What you need to know before you discuss GDPR with the Client/PMO!
- BE AWARE and BE ADVISED: ANY questions you may be asked about the legal or security aspects of GDPR, and any request for guidance from a client/program office, should be immediately directed to Privacy@Beeline.com for assistance.
- With regard to GDPR, the role of any client-facing Beeline staffer is limited to turning on configuration settings to enable the Controller Admin user role and the Grant Controller Admin user role.
- Advising a client, program office, or the assigned controller administrator IN ANY WAY regarding the erasure of a resource or user is prohibited.
- At no time or for any reason should Beeline staff perform the erasure themselves or advise the client/program office/controller administrator to do so, or not to do so.
- Once a resource or user record is erased, this data removal is permanent. There is no system capability that can retrieve or reinstate these erased records.
- It is the responsibility of each client, in coordination with their managing program and designated Data Privacy Officer, to determine the policies they will establish in order to comply with GDPR requirements. Compliance advisors need to be legal/legislative specialists, and that is not Beeline’s role.
- GDPR-specific terminology is standard across all client accounts. The system terminology may not be removed, changed, or adjusted.
What is GDPR?
GDPR (General Data Protection Regulation) is European Union (EU) legislation that gives the EU the power to hold businesses and organizations accountable for how they collect and handle personal data. This legislation was passed in 2016 with a two-year period for businesses and organizations to prepare for compliance by the May 25, 2018 effective date.
One of the key aspects of this legislation is an individual’s Right to Erasure, also known as Right to be Forgotten. This gives an individual (i.e., data subject) the right to have their personal data erased from a data system.
Who is impacted by GDPR?
GDPR is applicable to anyone who lives, works, or travels through the EU. Businesses or organizations that process these individuals’ personal data must comply with these regulations regardless of where the business or organization is located.
Who is not impacted?
Citizens of non-EU member states who do not live, work, or travel through the EU are not impacted. However, as noted above, businesses or organizations outside the EU that process personal data of anyone who lives, works, or travels through the EU are subject to these requirements. This is known as the principle of “territorial scope”.
Who is responsible for GDPR compliance?
Clients always retain ownership of their data. This is a standard article in all client contracts. Beeline is the data processor. Therefore, the client is responsible and accountable for GDPR compliance.
What is the penalty for failure to comply?
The fines and penalties are defined in the legislation. Clients/program offices should consult with their internal legal/legislative advisors on any issues regarding penalties or compliance. Beeline staff should never be included or participate in these discussions.
What is Beeline’s role with regard to GDPR?
- GDPR-specific terminology used in system notifications, warnings, or screen displays will be standard across all client accounts. This content cannot be adjusted to be client specific.
- Data erasure is irreversible.
- In Beeline VMS: Beeline users do not grant either the Grant Controller Admin user role or the Controller Admin user role. (The Grant Controller Admin user role has the ability to grant the Controller Admin role to another user.)
- In IQN VMS: A Beeline user will have no visibility to the Controller Admin user role when impersonating a CAM (Client Account Manager) or a Client Admin in an account.
- Clients who need a comprehensive list of Beeline VMS or IQNavigator standard data fields in order to determine if these fields were used to collect/store personal information should contact Privacy@Beeline.com for assistance. A list of client-defined fields (CDFs) will be visible to the designated Controller Admin once the Right to Erasure feature is activated. Review the Controller Administrator Reference guide for details. (Links to the Beeline VMS and IQNavigator versions of this guide are provided in the Additional Resources section below.)
How should Support calls or JIRA tickets related to GDPR be handled?
It is the sole responsibility of the client and/or program office to determine their process steps for “right to erasure” requests. It is the responsibility of the client’s Controller Admin to process these requests and to ensure that the request has been completed. As previously stated, at no time or for any reason should Beeline staff perform the erasure themselves or advise the client/program office/controller administrator to do so, or not to do so. In addition, at no time or for any reason should the contents of a JIRA ticket include the name(s) of any individual(s) who have requested to be erased.
- If the contact is made by the individual who wants to be erased, then they should be referred to the client’s Data Control Administrator*.
- If a client user is the contact and a ticket is logged, the ticket should NOT include the name(s) of any individual(s) to be erased.