GDPR Frequently Asked Questions
What is GDPR?
The General Data Protection Regulation (GDPR) applies to all companies processing the personal data of people in the EU, regardless of the company’s location. Compliance with this regulation has been in effect since 25 May 2018.
The intent of GDPR is to give individuals (who are known in the regulation as “Data Subjects”) control of their personal data. For many activities, this requires IEEE to get consent from or provide notification to a person in order to be able to use their personal data (see FAQ, “What is consent?”). There are other ways to lawfully process personal data – see FAQ, “Is Consent the only way to lawfully process personal data under GDPR?”.
For IEEE, that means data about anyone who interacts with us, including members, customers, potential customers, and so on may be covered by GDPR.
All IEEE activities must comply with this regulation, and any other applicable data privacy regulations (such as HIPAA and CASL, Canada’s Anti-Spam Law) currently in effect.
IEEE is considered a Data Controller because it is an entity that determines the purposes, conditions, and means of the processing of personal data. IEEE staff must also comply with data privacy regulations.
What is personal data?
Personal data is defined as any information relating to an identified or identifiable person. An identifiable natural person is one who can be identified, directly or indirectly, in particular by reference to information such as a name, telephone number, email address, location data, IP address or to one or more factors specific to the physical, physiological, genetic, mental, economic, cultural, or social identity of that person.
Some personal data may be considered “sensitive” and require special care such as encryption. Sensitive data includes categories such as:
- Racial or ethnic origin
- Political opinions
- Religious or philosophical beliefs
- Trade union membership
- Genetic data
- Biometric data for the purpose of uniquely identifying a natural person
- Data concerning health or a natural person’s sex life and/or sexual orientation
Anyone collecting sensitive personal data should also consider the need for the collection, processing, and storage of that data, and determine if it is truly necessary. Because IEEE volunteers conduct much of the activity of the organization, this includes any work that brings volunteers into contact with, and control of, personal data.
Additionally, these requirements would apply to third-party sources of personal data such as event registration vendors, market research companies we’ve contracted with, and the like. The current version of IEEE’s Master Service Agreement, available on the IEEE Strategic Sourcing contracts template page, includes the required language.
What is Consent?
For privacy purposes, we ask people if we may use their data for specific purposes. At IEEE (and at many other companies), we list how a person’s data will be used (at a high level) in our Privacy Policy, then ask each person to accept that policy. This acceptance becomes their consent for the uses outlined in the Privacy Policy.
Related information:
- You can find the IEEE Privacy Policy as a link on many of our web sites’ home pages.
- Consent is not required for many uses of a person’s data. For example, if a person purchases an IEEE membership (or IEEE product, etc.), IEEE will provide member services that are included with the membership. See FAQ, “Is Consent the only way to lawfully process personal data under GDPR?”, for more detail.
- In addition to consent, some IEEE groups provide granular subscriptions (opt-in or opt-out). For example, an individual may accept the Privacy Policy but opt out of emails. See FAQ on subscriptions for more information.
At IEEE, does GDPR apply just to data from people in the EU?
Because protecting privacy is important to IEEE and to ensure all relevant data is covered, we made the decision to work to apply the protections of GDPR to all personal data, regardless of the geographic source of that data.
What are the risks and consequences if IEEE does not comply with GDPR?
Not complying with GDPR brings both reputational and financial risk to IEEE. If we do not adequately protect personal data, individuals may be reluctant to engage with IEEE. In addition, the regulation does provide for significant financial penalties for non-compliance. EU regulators have the authority to levy a fine in an amount that is up to the GREATER of €20 million (well over $20 million US) or 4% of global annual turnover in the prior year.
How is IEEE collecting consent to use people’s data?
For IEEE, the primary method of getting consent is through acceptance of the IEEE Privacy Policy. The Privacy Policy describes a number of ways that IEEE may use personal data, including categories such as:
- To communicate with you about a meeting, conference, or event
- To administer products
- To process transactions
We are collecting acceptance of the Privacy Policy through many interaction points (such as when members join or renew, when a person registers for an event, etc.). For the most part, anytime we are collecting personal data, we should be collecting acceptance of the Privacy Policy or confirming that the individual has already accepted it.
In addition to the Privacy Policy, some activities may have separate terms and conditions that individuals must accept. For example, when signing up for automatic renewal of membership, individuals must accept terms and conditions about charging of their credit card and that all selected memberships will be automatically renewed. Similarly, joining IEEE or registering for conferences will have specific terms and conditions that need to be accepted.
In order to efficiently collect acceptance data, we have begun using a centralized Consent Management System. This tool can be integrated into websites and applications. For more details, see the information below on integrating the IEEE Consent Management System into your websites. This system will be our foundation to track and manage consent, subscriptions, and other points of user information. If you are working on an activity or event that has terms and conditions, you need to pass that information to the Consent Management System.
Any application that uses Single Sign On will already confirm whether or not a person has accepted the Privacy Policy.
Is Consent the only way to lawfully process personal data under GDPR?
No, the GDPR specifies a number of allowable reasons for processing personal data, including contractual obligations and legitimate interests.
Contractual Obligations: It may be necessary to process some personal data to meet your contractual obligations with a member or customer. For example, when people order a digital product, you need their email address to deliver it.
Legitimate Interest: You may be able to use personal data in ways people would reasonably expect and which have a minimal privacy impact, or where there is a compelling justification for the processing.
For example, organizations such as IEEE have legitimate interest in protecting against piracy and IP theft. To do so, we may track excessive downloads from IEEE Xplore, which may include capturing some personal data such as IP address. Similarly, we may rely on consent (that is, acceptance of the Privacy Policy) for our marketing communications, but may rely on legitimate interests to justify analytics to inform our marketing strategy and to enable it to enhance and personalise the “consumer experience” we offer customers and members.
When using legitimate interest as the reason for processing personal data, we need to document the reasoning behind that, prior to doing so. This documentation would include:
- Purpose test – is there a legitimate interest behind the processing or communication?
- Necessity test – is the processing necessary for that purpose?
- Balancing test – is the legitimate interest overridden by the individual’s interests, rights or freedoms?
The test for legitimate interest will be applied as appropriate by the GDPR Taskforce on behalf of the business to ensure that they are completed correctly and we have a record of their applicability. Individual business groups should contact IEEE’s DPO if they have any questions.
What rights does someone have under the GDPR?
Under GDPR, individuals may have certain rights to control their personal data. Key among these are:
- Right to be Forgotten/Erasure: Individuals may require IEEE to erase their personal information from databases.
- Right to Access/Data Portability: Individuals have the right to know what data we have on them and, if asked, the Data Controller must provide a copy of their personal data in a commonly used and machine-readable electronic format.
- Right to Rectification: Individuals have the right to correct or supplement incomplete or incorrect information.
- Right to Object: Individuals have the right to object to the processing or use of their data, including direct marketing.
If an individual wishes to avail themselves of these rights, they need to send an email to privacy@ieee.org with the phrase “GDPR Request” in the subject line.
This email will trigger a process that has been developed to roll this request out to all OUs to determine what information we have on that individual and how we can respond to their request.
All staff and volunteers managing personal data may then be required to search their data for the individual making the request, take the needed action (e.g., delete, make a copy, etc.), and report back to the staff lead for Data Subject Requests in their OU.
How do I determine if I can send an email to a list of people?
IEEE has a number of tools that can be used to communicate with members or customers and still ensure we remain compliant. IEEE systems or services such as the self-managed vTools eNotice or staff-managed BDRS have the ability to confirm acceptance of the privacy policy and only send emails to individuals who have indicated acceptance.
For other lists, IEEE has developed a List Verification tool for staff and volunteers that can compare email addresses to the master database of those that have accepted the privacy policy. Information for that tool is available via the List Validator link on the GDPR Resource Page.
Specific guidelines are being developed to help volunteers and staff to understand when it is appropriate to communicate with users based on interactions beyond consent. These will also include when not to include someone in generalized marketing outreach.
If I collect data offline or from a tool not connected to the consent management system, how do I get that consent into the Consent Management System?
IEEE has developed a List Upload tool that staff and volunteers can use to add the information of those that have accepted the privacy policy to the master database.
Instructions for using the tool will be available via the List Validator link on the GDPR Resource Page.
How do I handle data breaches?
A data breach is “a breach of security leading to the accidental or unlawful destruction, loss, alteration, unauthorised disclosure of, or access to, personal data transmitted, stored or otherwise processed.” This could include a lost or stolen laptop that contains personal data, the accidental emailing of personal data to non-authorized users, and so on.
Under GDPR, IEEE has only 72 hours to notify EU authorities after discovering a data breach, so rapid action is important. If you suspect a data breach, immediately contact the IEEE IT Security Team at IT-Security@ieee.org.
What do I need to do for websites I manage?
There are two key actions that website owners should take. First, IEEE websites need to display a specific cookie notice when people first visit that website. This banner alerts people when they first visit a website that we are using cookies and provides a link to the privacy policy.
Instructions for adding the cookie banner are available via the Cookie Collection link on the IEEE GDPR Resources Page.
Secondly, for websites that collect personal data, website managers should connect to the IEEE Consent Management System. Instructions are available on the IEEE GDPR Resources Page.
Can Anonymization, Pseudo-anonymization, and Encryption help?
Yes, if correctly done. Anonymization, where it is no longer possible to identify specific individuals, takes that data out of the scope of GDPR. Where appropriate, data should therefore be anonymized.
Pseudo-anonymization, where an individual can only be identified with additional information (such as a token or a look-up table) can be an important part of privacy by design and reduce the risk of leaking personal data. However, that data is still under the scope of GDPR.
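The distinction drawn above, shown in code: the direct identifier is replaced by a keyed token and the token-to-email table is held separately, so the records can only be re-identified with that additional information (and therefore stay in GDPR scope), while aggregation with no identifier at all is what takes data out of scope. This is an added example, not IEEE code; the records are constructed sample data, and the key and table are assumed to be stored apart from the pseudonymized records.

```python
import hashlib
import hmac
import secrets

# Constructed sample records (not real data).
SAMPLE = [
    {"email": "alice@example.org", "downloads": 12},
    {"email": "bob@example.org", "downloads": 3},
    {"email": "alice@example.org", "downloads": 7},
]


def make_token(email: str, key: bytes) -> str:
    # A keyed HMAC rather than a bare hash: a bare SHA-256 of an email can be
    # reversed by hashing guessed addresses, so the secret key (kept apart
    # from the data) is what makes the token a pseudonym and not an alias.
    digest = hmac.new(key, email.strip().lower().encode(), hashlib.sha256)
    return digest.hexdigest()[:16]


def pseudonymize(records, key: bytes):
    """Replace the identifier with a token. Returns the pseudonymized records
    and the lookup table (token -> email) that must be held separately; anyone
    holding the table or the key can re-identify, so this is still personal data."""
    table = {}
    out = []
    for rec in records:
        token = make_token(rec["email"], key)
        table[token] = rec["email"]
        out.append({"subject": token, "downloads": rec["downloads"]})
    return out, table


def reidentify(pseudo_records, table):
    """With the lookup table, the original records are recovered."""
    return [{"email": table[r["subject"]], "downloads": r["downloads"]}
            for r in pseudo_records]


def anonymize(records):
    """Aggregate so that no output value refers to an individual; only this
    form is outside the scope of GDPR."""
    return {"subjects": len({r["email"] for r in records}),
            "total_downloads": sum(r["downloads"] for r in records)}


if __name__ == "__main__":
    key = secrets.token_bytes(32)  # generate once, store away from the data
    pseudo, table = pseudonymize(SAMPLE, key)
    print(pseudo)                   # tokens only, same person -> same token
    print(reidentify(pseudo, table))
    print(anonymize(SAMPLE))
```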
Similarly, encryption, while not mandatory under GDPR, is another tool that we can use to protect personal data. This includes such practices as only transmitting personal data through secure methods (for example, using SFTP rather than FTP), encrypting laptops or portable storage devices that contain personal data, ensuring websites use “https” rather than “http,” and so on.
What is Do Not Track (DNT)?
When you browse the web on computers or mobile devices, you can send a request to websites not to collect or track your browsing data. It’s turned off by default. However, what happens to your data depends on how a website responds to the request. Many websites will still collect and use your browsing data to improve security, provide content, services, ads and recommendations on their websites, and generate reporting statistics.
There is currently no standard for how DNT consumer browser settings should work on commercial websites. If users enable the DNT signal in their browser, their browsing history and other information should not be collected, but there are no legal or technological requirements for the use of DNT. Websites and advertisers may either honor or ignore DNT requests.
IEEE currently does not honor DNT settings. We use cookies and capture the information required for our websites to function normally, and this is required to do business, including securing our systems and capturing analytics using Webtrends, Google Analytics, and other tools used across the enterprise. We also do not have control over the third parties that are integrated with our websites.
How do I get more information on GDPR and how IEEE is complying with it?
For further information, please visit the IEEE GDPR Resources page.
Contact Information:
privacy@ieee.org
IEEE
445 Hoes Lane
Piscataway, NJ 08854 USA
Glossary of Terms
Data Subject: A person whose data comes from the European Union (EU) or from Iceland, Norway, or Liechtenstein
Data Subject Request: A formal request by an individual from the EU to avail themselves of their rights under GDPR such as obtaining copies of their data, requesting changes to it, restricting the processing of it, deleting it, or receiving it in an electronic format so it can be moved to another controller (another person or organization that controls the individual’s personal data).
Personal Data: Any information relating to an identified or identifiable person (known in GDPR terminology as a ‘data subject’)
GDPR: The European Union General Data Protection Regulation, a regulation in EU law on data protection and privacy for all individuals within the European Union (EU) and the European Economic Area (EEA).
Date: 18 June 2018 Ver 1.0