GDPR and Cflow
This article covers what EU’s GDPR is about, as well as the features and capabilities of Cflow that can help you build GDPR compliant custom apps/workflows.
Note: The content presented in this page is not to be construed as legal advice. Please contact your legal counsel to learn how GDPR impacts your organization and what you need to do to comply with GDPR.
What is GDPR?
The European Union (EU)’s General Data Protection Regulation (GDPR) is a new regulation that came into effect on the 25th of May, 2018. It aims to harmonize the data privacy laws across the EU, and (in particular) protect the rights of residents of the EU with regard to the processing of their personal data. It recognizes the data privacy rights of EU residents and lays down rules relating to the processing of their personal data.
At its core, the GDPR aims to give EU residents full control over their personal data.
What is Personal Data?
In the context of GDPR, personal data is any data that can directly or indirectly help identify a natural person. This includes, but is not limited to: name, address, phone number, email address, IP address, habits, and photos.
When and Where Does GDPR Come Into Play?
GDPR applies to any activity that collects or processes the personal data of EU residents. It does not matter whether that activity takes place inside the EU or not: GDPR has a global reach.
Why Be GDPR Compliant?
EU’s GDPR came into effect on the 25th of May, 2018. It is legally binding. The concerned Supervisory Authority (as defined by GDPR) may fine the non-compliant person or organization up to 20 million Euros or 4% of their annual worldwide turnover from the preceding year, whichever is higher. Fines serve two purposes:
- A deterrent, so that Data Controllers and Data Processors act responsibly, and adhere to GDPR’s guidelines
- A compensation for the persons who have suffered material or non-material damage as a result of an infringement of GDPR
Key Roles that GDPR Identifies
- Data Subject: A resident of the EU from whom, or about whom, data is collected and/or processed
- Data Controller: The person or organization that defines the purpose and means of collecting and processing data
- Data Processor: The person or organization that processes the collected data on behalf of the Data Controller
In this context, the following two scenarios come into play:
- When you sign up with Cavintek’s Cflow, you act as the Data Subject and Cavintek acts as the Data Controller.
- When you use Cflow to build an app, the natural persons that you collect data about (for instance, the users you share your app with or who use your app) act as the Data Subjects for that app. You act as the Data Controller and Cavintek acts as the Data Processor.
Addressing rights of Data Subjects
The following are the Data Subject Rights that GDPR identifies, and how Cflow helps you address them in your apps/workflows:
Right to be informed: Add a Large Text Box field to your form
Right to access, right to erasure, and right to be forgotten: You need to forward the requests you receive from your users to email@example.com. Our Support team will analyze the request and guide you on how to act on it.
- With their right to access, the Data Subject can demand that Data Controllers furnish the following: the personal data (of the Data Subject) that was collected and processed, how it was obtained, how it is processed, and with whom it was shared — all the details from point of collection to point of storage
- With their right to erasure, the Data Subject can demand that Data Controllers erase all their personal data
- With their right to be forgotten, the Data Subject can demand that their data be completely erased
Right to rectify: Users can edit their records by accessing the respective reports.
- The Data Subject has a right to obtain from the Data Controllers, without undue delay, the rectification of inaccurate personal data concerning them, and to have any incomplete data completed.
Right to object to processing of their personal data: Add a Confirmation checkbox to your form
- Use separate Confirmation checkbox fields to capture the Data Subject’s consent to process their personal data, and define your workflows so that these permissions are checked before the data is processed. To give or withdraw their permission, the Data Subject can simply update the relevant field accordingly.
Right to data portability: Data submitted by your users can be exported as spreadsheets and PDFs
- The Data Subject has a right to receive all the personal data they submitted to the Data Controller. To do this, users can simply export their records from reports.
Implement some best practices
You can leverage the features and capabilities of Cflow to implement the following in your apps: