EU General Data Protection Regulation (GDPR)

The EU General Data Protection Regulation (GDPR) will set a new standard for how companies use and protect EU citizens’ data. It will take effect from May 2018.

At TokBox, we’ve been working hard to prepare for GDPR, to ensure that we fulfil its obligations and remain transparent in our customer messaging and about how we use data.

Here’s an overview of GDPR, and how we are preparing for it at TokBox.

Overview

What is GDPR?

The GDPR is a comprehensive European data protection law that provides significant data rights for protecting the privacy of natural persons residing in the EU. TokBox is committed to ensuring that our platform is GDPR-compliant when the regulation becomes enforceable on May 25, 2018.

How is GDPR applicable to TokBox?

TokBox has employees and customers all over the world. We respect everyone’s personal information regardless of where they live, and it makes perfect sense for us to have one privacy policy and set of procedures to protect everyone’s interests, including compliance with applicable local laws.

What personal information does TokBox process on behalf of its customers?

  1. We collect and maintain personal contact details, which include contact name, job title, email address, telephone number, and company name. If the customer is an individual sole proprietor or unaffiliated with any commercial or non-profit entity, additional information such as street address and credit cardholder data may also be included.
  2. All customer data, that is, data controlled by our customers which we process according to their instructions, is classified as Confidential. This confidential data could contain personally identifiable information about our Customers’ End Users, which we cannot identify because it is encrypted and not accessible by TokBox staff.

What are Data Controllers and Data Processors?

GDPR is designed to ensure protection of the privacy rights of data subjects. Data subjects are people from whom or about whom you collect information in connection with your business and its operations. Your obligations with regard to data subjects and their personal data depend on whether you’re considered a controller or a processor under GDPR.

  • Data Controllers

GDPR defines a data controller as “the natural or legal person, public authority, agency or another body which, alone or jointly with others, determines the purposes and means of the processing of personal data.” In other words, if your organization processes personal data for your own organization’s purposes and needs—not merely as a service provider acting on behalf of another organization—then you are likely to be a data controller.

TokBox is a Data Controller for our direct customers.

  • Data Processors

Businesses or organizations that process personal data solely on behalf of, and as directed by, data controllers are data processors. In other words, when a data controller outsources a data processing function to another entity, that other entity is generally a data processor.

For purposes of the GDPR, TokBox is also considered a Data Processor for our customers’ end-users.

What steps is TokBox taking to ensure GDPR compliance?

  1. We conducted an internal Data Protection Impact Assessment (DPIA) to discover what information we collect, and how it's being used.
  2. We will publish a Shared Responsibility Model so our customers know what their responsibility is for protecting the privacy of personal information, and informing them of what TokBox is responsible for. This is to reduce confusion and duplication of effort.
  3. We will provide customers with resources and helpful information about privacy and GDPR, including whitepapers and blog posts.
  4. We will announce an update of our Privacy Policy, updated for GDPR and effective as of February 15th, 2018.

Our Customers and the GDPR

As a TokBox customer, what are my main responsibilities under the GDPR?

TokBox customers are responsible for protecting the personal information of their end users, as Data Controllers and/or Data Exporters.

Your responsibilities under GDPR will depend on the nature of your business and your personal data processing activities. Nonetheless, broadly speaking, GDPR requires that personal data be:

  1. Processed lawfully, fairly and in a transparent manner,
  2. Collected for specified, explicit and legitimate purposes and not further processed in a manner incompatible with those purposes,
  3. Adequate, relevant, and limited to what is necessary for achieving those purposes,
  4. Accurate and kept up to date,
  5. Stored no longer than necessary to achieve the purposes for which it was collected, and
  6. Properly secured against accidental loss, destruction or damage.

It is our customer’s responsibility to obtain the EXPRESS CONSENT of individual Data Subjects (for example, your family members, co-workers, or customers) to transfer their Personal Data to TokBox as a Data Processor and/or Data Importer. TokBox processes all such information as Confidential Data in accordance with the terms of our Data Processing Agreement and/or this Privacy Policy.

What actions do I need to take before May 25th, 2018?

In addition to seeking independent legal advice regarding your obligations under the GDPR, here are some tips to get you started:

  1. Educate yourself on the provisions of the GDPR to understand how they may differ from your existing data protection obligations and practices.
  2. If you don’t have dedicated data privacy or security personnel in-house, consider appointing a directly responsible individual (DRI) or small team to manage your company’s GDPR compliance efforts.
  3. Create an up-to-date inventory of personal data that you collect and manage.
  4. Create a list of vendors to whom you send data (analytics tools, CRMs, email tools, etc.), and understand whether each is a controller or a processor. Then, determine what their obligations are, and make sure they have a plan to be ready for the GDPR.
  5. Develop a plan for obtaining and managing consent in accordance with the GDPR, or establish other lawful grounds for using personal data.
  6. Determine if your company needs to appoint a Data Protection Officer (DPO). For public authorities, and companies processing large amounts of special categories of personal data, appointing a DPO is mandatory. Organizations will be expected to hire someone who has real expertise and knowledge of the latest laws and practices.

Becoming GDPR compliant takes time, and will require you to rethink how you collect and manage customer data. If you have any questions about the GDPR or want to learn how TokBox can help you prepare, please let us know.

What are the penalties for non-compliance with GDPR?

Depending on the nature of the violation, data protection authorities may issue fines or penalties for non-compliance of up to €20 million or 4% of global revenue.

Where can I get more information about GDPR?

  1. From the original source: The Council of the European Union where the legislation was approved. https://publications.europa.eu/en/publication-detail/-/publication/c7d157e6-fccd-11e7-b8f5-01aa75ed71a1/language-en/format-PDF/source-62885347
  2. For more general GDPR readiness portals, we suggest: https://www.eugdpr.org/
  3. From leading Privacy advocacy organizations:
    1. https://iapp.org/resources/topics/eu-gdpr/
    2. https://www.epic.org/international/eu_general_data_protection_reg.html
    3. www.truste.com