The following article provides an overview of how GDPR (The EU General Data Protection Regulation) may affect you, changes Arlo has made to help you meet your obligations, as well as considerations for your processes.
Important note: This article is not an exhaustive list of changes you need to make and is not legal advice. We recommend you consult a specialist in GDPR legislation to ensure you are meeting your obligations as the Data Controller.
What is GDPR?
The EU General Data Protection Regulation (GDPR) is a new EU-wide set of data protection regulations that come into force on May 25th 2018. It supersedes the existing regulations with the aim of making data protection rules more unified and more comprehensive. It is the largest and most important change to data privacy regulation in 20 years. It recognises the changes to how data is collected, stored, and used with the increasing use of internet and cloud technologies.
It means your customers have the right to control the data you hold and process for them in these ways:
- The right to be informed
- The right of access
- The right to rectification
- The right to erasure
- The right to restrict processing
- The right to data portability
In terms of how GDPR affects you and Arlo, you are the Data Controller, which means you are the party primarily responsible for managing the data collected and you carry the data protection responsibility for it. Arlo is the Data Processor, which acts on your instructions on what data to process and how to process it.
We have been working to meet our obligations as a Data Processor and to help you with your obligations as the Data Controller.
Does GDPR affect my organisation?
GDPR may affect all of Arlo's customers in some way. If you are unsure of your obligations, please consult a lawyer specialising in GDPR.
Organisations who are based in the EU
Organisations who are based in or have offices in the EU will all have obligations under GDPR.
Organisations who may conduct business in the EU
If you conduct any business within the EU, for example if you hold events within EU countries, you may have obligations under GDPR.
Organisations who may hold data of anyone in the EU
Even if you don't conduct business within the EU, you may have obligations under GDPR if you have, or may have, personal information of people within the EU. For example, you may run an online event or course advertised globally that someone from the EU will participate in and that you will hold data for.
For organisations with no business or contacts within the EU, GDPR can still be seen as best practice for your collection of and use of data, as countries around the world are looking to tighten their data protection laws. GDPR would serve as a good baseline for a general approach to privacy. Aligning your processes in Arlo now with GDPR will also help you meet your obligations if you are to hold any business or customer data within the EU in the future.
What changes is Arlo making to help us comply with GDPR?
How Arlo helps you achieve your compliance as a Data Controller
- By storing customer data in Arlo, you benefit from Arlo’s best practice compliance with respect to data storage and security. For example, all data in Arlo is encrypted at rest and stored in AWS, a provider that is fully compliant with GDPR.
- We’re enhancing Arlo to help you stay GDPR compliant while continuing your business activities. For example, we're adding explicit configurable consent fields into our registration process to allow you to capture and store specific consent for data processing activities.
Arlo will be making enhancements to the Arlo platform to help you meet your obligations
The following is a list of enhancements to the Arlo platform, with links to learn more:
- Explicit consent fields and data restriction fields with version control. These allow you to get a complete snapshot of the customer's consent at the time it was given.
- A new Contact Report.
When will these changes be available?
We are working to have these changes to the platform available to all customers by the middle of May 2018.
We recommend you start aligning your processes in Arlo with the changes we are making now in preparation for May 25th 2018.
What considerations do I need to make for my processes in Arlo?
Consent to hold data for processes related to marketing
Determining the legal basis for sending marketing to your subscribers is important. Your team may have determined that explicit consent is required. Arlo supports this by allowing you to add one or more consent checkboxes to your registration forms. These checkboxes are a special type of field in Arlo (quite different to custom fields) that allow you to capture the consent response and report on a snapshot of that consent at the time it was given.
GDPR requires that you make certain parts of these policies clear, such as what data you collect, why you are collecting it, what you use that data for, and what other companies you might share that data with. Learn where to update these.
You should also make it clear to your users that you use processors such as Arlo to process and store some of their personal data. You can disclose this by making sure that you have Arlo included on any web page you have that lists your data sub-processors and ensuring that your terms and conditions and privacy policies clearly state this.
When a customer requests to have their information deleted (the right to erasure)
If a customer requests that you delete their data:
- Ensure you are not deleting any data that you need for other laws superseding GDPR. For example, you may be required to hold certain data for financial transactions.
- Check for and merge any duplicate data for this contact.
- Email firstname.lastname@example.org with:
  - The contact's full name and email address
  - A request to delete each part of the data, for example, all contact, registration, and invoice data.
Note: You may also need to repeat this for your other business systems that may or may not integrate with Arlo, for example, your accounting system, CRM, or campaign management system. Arlo may not necessarily delete the contact data in integrated systems when you delete data in Arlo. Click here to see more information about Arlo's subprocessors.
If you send campaigns to your contacts and previous registrants, and you capture their consent on your registration forms, you can use query filters to identify only those prospects who have given consent.
To help you update the consent status of existing contacts, you can edit existing contacts' consent, where you have their permission.
Data Processing Agreements (DPAs)
As a Data Processor, Arlo allows customers to enter into a Data Processing Agreement (or Data Protection Addendum) that establishes a legal basis for allowing Arlo to process data for you as a Data Controller.
You can request a DPA from Arlo for your organisation at any time by emailing email@example.com.
Do I need a Data Processing Agreement?
As per GDPR Article 28(3), you need a DPA in place with all processors you have engaged (including Arlo) that process personal data for you as a Data Controller.
How can I find out more?
Arlo will provide a video by May 11th to demonstrate the changes we are making to the platform. We will email this to all of our customers and also provide a link here when this is available.
If you have any further questions about Arlo and GDPR, please email firstname.lastname@example.org.