As we approach the deadline for putting GDPR compliance in place, we’re getting more questions about our interpretation of the regs, what we’re doing about it, and what our clientele can do to protect against regulatory risk in the EU. If you’re with a company that has a European field, you are (or someone at your organization is) most likely already knee-deep in a systems audit to make sure you’re up to scratch. If not, time is quickly running out!
For anyone who hasn’t spent the last few months in the headache-inducing space of European privacy protections, the GDPR (or General Data Protection Regulation) is being touted as “the most important change in data privacy regulation in 20 years”. Really, the new regs don’t make too many sweeping changes to existing privacy law – but they do expand the definition of what constitutes PII (personally identifiable information) and how it should be handled. More importantly, they’re severely ramping up the fees for anyone caught violating the new regs, making non-compliance a potentially very costly oversight.
As an entity that does not directly collect any user data – but does store limited PII supplied by our clients (in the form of Distributor info) – Momentum Factor is considered a “processor” under GDPR, with our clients as “controllers”. Data security has always been a critical priority for us, so most of the protections required by GDPR were already built into FieldWatch. However, we are making a few internal system changes to ensure compliance with a GDPR “Processor” role.
GDPR regulations touch on every point of the data gathering, transference & storage process. Methods of gathering information from users, transferring that information to 3rd parties (like, say, Momentum Factor) and storing that information are all covered. The overall gist is that anyone sharing information on the internet should be informed about what’s being stored and why, how they can go about deleting their info, and what safeguards are in place to ensure that it isn’t stolen while in the custody of a 3rd party.
As many commentators have noted, the guidelines for GDPR are maddeningly vague in some key areas (what the heck does “implement appropriate technical and organisational measures” mean, exactly??). Where we can, we’re taking safe harbor measures to ensure that we’re in line with the more conservative interpretations – but like the rest of the world, we’ll be watching to see exactly when and how these new regulations are enforced. In the meantime, please let us know if you have any questions about your program as we head into the final days before the May 25 deadline.
Stay safe out there!