Though it was drafted and passed by the European Union (EU), it imposes obligations onto organizations anywhere, so long as they target or collect data related to people in the EU.

General Data Protection Regulation (GDPR) is the toughest privacy and security law in the world.

The regulation was put into effect on May 25, 2018. The GDPR will levy harsh fines against those who violate its privacy and security standards, with penalties reaching into the tens of millions of euros.

With the GDPR, Europe is signaling its firm stance on data privacy and security at a time when more people are entrusting their personal data with cloud services and breaches are a daily occurrence. The regulation itself is large, far-reaching, and fairly light on specifics, making GDPR compliance a daunting prospect, particularly for small and medium-sized enterprises (SMEs).

Roles in GDPR

The GDPR defines an array of legal terms at length. Below are some of the most important ones that we refer to in this article:

  • Personal data — Personal data is any information that relates to an individual who can be directly or indirectly identified. Names and email addresses are obviously personal data. Location information, ethnicity, gender, biometric data, religious beliefs, web cookies, and political opinions can also be personal data. Pseudonymous data can also fall under the definition if it’s relatively easy to identify someone from it.
  • Data subject — The person whose data is processed. These are your member, customers or site visitors.
  • Data controller — The person who decides why and how personal data will be processed. If you’re an owner or employee in your organization who handles subscription data, this is you.
  • Data processor — A third party that processes personal data on behalf of a data controller. This is Us (Upodi red.).
  • Data processing — Any action performed on data, whether automated or manual. This is what Upodi does as a data processor on your behalf, as the data controller.

Should I avoid storing any data then?

The simple answer is NO. GDPR is about explaining the use of the data, not prohibit the storing the data. In addition, there are several country specific laws that might require that you store data. Examples of these are the Act of Bookkeeping ("bogføringsloven") in Denmark, similar used in the Nordics.

Any subscription business store various data on its members, users and/or tenants. Most of these data are not subject to the scope of Personal Data.

Safe data to store

To allow proper invoicing and payment processing, storing the following information is a minimum requirement:

  • Name and/or company name.
  • Address, zip, postal and city.
  • Country.
  • Email address and/or phone number.
  • Customer number, id or identification.

Unsafe to store

Though Upodi provide the ability to store any type of data, we suggest to avoid storing the following Personal Data:

  • CPR, citizen, personal number
  • Biometrics information such as shoe-sizes, clothes-sizes, food and allergies preference
  • Medical information
  • Any health oriented information

Should you require to store some of these data due to the nature of your subscription business, allow us to help you with a data termination service as part of Upodi, which cleanses data from dormant and cancelled members, users and/or subscriptions.

Acting on request

Moreover you must document, explain and act on the data subjects’ privacy rights:

  • The right to be informed
  • The right of access
  • The right to rectification
  • The right to erasure
  • The right to restrict processing
  • The right to data portability
  • The right to object
  • Rights in relation to automated decision making and profiling.

Our API allow you to retrieve the full dataset of any member, enabling you to provide the full data subject overview to any request.

What’s Next
  • Read about using the API to present data subject.