Wicket and GDPR
Data privacy is an extremely important topic, and lately, we’ve seen more and more media coverage and discussion about it. High-profile data breaches, and misuse and abuse of Facebook user data by third parties, have dominated the headlines for the past few months. Governments across the world have been working for years on creating laws that adequately protect consumers’ privacy. The European Union is set to release the newest consumer privacy laws this month.
On May 25, 2018, the EU General Data Protection Regulation (GDPR) comes into effect. This new regulation replaces Data Protection Directive 95/46/EC and harmonizes data privacy laws across Europe. The GDPR affects any person, organization, or entity who processes and/or stores data of citizens of the EU. Wicket and some of our clients fall under these new regulations.
Your organization as the Data Controller
Article 4 of the GDPR defines “Data Controller” as:
“(7) ‘controller’ means the natural or legal person, public authority, agency or other body which, alone or jointly with others, determines the purposes and means of the processing of personal data; where the purposes and means of such processing are determined by Union or Member State law, the controller or the specific criteria for its nomination may be provided for by Union or Member State law;”
By collecting the data from your EU members or contacts, you and your organization are acting as the Data Controller. This data includes an EU citizen’s name, email, social media posts, IP addresses, or other metadata. So, how can you comply?
- Ensure you have obtained explicit, opt-in, and freely given consent from the user to gather and store their data. This consent can be withdrawn by the user at any time.
- When requested by a user, you must permanently delete all personal data you have collected about them.
- When requested by a user, you must provide them with all personal data you have collected about them.
- We recommend seeking legal advice to ensure your Privacy Policies cover you under the GDPR, as you must be clear in how you are storing and using personal data.
Wicket as the Data Processor
Article 4 of the GDPR defines “Data Processor” as:
“(8) ‘processor’ means a natural or legal person, public authority, agency or other body which processes personal data on behalf of the controller;”
Your user data is processed and stored by Wicket. Wicket can help you obtain explicit consent from users, delete user data, and export collected data. For deletion and export of data, please contact Wicket Support.
Wicket’s data is processed and stored on servers located in Canada. Canada is listed as a “Secure third country” by the European Union. The EU has confirmed that commercial organizations within Canada must adhere to privacy laws comparable to those in the EU. This means that data of EU citizens can be transferred to, and processed by, Wicket.
Wicket uses several industry-leading sub-processors for services such as hosting, email processing, credit card processing, and service monitoring. The services are as follows, and all have voluntarily certified to the U.S. Department of Commerce that they comply with the EU-U.S. Privacy Shield Framework:
- Amazon Web Services: Host for Wicket
- Postmark by Wildbit: System email processing for Wicket
- Sentry by Functional Software: Error logging and monitoring for Wicket
- Geocoding of person record addresses for displaying on Google Maps
- Credit card processing in Wicket. Moneris is a Canadian company and therefore can store, process, and transfer EU data.
- Feature usage tracking in Wicket
- Support ticket & knowledgebase system
If you have any questions about Wicket’s role in helping you adhere to GDPR, please reach out to Wicket Support. For legal questions, we suggest seeking legal counsel.