The General Data Protection Regulation (GDPR), which came into effect on May 25th, 2018 will set the new standard for consumer rights regarding the protection of their data across the world. The rationale behind the changes is to bring aging data collection practices up-to-date and incorporate data protection, privacy mandates, and best practices.

What is GDPR and does it apply to organizations outside the European Union(EU)?

The GDPR applies to any organization processing an individual’s personal data if the organization is either established in the EU, targeting in the EU, monitoring EU residents or performing these tasks as obligated via contract. While the GDPR is a EU privacy law, organizations outside the EU can also be subject to the GDPR if they hold and process personal data of EU citizens. The GDPR will give individuals more control over how their personal information is collected, transferred and protected. Additional information on GDPR can be found here.

---

How does the GDPR affect EverTrue?

EverTrue is committed to securely protecting our customers’ data and privacy and fully supports both the spirit and intent of the GDPR.

EverTrue is considered a “Data Processor” with respect to how we use and process the personal information of our customer’s constituents. EverTrue is considered a “Data Controller” with respect to how we use and process the personal information of users of EverTrue or prospective users or customers.

---

What steps has EverTrue taken to be compliant?

We took several steps to be GDPR compliant and ensure the highest levels of data protection and privacy:

• Personal Data Collection and Use - We completed a review of our policies and practices surrounding storage of personal data to ensure that such data is kept in a way that enables us to comply with the rights of individuals as provided under the GDPR.
• Release of a New EverTrue Privacy Policy - A new Privacy Policy was released on May 25th, 2018 that details our approach to the collection and use of personal information. This new policy also makes it clear how EU citizens can contact EverTrue for matters regarding their personal data, including the right to be forgotten and individual data access requests.
• Created new Customer Data Processing Agreement (DPAs) - EverTrue believes our customers should know what data we collect, how we use it, and that customers have control over it at all times. We also understand that adapting to GDPR can be challenging. To support our customers in their GDPR compliance journey, we have prepared a Data Processing Agreement (DPA) that summarises our customer’s data flow in EverTrue and the processes put in place to protect it. We reviewed the GDPR requirements with several sources and determined that since we are GDPR compliant and our customers often have a global presence, the best course of action for EverTrue is for all customers to have a DPA agreement in place. That DPA was delivered via email to a primary contact at your institution if you were an EverTrue customer prior to May 2018. All new customers (post-May 2018) will have this DPA included in their MSA.  

---

Can a Customer send personal data of EU constituents to EverTrue?

Organizations outside the EU can be subject to the GDPR if they hold and process personal data of EU citizens. Deciding whether to send such data to EverTrue is not necessarily relevant in determining whether the customer is legally subject to the GDPR.

---

How can I check if my organization is legally subject to the GDPR?

The content provided herein is provided for informational purposes only and is not meant to serve as legal advice. If you believe your organization could be subject to the GDPR, it is best to work with your legal advisor, who is familiar with your practices and constituents, to determine your obligations under existing laws.

---

For any other questions reach out to EverTrue Support at genius@evertrue.com.