What is GDPR?
The General Data Protection Regulation (GDPR) is a regulation in EU law on data protection and privacy for all individuals within the European Union and the European Economic Area. The regulation outlines that EU residents will now have greater control over how their personal data is stored, processed, and used by organizations within or outside the EU or EEA. All organizations that process data of EU residents come under the purview of this regulation, irrespective of their location.
This regulation will come into effect on May 25, 2018.
For more information on GDPR, see EU GDPR Official Website.
Brand Binary’s Commitment
Australian Cyber Corporation Pty Ltd (Brand Binary) is committed to protecting the data of its customers and end-users through both robust internal security processes and technological tools, irrespective of where our customers and end-users are located across the globe. The company has taken extra measures to ensure that not only is the company itself GDPR ready and compliant, but that it also provides its customers with the tools and capabilities that allow them to be GDPR compliant with their own end-users.
Brand Binary’s GDPR Compliance
As a Data Controller, Brand Binary is responsible for the way it collects, processes, and stores customer data. To ensure GDPR compliance, we have taken a series of measures so that Data Subjects not only have full control over the data they share but also have that data strongly protected in every way.
Here is what Brand Binary is doing to be GDPR ready:
1. Full Transparency
To honor the ‘Right to be informed’ principle of GDPR, we have:
- Built an application interface that makes clear and concise to the customer, at each stage, what data is required and for what purpose
- Ensured that no Personally Identifiable Information (PII) of the customer can be collected without the customer's explicit consent
- Added capabilities to our products and services that allow our customers to obtain consent from their own end customers before collecting PII
2. Data Control
To honor the ‘Right of Access’, ‘Right to Rectification’, ‘Right to erasure’, ‘Right to restrict processing’, and ‘Right to Data Portability’ principles of GDPR, we have:
- Set up processes that allow customers to request a download of all data connected with them, and serve such requests in a timely manner. Within a short period of time, we will be adding this feature to our application interface so that customers can take this action on their own, without any delay
- Set up processes that allow customers to easily edit personal information at any time, such as their registered email address, billing information, and payment information
- Set up processes that allow customers to request deletion of all data connected with them, and serve such requests in a timely manner. Within a short period of time, we will be adding this feature to our application interface so that customers can take this action on their own, without any delay
- Set up options in our application interface that allow customers to control how often they receive transaction alerts, notifications, reports, and other content by email
- Applied data minimization, so that we collect only the data points we need to serve our customers in the best way possible and eliminate all unnecessary data points
- Set up processes to ensure that we retain data for a maximum of 26 months after a customer has ceased to use our products and services by letting their subscription lapse (as opposed to an 'account delete', where all data is erased immediately)
3. Data Security
As part of our GDPR compliance strategy, we have laid special emphasis on data security measures. Specifically, we have:
- Ensured that all data, at rest or in transit, is secured by encryption using methods such as AES-256 and SSL/TLS (via Cloudflare.com)
- Ensured that access to customers' data is limited to select personnel only
- Ensured that access to servers and third-party applications is protected by multi-factor authentication to prevent unauthorized access
- Added a layer of registered email verification that ensures only real customers use our products and services, enhancing data protection for end users
- Added a layer of verification of the URLs encoded into QR Codes, using the Google Safe Browsing API, to restrict the use of malicious (infected) URLs, enhancing data protection for end users
- Set up logging on our servers and apps to provide investigation capabilities and accountability
- Set up processes to notify regulatory authorities and affected customers about data breaches within 72 hours
The General Data Protection Regulation (GDPR) is a European Union (EU) law that will come into effect on May 25, 2018. It has been approved by the European Union and introduces rules that are better suited to protecting the data and privacy rights of residents of the EU and the European Economic Area (EEA).
Some of the key points of GDPR include:
- It will replace the UK's Data Protection Act and the EU's Data Protection Directive, which came out in 1984 and 1995 respectively
- Companies, irrespective of their size, nature of work, and location, will now be responsible for notifying customers about the data they collect, process, and store. This means that companies will now have to explicitly state the purpose behind collecting data from users
- The scope of data collected will include any Personally Identifiable Information (PII) including contact details, payment information, posts and images on social media websites, medical information, and IP addresses
- Users now have stronger rights to know what data companies hold about them
- The data has to be managed using best practices of data security, including encryption
- If users feel any collected data is infringing upon their privacy, they will have the right to have the data deleted
- In the event of a data breach, be it accidental or part of an orchestrated cyber-attack, companies will have to disclose the attack to the concerned authorities within 72 hours of its occurrence
If you have any questions, you can reach out to us at [email protected]/brandbinary/
The following are the key stakeholders in GDPR:
- Data Subject: Any individual who constitutes the subject of the personal data
- Data Controller: An individual who establishes the purpose and methods of processing the personal data. This can be a legal or natural person, a public agency or authority which can work either individually or in tandem
- Data Processor: This is an individual who processes personal data in place of the Data Controller. It can include a legal or natural person, public agency, authority or any other body
- Joint Controllers: This constitutes two or more controllers who work in concord to establish the purpose and means of processing the personal data
- Representative: A natural or legal person in the European Union who has been designated by the controller or processor to represent them in carrying out their respective obligations
- Sub Processor/Third Party: A natural or legal person, agency or body, or public authority, other than the data controller, processor, subject, and persons who are authorized to process personal data under the direct authority of the data controller or processor
- Supervisory Authority: An independent public authority who has been appointed by any of the Member States of the European Union to continually keep checking that the laws are applied wherever applicable
In simple terms, any data which can be used to identify an individual is known as Personally Identifiable Information (PII). This includes, but is not limited to:
- Biometric and behavioral data
- Digital images
- Email and mailing addresses
- IP addresses
- Login IDs
- Phone numbers
- Social media posts
- Social security numbers, etc.
If you are using Brand Binary as a customer and have agreed to our terms of service, you do not need to sign an additional Data Processing Agreement. As of May 25th 2018, our user terms of service include a provision to ensure compliance with GDPR.
If you are a customer who needs further documentation of compliance with Brand Binary acting as a Processor (for example, as a customer who collects and processes the end user’s data via the Lead Generation feature through Brand Binary) you can sign our DPA as follows.
Here is a sample of what our DPA looks like: Brand Binary DPA
You can also request for a customised DPA Form Here: Request Data Processing Agreement
Any company which offers goods and services and processes the data of citizens of the European Union comes under the purview of GDPR, even if the company is not based in an EU country. This applies even if you are only sending newsletters and promotions to EU citizens.
This means that companies outside the EU serving EU residents will have to either become GDPR-compliant or face stringent penalties.
While users outside the EU do not fall under this regulation, GDPR does protect the interests of people visiting Europe even if they are not EU citizens.
Below is a list of the differences between the former DPA and the current GDPR:

| DPA (Data Protection Act) | GDPR (General Data Protection Regulation) |
|---|---|
| Came out in 1998 and covers information or data stored on a computer or in an organised paper filing system | Will come into effect on May 25, 2018 and replace the DPA |
| Applicable only in the UK | Applies both to companies based in the EU and to those based outside the EU that provide goods and services to EU citizens |
| Monitored by the Information Commissioner's Office (ICO) | Will be monitored by a Supervisory Authority (SA) in the UK and an SA in each of the other EU countries |
| No need for any business to have a dedicated DPO (Data Protection Officer) | DPO mandatory for any organization having more than 250 employees |
| No requirement for an organization to remove the personal data it holds on its customers | Every customer will have the right to have their data, including web records, permanently removed |
| Privacy Impact Assessments (PIAs) are not a legal requirement | PIAs will be mandatory |
| Breach notifications not mandatory for most organisations | Organizations must report data breaches of any nature within 72 hours |
| Maximum fine is 500,000 euros | Maximum fine is 4% of global annual turnover or 20 million euros, whichever is greater |
| Parental consent for minors not required | Parental consent for minors now mandatory |
It is not mandatory for any EU personal data to remain in the EU. The GDPR does not put any restrictions whatsoever on the transfer of personal data outside the European Union.
The financial liability for failing to comply with the GDPR is very high. Companies found to be in breach of the rules can be fined EUR 20 million or 4% of their global turnover, whichever is higher.