Helping you comply with the GDPR

You’ve probably heard about the EU’s new regulation, the General Data Protection Regulation (GDPR). It’s a new set of laws aimed at enhancing the protection of EU citizens’ personal data and increasing the obligations of organizations to deal with that data in transparent and secure ways.

At Rentman, a broad team is finishing the process of ensuring that our own practices are GDPR-compliant. Equally important to us is helping you, our partners and customers, understand what the GDPR means for your businesses and build compliant processes of your own.

Rentman wants to set you up for GDPR compliance. For some time now, Rentman has offered all the options you need to comply with the GDPR. In this article, we will walk you through them and explain how you can set up Rentman in order to comply.

 

Processor vs Controller

Most of our customers store two types of information in Rentman that are affected by the GDPR: personal information about customers and details of employees. Let’s say that Sofia is a contact of yours and an EU citizen. She's called the "data subject," and your company (let's call it Acme Corp.) is called the "controller" of that data. If you're a Rentman customer, then Rentman acts as the "processor" of Sofia's data on behalf of Acme.

With the introduction of the GDPR, data subjects like Sofia are given an enhanced set of rights. Controllers and processors like Acme Corp and Rentman, respectively, are given an enhanced set of regulations to comply with.

 

The key concepts of the GDPR regulations

 

Lawful basis of processing

What it means

You need to have a legal reason to use Sofia’s data. That reason could be consent (she opted in) with notice (you told her what she was opting for), the performance of a contract (e.g. she’s your customer and you want to send her a bill), or what the GDPR calls “legitimate interest” (e.g. she’s a customer, and you want to send her products related to what she currently has).

You need the ability to track that reason (also known as “lawful basis”) for a given contact.

 

How to comply

For most users, contact details are stored for the performance of a contract. When you use Rentman to register contact details for marketing purposes (CRM), you can add an additional field to the contact to store the lawful basis.

 

Consent

What it means

One type of lawful basis of processing is consent with proper notice. In order for Sofia to grant consent under the GDPR, a few things need to happen:

• She needs to be told what she’s opting into. That’s called “notice.”

• She needs to affirmatively opt in (pre-checked checkboxes aren’t valid). Her filling out a form alone cannot implicitly opt her into everything your company sends.

• The consent needs to be granular, meaning it needs to cover the various ways you process and use Sofia’s personal data (e.g. marketing email or sales calls). You must log auditable evidence of what Sofia consented to, what she was told (notice), and when she consented.

 

How to comply

Rentman comes in after consent is given (we don’t gather data of your customers on your behalf), so you should make sure appropriate processes are in place to comply, depending on your method of acquisition. Withdrawing consent needs to be just as easy as giving it.

 

Deletion

What it means

Sofia has the right to request that you delete all the personal data you have about her. The GDPR requires the permanent removal of Sofia’s contact from your database, including email tracking history, call records, form submissions, and more.

In many cases, you’ll need to respond to her request within 30 days. The right to deletion is not absolute and can depend on the context of the request, so it doesn’t always apply.

 

How to comply

Rentman supports GDPR-compliant permanent deletion of contacts in the “contacts” module. As controller, we are also able to delete all the personal data Rentman stores.

 

Access / Portability

What it means

Just as she can request that you delete her data, Sofia can request access to the personal data you have about her. Personal data is anything identifiable, like her name and email address. If she requests access, you (as the controller) need to provide a copy of the data, in some cases in machine-readable format (e.g. CSV or XLS).

Sofia can also request to see and verify the lawfulness of processing (see above).

 

How to comply

Rentman enables you to grant any access/portability request by easily exporting Sofia’s contact record into a machine-readable format with the ‘export’ button.

You can verify Sofia’s lawfulness of processing using the associated contact property you’ve set up, as mentioned above.

 

Security Measures

What it means

The GDPR requires a slew of data protection safeguards, from encryption at rest and in transit to access controls to data pseudonymization and anonymization.

 

How to comply

Rentman applies industry-standard practices around encryption. Together with the teams at our infrastructure partner, we are continuously improving our systems for authentication, authorization, and auditing at a massive scale to protect our customers' data even better.

 

FAQ

 

Is Rentman fully GDPR compliant on May 25th?

Yes.

As we approach May 2018, Rentman is focused on GDPR compliance efforts. During this implementation period for the regulation, we are evaluating new requirements and restrictions imposed by the GDPR and will take any action necessary to ensure that we handle customer data in compliance with the applicable law by the 2018 deadline.

You will receive notifications of new functionalities and changes to our Terms in the usual way.


When will Rentman be updating its legal documentation?

We will update our Terms of Service, Data Processing Agreement, and Privacy Policy by May 5, 2018, at the latest. However, we are working to roll out these updates sooner than that.

 

Disclaimer

This blog post is not legal advice for your company to comply with EU data privacy laws like the GDPR. Instead, it provides background information to help you better understand the legal effects of the GDPR for your company in relation to using Rentman. This legal information is not the same as legal advice, where an attorney applies the law to your specific circumstances, so we insist that you consult an attorney if you’d like advice on your interpretation of this information or its accuracy. In a nutshell, you may not rely on this paper as legal advice, nor as a recommendation of any particular legal understanding.
