be withdrawn.  Now, a data subject can contact the data controller to withdraw their consent and the data controller can use the Poll-lite platform to delete the personal data of the data subject.

It’s important to remember that for our customers, Poll-lite is the Data Processor and it is the responsibility of the Data Controller (our client) to supervise the deletions: either by deleting directly, or instruct us to do it (we reserve the right to charge for volume).

All Poll-lite third-party partners and sub-processors have also taken the same necessary steps to ensure GDPR compliance is followed.

Current platform users can refer to the documentation provided on our Support page for further details on these features.

How Poll-lite handles GDPR rules as a Data Controller

Poll-lite provides all the necessary protections for our data subjects. Below we address some of the other most important changes that came from GDPR (in effect from 25 May 2018).

Scope

While the previous EU legislation (the 1995 EU Data Protection Directive) governed entities within the EU, the territorial scope of the GDPR is far wider because it applies to non-EU businesses who either market their products to people in the EU or who monitor the behavior of people in the EU. With an internationally presence, Poll-lite has taken all the necessary precautions to ensure we protect customers and prospective customers in compliance with the policies and procedures handed down by GDPR.

Consent

Whenever a data subject submits their personal information to a data controller, they need to ensure they do so with consent and understanding. GDPR has introduced new standards for what this type of consent entails, which calls for consent that is “freely given, specific, informed and unambiguous.” This means that data controllers must give clear language, meaning previous “opt-out” via silence or automatic check marks will not be allowed and must be replaced by a “statement or a clear affirmative action.”

Right to Withdraw Consent and Data Portability

Two new GDPR rules make it easier for users to remove stored information from data controller databases or to demand a copy of their stored information from processors.

The right to withdraw consent requires data controllers to remove data subjects’ personal data. If this data is held by a data processor, then the processor must ensure the data controller can perform this action. The right to data portability allows the demand of any information stored about a data subject to be handed over in a common copy format.

Right to Access Data

GDPR enhances previous rights of data subjects (who always had the right to access data). Data controllers can no longer charge data subjects for accessing their data. Though there are some circumstances where organizations can refuse a data access request, refusal policies must be clearly spelled out and data controllers must prove if a request meets the refusal policy criteria spelled out.

Data Privacy Impact Assessment (DPIA)

The new DPIA stipulation concerns building data privacy “by design”. This means that a company must assess how any new projects, technologies or initiatives, may impact the privacy of individuals to ensure preemptive changes to avoid potential privacy issues.

Data Privacy Officer (DPO)

Poll-lite has a DPO in place to ensure all compliance efforts are made in accord with GDPR. The DPO typically deals with activities that involve processing personal data on a large scale and are helpful in overseeing how vendors’ security practices comply with GDPR or to inform third-party vendors of any data subject requests.

Data controllers must have the ability to demonstrate GDPR compliance to local supervising authorities (the central point of enforcement for DPO’s to contact). Policies must be documented, appropriate measures taken and procedures updated in accordance with the newest GDPR laws.

Updating Privacy Documentation

Data controllers must review and update their privacy statements, internal data policies, and privacy notices so that they meet GDPR standards. Poll-lite will continue to ensure all documentation meets the necessary GDPR requirements.

Reporting Breaches

Under new GDPR guidelines, data controllers must notify their country’s supervisory authority of data breaches with 72 hours of finding (unless the data is encrypted or anonymized).

If you have any additional questions regarding Poll-lite’s GDPR compliance or privacy policies, please reach out to [email protected]