The following article provides an overview of how GDPR (The EU General Data Protection Regulation) may affect you, changes Arlo has made to help you meet your obligations, as well as considerations for your processes.
If you want to learn how to capture and report on data consent in Arlo, see this article instead.
This article is not an exhaustive list of changes you may need to make and is not legal advice. We recommend you consult a specialist lawyer in GDPR legislation to ensure you are meeting your obligations as the Data Controller.
The EU General Data Protection Regulation (GDPR) is a new EU-wide set of data protection regulations that came into effect on May 25th 2018. It supersedes the existing regulations with the aim of making them more unified and more comprehensive. It is the largest and most important change to data privacy regulation in 20 years. It recognises the changes to how data is collected, stored, and used with the increasing use of internet and cloud technologies.
It means your customers have the right to control the data you hold and process for them in these ways:
- The right to be informed
- The right of access
- The right to rectification
- The right to erasure
- The right to restrict processing
- The right to data portability
In terms of how GDPR affects you and Arlo, you are the Data Controller, which means you are the party primarily responsible for managing the data collected and you carry the data protection responsibility for it. Arlo is the Data Processor, which acts on your instructions on what data to process and how to process it.
We have been working to meet our obligations as a Data Processor and to help you with your obligations as the Data Controller.
GDPR may affect all of Arlo's customers in some way. If you are unsure of your obligations, please consult a lawyer specialising in GDPR.
Organisations who are based in the EU
Organisations who are based in or have offices in the EU will all have obligations under GDPR.
Organisations who may conduct business in the EU
If you conduct any business within the EU, you may have obligations under GDPR. For example, if you hold events within EU countries.
Organisations who may hold data of anyone in the EU
Even if you don't conduct business within the EU, you may have obligations under GDPR if you have, or may have, personal information of people within the EU. For example, you may run an online event or course advertised globally that someone from the EU will participate in and that you will hold data for.
For organisations with no business or contacts within the EU, GDPR can still be seen as best practice for your collection of and use of data, as countries around the world are looking to tighten their data protection laws. GDPR would serve as a good baseline for a general approach to privacy. Aligning your processes in Arlo now with GDPR will also help you meet your obligations if you are to hold any business or customer data within the EU in the future.
How Arlo helps you achieve your compliance as a Data Controller
- By storing customer data in Arlo, you benefit from Arlo’s best practice compliance with respect to data storage and security. For example, all data in Arlo is encrypted at rest and stored in AWS, a provider that is fully compliant with GDPR. Learn more.
- We’re enhancing Arlo to help you stay GDPR compliant while continuing your business activities.
What enhancements has Arlo made to help meet GDPR obligations?
The following is a list of enhancements to the Arlo platform, with links to learn more:
- Explicit consent fields and data restriction fields with version control. Allows you to get a complete snapshot of the customer's consent at the time it was given.
  - This includes an enhancement to our contact importer to allow you to import consents you have already received from your customers.
- Explicit, configurable consent fields in the registration and leads processes and on contacts, allowing you to capture and store specific consent for data processing activities. Learn more.
- A new Contact Report to help you report on your customers' consent status.
- Enhancement to campaigns to add only prospects who have given their consent.
- Single Sign On (SSO) to our management platform
- Password protection enhancement to scheduled reports.
GDPR requires that you make certain parts of these policies clear, such as what data you collect, why you are collecting it, what you use that data for, and what other companies you might share that data with.
You should also make it clear to your users that you use processors such as Arlo to process and store some of their personal data. You can disclose this by making sure that you have Arlo included on any web page you have that lists your data sub-processors and ensuring that your terms and conditions and privacy policies clearly state this.
If a customer requests that you delete their data:
- Ensure you are not deleting any data that you need for other laws superseding GDPR. For example, you may be required to hold certain data for financial transactions.
- Check for and merge any duplicate data for this contact.
- Email firstname.lastname@example.org with:
  - The contact's full name and email address
  - A request to delete each part of the data, for example, all contact, registration, and invoice data.
Arlo will overwrite the contact's record with blanks and set their record to archived. Any notes, leads, tasks, documents and emails (excluding invoices and credit notes) associated with the contact will be deleted.
The contact record will be immediately marked as archived, and any existing newsletter subscriptions and consents will be cleared.
For any orders where that individual is the order billing contact:
- The orders will remain in the system but with the contact's name and address on the order screen redacted with "(Erased)"
- Any existing invoices you've sent out for those orders will remain in the communication log with all details visible (including the name of the contact recipient and their billing address)
- The order financial figures themselves won't be changed
- Any registrations associated with the order and events will remain, but with the details of the contact being erased as appropriate
- Details of other individuals (as order contacts or registrants) will not be affected
The personal details of the individual may still be accessible via any exported reports you've generated and that Arlo will have saved in the communication log, for example, in PDF, XLS or CSV export attachments. If this is a concern, we can also purge all attachments saved in the communication log. We are not able to selectively delete attachments, so they would all need to be purged if you would like a complete erasure down to this level. By default we will not purge attachments from the log unless you request this.
While we delete all notes and data directly associated with a contact, references to their personal details may still appear in the content of *other* contacts, such as in custom fields, notes, and tasks, or anywhere that your administrators can type their own text or note content. You may need to review the details of related contacts or organisations to see if there is a mention of them by name and delete those notes.
You may also need to repeat this for your other business systems that may or may not integrate with Arlo, for example, your accounting system, CRM, or campaign management system. Arlo may not necessarily delete the contact data in integrated systems when you delete data in Arlo. Click here to see more information about Arlo's subprocessors.
If you send campaigns to your contacts and previous registrants, and you capture their consent on your registration forms, you can use query filters to identify only those prospects who have given consent.
To help you update the consent status of existing contacts, you can edit existing contacts' consent, where you have their permission. Learn more.
As part of the Master Subscription Agreement, Arlo's customers enter into a Data Processing Agreement (or Data Protection Addendum) that establishes a legal basis for allowing Arlo to process data for you as a Data Controller.
You can read the Master Subscription Agreement here.
Do I need a Data Processing Agreement?
As per GDPR Article 28(3), you need a DPA in place with all processors you have engaged (including Arlo) that process personal data for you as a Data Controller.