GDPR COMPLIANCE AT THE MOUNTAIN
The Mountain takes the EU General Data Protection Regulation (GDPR) very seriously and has created several tools, forms and processes to stay compliant.
WHAT THE MOUNTAIN HAS BEEN DOING TO PREPARE
To better facilitate compliance, we have been implementing both product and non-product-related updates before the GDPR commences. Not only will these updates ensure our compliance, but they will also make it easier for us to comply with GDPR rules. Below is the list of relevant updates we will be making:
- (In progress) Improve contact deletion capabilities to comply with right-to-be-forgotten requests.
- (Complete) Improve site tracking so it can complement your website’s compliance needs.
- (Complete) Address Cookie Compliance
- (Complete) Added ability to show consent checkboxes only for EU visitors as an option
- (Complete) Added EU to the list of countries in our advanced targeting
We have added a checkbox option to email signup forms. This can be used for general terms of service or for more explicit consent regarding our visitors opting into our campaigns and promotions.
GENERAL DATA PROTECTION REGULATION (GDPR)
The General Data Protection Regulation (GDPR), which will be enforceable on May 25th, 2018, is a regulation from the European Parliament, the Council of the European Union and the European Commission that attempts to strengthen and unify data protection for all individuals within the European Union (EU). It also addresses the export of personal data outside the EU. When the GDPR takes effect, it will replace the data protection directive of 1995.
This page will address how The Mountain is compliant with the GDPR. Please note that this page is for informational purposes only and should not be used as legal advice. We at The Mountain encourage you to work with legal counsel to determine precisely how the GDPR might impact your business. The GDPR website also has good FAQs, which cover who it affects, changes, penalties, and more.
The Mountain already takes great measures to protect your data. The GDPR adds some new privacy protections for individuals within the EU:
- Expansion of scope: The GDPR applies to all organizations established in the EU or processing data of EU citizens
- Expansion of definitions of personal and sensitive data: any information relating to an identified or identifiable individual; meaning, information that could be used, on its own or in conjunction with other data, to identify an individual.
- Expansion of individual rights: EU citizens will have several important new rights under the GDPR, including:
  - Right to be forgotten: An individual may request that an organization delete all data on that individual without undue delay.
  - Right to object: An individual may prohibit certain data uses.
  - Right to rectification: Individuals may request that incomplete data be completed or that incorrect data be corrected.
  - Right of access: Individuals have the right to know what data about them is being processed and how.
  - Right of portability: Individuals may request that personal data held by one organization be transported to another.
- Stricter consent requirements: You will need to obtain consent from your subscribers and contacts for every usage of their personal data, unless you can rely on a separate legal basis. Keep in mind that:
  - Consent must be specific to distinct purposes.
  - Silence, pre-ticked boxes or inactivity do not constitute consent; data subjects must explicitly opt in to the storage, use and management of their personal data.
  - Separate consent must be obtained for different processing activities, which means you must be clear about how the data will be used when you obtain consent.
- Stricter processing requirements: Individuals have the right to receive “fair and transparent” information about the processing of their personal data, including:
  - Contact details for the data controller
  - Purpose of the data: This should be as specific (“purpose limitation”) and minimized (“data minimization”) as possible. You should carefully consider what data you are collecting and why, and be able to validate that to a regulator.
  - Retention period: This should be as short as possible (“storage limitation”).
  - Legal basis: You cannot process personal data just because you want to. You must have a “legal basis” for doing so, such as where the processing is necessary to the performance of a contract, an individual has consented (see consent requirements above), or the processing is in the organization’s “legitimate interest.”
HOW DOES THE MOUNTAIN HELP YOU COMPLY WITH THE GDPR?
The following covers explicit ways in which The Mountain complies.
- By default, The Mountain handles email opt-ins in a GDPR-compliant manner. When it comes to email submissions and GDPR, The Mountain now collects the opt-in timestamp and campaign of each of your contacts who registers through one of our forms. We also make it quick and easy for you to access your data in your account and, if requested, delete it with the click of a button.
- GDPR is centered around storing, using, transmitting and deleting personal information of EU citizens.
- The regulation requires that EU citizens take an action to consent to the use of their information.
- If a customer asks, we will need to be able to share with them the personal information you have stored, and be ready to delete that information in a timely manner.
- GDPR user rights
  - Right to be forgotten: You may request to have your data deleted at any time.
  - Right to object: You may opt out of inclusion in marketing and external communications.
  - Right to rectification: You may update your subscribers within your account to correct or complete subscriber/contact information upon their request at any time.
  - Right of access: You may access your subscribers’ data within your account upon their request at any time.
  - Right of portability: You may export any of your lists of subscribers in CSV format at any time.
- Email capture forms – consent forms added to EU subscribe fields
- Unsubscribe – Manage your data – https://themountain.com/manage-your-data-gdrp
Updated: May 20, 2018