ConnectWise partners

Are you ready for GDPR?

GDPR is here. Ensure your company has a sound strategy around personal data collection!

ConnectWise has self-certified to the EU-U.S. Privacy Shield and has used Privacy Shield as the basis to transfer EU personal data to the US in compliance with the EU data protection requirements in the GDPR. On July 16, 2020, the Court of Justice of the European Union issued a judgment declaring the EU-U.S. Privacy Shield Framework is no longer a valid mechanism for such transfers. This decision does not relieve participants in the EU-U.S. Privacy Shield of their obligations under the EU-U.S. Privacy Shield Framework. The U.S. Department of Commerce will continue to administer the Privacy Shield program and ConnectWise will continue to participate in the EU-U.S. Privacy Shield.

The GDPR provides for other valid legal mechanisms (including EU Standard Contractual Clauses) for ConnectWise to transfer personal data from the European Economic Area to the US in relation to ConnectWise's services. ConnectWise has updated our Data Processing Addendum to implement the Standard Contractual Clauses in place of Privacy Shield.

Even though Privacy Shield is no longer a lawful basis for transfer, ConnectWise will continue to participate in and maintain its certification under Privacy Shield. This means that ConnectWise will continue to fulfill its Privacy Shield obligations, including adhering to the Privacy Shield principles in respect of the data that ConnectWise collected under Privacy Shield. ConnectWise will also continue to offer the Privacy Shield arbitration and redress mechanisms.

What is GDPR?

GDPR refers to the European Union General Data Protection Regulation. It’s arguably one of the most notable privacy and data protection regimes, particularly because of its far-reaching application. GDPR is intended to streamline and harmonize several different privacy laws that existed across individual European Union Member States. GDPR is designed to empower individual data subjects, giving them more control over their own privacy and the usage of their personal data.

"Personal data is any information relating to an individual, whether it relates to his or her private, professional, or public life. It can be anything from a name, a home address, a photo, an email address, bank details, posts on social networking websites, medical information, or a computer’s IP address."

— The European Commission

Why should partners care?

This new regulation strengthens previous data protection efforts in the EU, providing additional enforcement powers for protecting data subjects’ personal information. The GDPR spells out the rights of data subjects, including:

Right to consent

Companies must generally provide a clear and legible way to obtain consent from data subjects before processing their personal data. It must be as easy for an individual to withdraw consent as it is for the individual to give it.

Right to access

Data subjects have the right to access their personal data and obtain information on how their personal data is being utilized by a company.

Right to be forgotten

Data subjects have the right to request that any personal data collected from them be erased by the same companies that collected it, subject to certain conditions.

In addition, GDPR imposes mandatory breach notification obligations whenever a company experiences a data breach that is likely to “result in a risk for the rights and freedoms of individuals”. There are incentives for regulators across Europe to enforce these personal data rights; companies found to be in non-compliance with certain GDPR requirements can be fined up to 4% of their total worldwide annual revenue or €20 million (whichever is greater).

How far does GDPR reach?

As mentioned, one of the most notable changes from the existing EU framework is GDPR’s far-reaching application. Per the EUGDPR.org website, the rules apply to both controllers and processors, meaning 'clouds' will not be exempt from GDPR enforcement. So even if your organization does not have a physical presence in the EU, you may be subject to GDPR.

What should you do?

If you’re not GDPR compliant, now is the time to become compliant. Partners may consider conducting a GDPR assessment and obtaining legal counsel for their business to advise on GDPR obligations. As part of the process, partners may consider reviewing their data collection policies and processes and taking steps to understand what personal data the company collects and where it’s stored. Can you provide a well-defined purpose for collecting each piece of data from your customers, if asked? Do you have clear mechanisms to obtain consent where required? Be prepared!

 

See the ConnectWise GDPR Readiness checklist >>

Helpful links to learn more

The EU’s GDPR homepage 

A PDF version of the GDPR (as of April 6, 2016)

Cloud Services Provider AWS GDPR Compliance

Cloud Services Provider Azure GDPR Compliance

Microsoft’s GDPR Policy

Please be advised that ConnectWise is not your attorney, and this information is not legal advice. This information does not provide, does not constitute, and should not be construed as, legal advice. It is for educational purposes only and is not to be acted or relied upon as legal advice. Use of this information does not create any attorney-client relationship between you and ConnectWise. The information does not constitute legal advice and is not a substitute for competent legal advice from a licensed attorney representing you in your jurisdiction. Partners should seek advice from their legal counsel to determine their legal obligations.