Matrix Group International

Month: April 2018

  • What Do I Need to Do to Become GDPR Compliant?

    Guest post by Tanya Kennedy Luminati, MatrixMaxx Product Manager

    What are the next steps once you know what GDPR is?

    Officially start your security/compliance/privacy efforts

    This is your first step: Read about GDPR on the Matrix Group blog, and start to learn more.

    Track any efforts

    Team meetings, staff meetings, webinars, research, actions. It is widely recognized that not everyone will be ready for the May 2018 enforcement deadline, so it is critical to show a good faith effort in starting your analysis process. Documentation of your efforts is critical to proving this.

    Learn more!

    Many groups and vendors are offering free webinars on GDPR. Sign up and attend one; the more you know the better informed you’ll be.

    A variety of organizations are hosting forums on this topic. For example, if you are an ASAE member, you have access to their GDPR collaborate forum.

    Figure out your organization’s role

    There is a shared responsibility for this between the Controller and the Processor.

    • A Controller is the person or organization that actually determines the purpose and means of processing personal data that they hold.
    • A Processor is the person or organization that processes data on behalf of the controller. (Matrix Group is a processor, along with countless other 3rd party vendors/providers that are providing services and systems like hosting, CRM, AMS, CMS, email marketing, marketing automation, etc.)

    Matrix Group, as a web services and software provider, is a Processor of data. Matrix Group’s clients are Controllers of their data. (e.g., The Association of Widget Makers, The Society of Professional People, ACME company, etc. are all Controllers.)

    In other words, we here at Matrix Group must provide tools to support the processes and procedures of GDPR, but Controllers have ultimate responsibility to determine how GDPR will impact them, and then use the tools vendors/processors (like Matrix Group) provide to put processes into place to comply with GDPR.

    For example, if a user requests access to all of their data …

    • The Controller is responsible for training staff to recognize this request for what it is and to gather necessary data from all systems (AMS, CRM, CMS, marketing automation system, email marketing system, etc.)
    • Matrix Group, as a Processor, is responsible for providing tools to help with this. (e.g., Our MatrixMaxx AMS has an Individual Participation Report that aggregates most of the data that we hold on the individual, and we’ll be upgrading it soon to include even more, such as the recent login and page request history)

    Do a gap assessment: Where are you and where do you need to be?

    The key questions to ask all revolve around your data:

    • Where are we getting data from?
    • What data are we storing and where is it being stored?
    • How are we using, handling, and securing the data while we have it?
    • Where are we sending data to?

    And once you’ve analyzed your flow of data, it is time to analyze what you need to do in order to comply with these new regulations. You may need:

    • Management resources, to help establish and enforce new policies for data collecting and handling
    • Technical solutions and tools to deal with the new rules
    • Legal advice to help rewrite your privacy policy or deal with the more complex aspects of the regulations

    Reach out to your vendors and partners

    At this point, any software/system partner should be thinking about their response to new privacy and security regulations like GDPR.

    Here at Matrix Group:

    • We have obtained our SOC 2 certification in security. SOC 2 is an auditing procedure that ensures we securely manage data to protect the interests of our organization and the privacy of our clients.
    • Our compliance committee meets monthly and has been discussing GDPR for many months
    • Our IT team meets weekly and GDPR has been on the agenda for months
    • The MatrixMaxx AMS team has been working on multiple upgrades to ultimately allow clients to better comply with the GDPR regulations:
      • We already have in place several reports that would allow the association to quickly/easily share information with anyone who requests a report of their data. (Individual Participation Report, Login Report, Page Request History report)
      • We are in the planning/development stage of an Anonymization function, which will allow the association to anonymize anyone who wishes to be forgotten, without losing the core transaction history in the record
      • We are researching and planning the best way to offer Consent functionality that complies with the double-verification requirement
      • We are monitoring and discussing with our 3rd party partners, like forums and email and marketing automation

    Is there a checklist for GDPR ‘compliance’? Can we all get certified as compliant?

    The concept of GDPR compliance certification has been established in the regulations, but it has not yet been fleshed out to the point of actually going into practice. So at this point, as of March 2018, if someone tells you they are certified compliant with GDPR, that is false.

    Looking ahead

    We are moving into a permissions-driven economy. The days are vanishing when you can get hold of someone’s email address and then send them endless amounts of email. You are going to need to politely and persuasively ask them for their data and explain how you are going to use it. You are going to need to be thoughtful about it. And you’re going to need to respect their desire for privacy while also wanting them to utilize your services.

    As marketers of services, this can initially seem frustrating. But turn it around and think about yourself as a consumer. Haven’t you griped about the amount of email you get? Haven’t you wished your name would stop being shared with companies you don’t care about? These regulations are coming into effect to force a worldwide respect of individual privacy and to make the cyber-world better for all of us as individuals. In time, we may even view this focus on privacy and security as an implicit expectation, in the same way organizations are now expected to think about sustainability as a key operations value. All of this is a good thing.

    PLEASE NOTE:

    This is one of Matrix Group’s installments on GDPR, Privacy, and Security. We at Matrix Group are not lawyers or GDPR consultants; do not take this info as absolute. Use this information as a starting point in:

    • Gathering the documentation, processes and tools you need to assess and support your obligations under GDPR
    • Planning for a future where respect for privacy and security is implicitly baked into all our processes and systems, regardless of country

  • What is GDPR and What Does it Mean for My Organization?

    Guest post by Tanya Kennedy Luminati, MatrixMaxx Product Manager

    There is a new acronym taking the world by storm right now: GDPR

    If you’re in Europe, you’ve probably heard of this. If you’re here in the United States, you may not have heard it … yet. But the concepts of Privacy and Security that it champions are moving to center stage all over the globe, so it is important we all pay attention and start our process shift now.

    What is GDPR?

    The nations of the European Union (EU) take privacy very seriously, and each country previously had its own laws. The General Data Protection Regulation (GDPR) was approved by the EU Parliament in 2016 in order to unify the various data privacy laws across Europe. The EU has a dedicated website where you can read the full GDPR details, and it is quite a long read.

    Who does GDPR apply to?

    If you hold and process any personally identifiable information (PII) in any of your systems for anyone living in the EU, this impacts you.

    PII is any data that can be used on its own or with other information to identify a particular individual: name, phone, email, address, etc. Processing is just about anything you do with that data. Any type of marketing, for example, is considered to be processing. The GDPR states that you can’t process PII data unless you have lawful grounds to do so. The GDPR affects your systems, your processes, your data, your customers/members, your 3rd party vendors, and your partners.

    Doesn’t GDPR only apply to European-based Companies?

    No. It applies to any organization offering goods/services to EU residents. The EU refers to this concept as Increased Territorial Scope (extraterritorial applicability).

    When do these new regulations go into effect?

    GDPR actually started 2 years ago. However, enforcement doesn’t begin until May 25, 2018. So as the humans we are, everyone has waited until the last minute to grasp these new regulations with both hands.

    What are the key facets of GDPR?

    You must have grounds for the lawful holding and processing of data. These include:

    • Consent
    • Fulfilment of a contract
    • Legal obligation
    • Necessary for interests of the individual or for the greater public good

    Consent is getting a great deal of attention as marketing now requires explicit “provable consent” in order to be considered lawful under the GDPR. For example, if you haven’t explicitly asked an EU resident in your database if they’d like to hear about some of your upcoming events, you probably can’t lawfully market to this person!

    Other important facets beyond the concept of lawful processing and consent include:

    • An individual may request access to all of their personal data. This may include any information stored in your main database, including contact information, login tracking, clickthrough tracking in a 3rd party marketing system, transaction data, etc.
    • An individual may request that their personal info be removed (a.k.a. the Right to be Forgotten), meaning that they can request that their records be deleted or anonymized in such a way that they are no longer personally identifiable. (This includes data in backups and in any 3rd-party systems that may have acquired the data from you.)
    • Data Breach Notification to certain authorities and individuals within particular timeframes.
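The anonymization approach described in both posts (strip the identity from the record but keep the core transaction history, then confirm no PII survives anywhere in it, including free-text notes) as an added Python example; this is illustration code, not MatrixMaxx’s planned Anonymization function, and the record layout, field names and sample member are assumptions.

```python
import secrets
from copy import deepcopy

PII_FIELDS = ("name", "email", "phone", "address")  # assumed record layout
KEEP_TX_FIELDS = ("id", "date", "type", "amount")  # kept so the ledger balances


def anonymize_member(record: dict) -> dict:
    """Return a copy of `record` with every PII field removed.

    A random token replaces the identity (a hash of the email could be
    reversed from a list of known addresses); transaction notes are scrubbed.
    """
    out = deepcopy(record)
    pii_values = [str(record[f]) for f in PII_FIELDS if record.get(f)]
    token = "anon-" + secrets.token_hex(8)
    for f in PII_FIELDS:
        out[f] = token if f == "name" else None
    out["anonymized"] = True
    out["transactions"] = []
    for tx in record.get("transactions", []):
        clean = {k: tx[k] for k in KEEP_TX_FIELDS if k in tx}
        note = tx.get("note", "")
        for v in pii_values:  # free text may embed the member's own PII
            note = note.replace(v, "[redacted]")
        clean["note"] = note
        out["transactions"].append(clean)
    return out


def leaks_pii(original: dict, candidate: dict) -> bool:
    """True if any original PII value still appears anywhere in candidate."""
    pii_values = [str(original[f]) for f in PII_FIELDS if original.get(f)]
    blob = repr(candidate)  # covers nested fields, not just top-level ones
    return any(v in blob for v in pii_values)


SAMPLE = {  # constructed sample record, not real member data
    "member_id": 4711,
    "name": "Alice Example",
    "email": "alice@example.org",
    "phone": "+1-555-0100",
    "address": "12 Widget Lane, Springfield",
    "transactions": [
        {"id": 1, "date": "2017-03-01", "type": "dues", "amount": 120.0,
         "note": "Annual dues"},
        {"id": 2, "date": "2018-01-15", "type": "event", "amount": 45.0,
         "note": "Receipt emailed to alice@example.org"},
    ],
}
```

Backups and copies already handed to 3rd-party systems are outside what this function can reach; those need their own deletion or anonymization step.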

    Are Membership Organizations (Trade Associations, Professional Societies), Not-for-Profits, and Non-Profits exempt from GDPR?

    No. They are not exempt.

    But … Wouldn’t someone joining my association as a member be implicitly giving me lawful grounds to process their data?

    Not necessarily. If they join as a member, it would probably be lawful processing to send them a confirmation of their membership, but you can’t start marketing association products and services to them without consent. This is an area where a GDPR consultant could be useful to you, if you have a lot of EU residents in your data or you actively market/appeal to persons living in the EU.

    How is GDPR going to be enforced?

    The penalties and fines, which will kick in starting May 25, 2018, are steep. There are obvious ways that EU-based organizations and foreign organizations with EU locations can be penalized. The question of how external organizations will be held to GDPR compliance is being discussed in a variety of articles and posts.

    Next up, we’ll discuss how to become GDPR compliant. Stay tuned!

    This is the first of several Matrix installments on GDPR, Privacy, and Security. Please note: we at Matrix are not lawyers or GDPR consultants; do not take this info as absolute. Use this information as a starting point in:

    • Gathering the documentation, processes and tools you need to assess and support your obligations under GDPR
    • Planning for a future where respect for privacy and security is implicitly baked into all our processes and systems, regardless of country