What tools does Quriobot offer to meet the GDPR regulations?
From the 25th of May 2018, the General Data Protection Regulation (GDPR) will be enforced in Europe, and as we are a Dutch company, we have to abide by this legislation. On this page you will find out how this affects your organization, what has changed and will change in the Quriobot software, and the required changes in your business relationship with Quriobot.
About the GDPR
Privacy is increasingly important in the current information technology era. We, as people, want to know what happens to our data and want to prevent this data from being exposed to the world.
The EU enforces a new privacy law: the General Data Protection Regulation (GDPR). This law gives us the assurance that every effort will be made to ensure that our data is not used for purposes we are not aware of. From the 25th of May 2018 onwards, this law will be enforced. This means that when you collect personal data, you must comply with the rules of the GDPR.
Most organizations have already started their preparations, and we are happy to tell you where Quriobot helps you to comply with this law. Please be aware that if you do not comply with the rules, the fines can be as high as four percent of your annual turnover.
The GDPR and Quriobot
To understand the consequences of this law, we have divided it into three parts:
People | Organization | Technology
"People" concerns, for example, a user of the software, an employee of your organization or a contact that is stored in your CRM system. For Quriobot, the three most important pillars of the GDPR are the following:
- Transparency: companies must inform users in an understandable way about how their data is collected and processed.
- Right to be forgotten: companies must be able to delete personal data if the person concerned requests this and no valid counter-argument can be given.
- Reporting obligation for data leaks: companies are obliged to document and report a data breach within 72 hours, unless they can prove that the leak poses no risk to the collected personal data.
Personal data is all information with which a person can be identified, such as a name, a telephone number, an address, an e-mail address, a date of birth, an account number and more. Are you wondering whether the GDPR applies to your organization? It’s very simple: if you work with one of the data elements mentioned above, then the GDPR applies to your organization.
People have the right to correct their data or to have it removed. In addition, each person must give specific, freely given and unambiguous consent, with full knowledge of the facts.
In other words: if (with a bot) you are collecting email addresses with the intent of emailing these people with marketing or sales information, you, as a company, have to explain specifically what will happen to the collected personal data. Keep in mind that this information needs to be clear and easily understandable in your Privacy Statement, and please don't forget to always ask users for explicit permission to use and store their personal data.
Service Level Agreement / Cooperation Agreement
From May 25th, 2018 onwards, all our customers and partners will receive a new cooperation agreement containing a processor agreement that complies with the new legislation and regulations, with all rights and obligations that arise from the GDPR. Some important changes are:
- Processing agreement: according to the GDPR, there is a 'Processor' and a 'Controller'. Quriobot is the Processor and its customers are the Controllers.
- Legislation: the reference to the Personal Data Protection Act (Wbp) will be adapted to the General Data Protection Regulation (AVG in the Netherlands).
Quriobot has a Privacy Statement on its website for both companies (its clients) and end users, in which we state that we do not abuse your data or that of your customers.
Terms & Conditions
In addition to the Privacy Statement, the Terms and Conditions of Quriobot can be found here.
By using the Quriobot software solution, personal data will be processed, securely stored and made available via the Control Room (our back office). Here, the collected (personal) data will be presented to you in your own account, and each client can adjust this information. If you have more questions about (for example) the removal of (personal) data, please feel free to contact us via email@example.com.
For the Quriobot software solution, the GDPR has impact on the following:
Right to be forgotten
The 'right to be forgotten' is a very strong right of the end user under the GDPR. In our Control Room, this (as well as insight into other data or adjustments of data) can easily be carried out:
- Deleting records / subscribers. It is possible to delete records directly within the Control Room, namely within the 'Results' section. Note that a person's data could be in multiple places, and deleting means permanent deletion: once deleted, that data can no longer be retrieved.
The GDPR also pays a lot of attention to data portability: being able to export personal data so that it can be reused in other situations. The current possibilities in the Quriobot software, such as reports via XLS or CSV, are sufficient to comply with the legislation.
Important pillars of the GDPR
What should you do?
1. Make an overview of all data that you handle
Make an overview of all (personal) data your organization handles. It must be clear which different sets of (personal) data are used, for what purpose, where they are stored and who has access to them. Create a so-called Privacy Impact Assessment (PIA). According to the GDPR, organizations are obliged to map the risks of data handling in advance.
Tip: make sure that you map all processes for dealing with (personal) data, for example how it is removed from the Quriobot software. If a user sends you an email requesting that their data be deleted, the data of that person must actually be deleted. The same applies, of course, when someone wants to change their (personal) data.
2. Consider privacy by design & privacy by default
Privacy by design means that when designing (new) products and services you take the protection of privacy-sensitive information into account. Think, for example, about a new product or service you offer, with which (or for which) you collect or use personal data.
Privacy by default means that you only process the personal data that is necessary for that specific purpose. As an organization you always remain responsible for who can process which data and where.
Tip: when you review your online documentation (your Privacy statement for example) regarding the processing of personal data, make sure that it is written in clear, understandable language. If people do not understand you, suspicion may arise and that will harm your brand. Be transparent!
3. Comply with the Data Leak Reporting Requirements
Unfortunately, we read more and more often about hackers who have obtained personal data. But the same applies in the unfortunate event of losing a laptop or sending an email containing personal data to the wrong recipient. Besides being serious business risks, these are also considered data leaks. In all circumstances, you must inform those involved about the data breach, and if it has serious consequences for the personal data, you have to report it to the appropriate authorities. Most important of all, you must do everything you can to prevent this.
Tip: document the risks for your organization. Look at your procedures for documenting and reporting data leaks. In the GDPR, the obligation to report data leaks is extended with the obligation to document all data leaks, which can then be reviewed by the applicable Data Protection Authority.
4. How do you request and register permission for using (personal) data?
The new legislation imposes stricter requirements on the consent that people must give for the processing of their data. Evaluate the way in which you ask people for permission to process their (personal) data and how (securely) you record that consent. You must be able to demonstrate that consent has been obtained.
How can we help you?
1. Keeping accurate, safe and secure (personal) data
Quriobot will do everything it can to keep your data safe and secure. Both parties have obligations to keep operating in accordance with the GDPR. Being able to remove, change and transport personal data (at the request of the end user) plays an important part in this.
2. Possibility to block or delete (personal) data
Within the Control Room you can easily and completely remove people from the Quriobot software. Note that you must not add these people again in the future without their consent. This is your responsibility.
3. Double opt-in
If you will be using email addresses for any business purpose, always make sure you use a double opt-in service. People who sign up should receive a confirmation email in which they have to indicate again that they want to sign up with that specific email address. This gives you a clean database and takes care of explicit consent.
If you have any questions about anything, please contact us on firstname.lastname@example.org.