Any information relating to an identified or identifiable natural person (‘data subject’). An identifiable person is one who can be identified, directly or indirectly, in particular by reference to an identifier such as – name, email address or location, and also online identifiers like IP address, types of website cookies and other device identifiers.

For eg: Support tickets carrying personal data like name, location, social identity for purposes to record and solve an individual’s support requests; CRM software collecting online identifiers to learn prospect activity on from the company website/product.

A data controller is an entity/person that determines purposes and means of processing personal data of the EU resident. For eg. Plan Your Website is a data processor and Plan Your Websites’ customers are controllers of the EU resident’s data.

The GDPR applies to both data controllers and processors. Controllers collect data from the end-user that is the EU resident, for purposes clearly stated and with appropriate consent. Data processors provide services to the controller in accordance with each controller’s instructions. Processors also use data collected to perform benchmarking analysis, so that it can sell further services allowing controllers to compare their data to industry averages.

Another category called sub-processors or third-party businesses performing data processing for other companies are also accountable for protection of personal data, according to the GDPR

No, the GDPR does not require EU personal data to stay in the EU, nor does it place any new restrictions on the transfer of personal data outside the EU.

Data transfers from the EU to outside can be legitimized in many ways including:-

EU-US Privacy Shield

Model or Contractual Clauses

Binding Corporate Rules (BCR)

The GDPR helps restore consumer trust by acting as a central authority governing rules of data protection and rights across the EU. The new law allows businesses to undertake opportunities in the digital market while protecting an individual’s fundamental rights.

Businesses can capitalize on opportunities through:-

Cost savings and less complicated policy management by dealing with 1 law, not 28. This otherwise required expenses and efforts dealing with regulations for each member state locally.

Consistency in practice of data protection measures both in and outside the EU. This is because the same regulation applies to all businesses, regardless of where they are based out of.

The regulation enables innovation to flourish under the new law.

New & enhanced rights for data subjects – This law gives an individual the right to exercise complete authority over their personal data. Some of the rights highlighted in the regulation are:

Explicit consent : Data subjects must be informed about how their personal data will be processed. Organizations must make it as easy for data subjects to withdraw their consent as it is to grant it.

Right to access : At any point in time, the data subject can ask the controller what personal data is being stored or retained about him/her.

Right to be forgotten : The data subject can request the controller to remove their personal information from the controller’s systems.

Data portability : The controller must be able to provide data subjects with a copy of their personal data in machine-readable format. If possible, they must be able to transfer the data to another controller.

Obligations of the processors – GDPR has raised the bar for the responsibilities and liabilities of data processors as well. Processors must be able to demonstrate compliance with the GDPR and they must follow the data controller’s instructions.

Data Protection Officer – Organizations may need to appoint a staff member or external service provider who is responsible for overseeing GDPR, general privacy management compliance and data protection practices.

Privacy Impact Assessments (PIA) – Organizations must conduct privacy impact assessments of their large-scale data processing to minimize the risks and identify measures to mitigate them.

Breach notification – Controllers must notify the stakeholders (the supervisory authority, and where applicable, the data subjects) within 72 hours of becoming aware of a breach.

Any information relating to an identified or identifiable natural person. The identifiers are classified into two types: direct (e.g., name, email, phone number, etc.) and indirect (e.g., date of birth, gender, etc.).

All customer data held by Plan Your Website is located in a EU data centre by our backend providers GoDaddy.

Plan Your Website utilise several external agencies to handle and process all of our data and payment services.

Each company will have there own respective guidelines/legal mandates in place by May 2018. – Plan Your Website doesn’t store any customer data on our own servers, and thus any breaches fall under the onus of our respective suppliers.

Our respective backend suppliers:-

GoDaddy

Stripe

GoCardless

PayPal