Photo: EU Flag, Robert Cohen
The EU General Data Protection Regulation (GDPR) is a new law coming into force in the EU. The GDPR is intended to increase the data protection for EU citizens’ personal data, and to govern how that data can be transferred outside of the EU. One of its other main goals is to unify the law across the region, which was previously covered by a Directive that needed to be implemented individually by each EU country.
If you use Post Affiliate Pro, there are some things you need to keep in mind when collecting the data of EU citizens, now that the GDPR is about to come into force.
What is the GDPR?
The GDPR applies to all data controllers and processors dealing with the data of EU citizens, also called “data subjects”. Data controllers are people, bodies, companies, or agencies that determine what data will be collected, for what purpose, and how it will be done. Essentially, data controllers are those collecting the data for some purpose (such as building a marketing contact list).
Data subjects are those persons who can be identified, directly or indirectly, by way of information collected about them. That information may be something like their location data, an online identifier (like a forum username) or information about their physical, physiological, genetic, mental, economic, cultural or social identity.
When the personal data of data subjects is collected by a data controller, the data controller needs to deal with that data in certain ways, and notify the data subjects of certain things. We’ll cover that in further detail in the section below.
The GDPR also has other tangential requirements for organisations collecting the data of EU data subjects. For example, they must create a new Data Protection Officer (DPO) role in their organisation, and also have an EU representative in the EU if the organisation itself is not based in the EU.
The Data Protection Officer is a new member of staff who will be required to ensure that the business complies with the GDPR. DPOs are necessary if your business collects and processes data on a large scale, or collects “sensitive” information such as racial or ethnic origin, political opinions, religious or philosophical beliefs. The DPO will train the data controller and their staff, develop data protection policies for the organisation, and provide internal compliance updates so that management can make any necessary changes for GDPR compliance.
The EU representative is simply a person on the ground in the EU who can be contacted on the company’s behalf if there is an issue.
How does it affect those using Post Affiliate Pro?
Post Affiliate Pro is an affiliate marketing management tool for managing your affiliates. As such, one way in which the personal data of an EU citizen could be collected when using Post Affiliate Pro is when you track your affiliates' referrals and commissions, record payouts, or look at relevant customer data related to those affiliates. You can see in the following image how Post Affiliate Pro works:
You also need to be careful about where you store the information you collect - for the data of EU citizens, you can only store it in certain countries. Other than all of the EU countries (which are automatically included), the countries that are currently approved are Andorra, Argentina, Canada, Faeroe Islands, Guernsey, Israel, Isle of Man, Jersey, New Zealand, Switzerland, and Uruguay.
The US was previously viewed as an approved country by the EU under the US-EU Safe Harbor agreement, which was recently struck down. A new agreement has been formed between the US and the EU, called the EU-US Privacy Shield. However, the Privacy Shield is still facing criticism from privacy advocates and lawyers, who say that the Privacy Shield is not sufficiently clear and does not outline in enough detail how it will protect consumers. This means that the details of the Privacy Shield may still be subject to change.
Companies are also unhappy with the new Privacy Shield, as many still feel that they are “in the dark” about their obligations given its lack of clarity. Developments in this area need to be watched carefully, to ensure that as new changes are brought in you are aware of what your obligations are if you are storing the data of EU citizens in the US.
It’s important to comply with the GDPR, as the fines for non-compliance have also increased under the new regime. Under the GDPR, if your business misses crucial steps in complying with the GDPR, or maliciously doesn’t comply, you could face fines of up to 4% of your global annual turnover.