GDPR Frequently Asked Questions
What is GDPR?
The General Data Protection Regulation (GDPR) applies to all companies processing the personal data of people in the EU, regardless of the company’s location. Compliance with this regulation has been in effect since 25 May 2018.
The intent of GDPR is to give individuals (who are known in the regulation as “Data Subjects”) control of their personal data. For many activities, this requires IEEE to get consent from or provide notification to a person in order to be able to use their personal data. (see FAQ, “What is consent?”). There are other ways to lawfully process personal data – see FAQ, “Is Consent the only way to lawfully process personal data under GDPR”.
For IEEE, that means data about anyone who interacts with us, including members, customers, potential customers, and so on may be covered by GDPR.
All IEEE activities must comply with this regulation, and any other applicable data privacy regulations (such as HIPAA and CASL, Canada’s Anti-Spam Law) currently in effect.
IEEE is considered a Data Controller because it is an entity that determines the purposes, conditions, and means of the processing of personal data. IEEE staff must also comply with data privacy regulations.
What is personal data?
Personal data is defined as any information relating to an identified or identifiable person. An identifiable natural person is one who can be identified, directly or indirectly, in particular by reference to information such as a name, telephone number, email address, location data, IP address or to one or more factors specific to the physical, physiological, genetic, mental, economic, cultural, or social identity of that person.
Some personal data may be considered “sensitive” and require special care such as encryption. Sensitive data includes categories such as:
- Racial or ethnic origin
- Political opinions
- Religious or philosophical beliefs
- Trade union membership
- Genetic data
- Biometric data for the purpose of uniquely identifying a natural person
- Data concerning health or a natural person’s sex life and/or sexual orientation
Anyone collecting sensitive personal data should also consider the need for the collection, processing, and storage of that data, and determine if it is truly necessary. Because IEEE volunteers conduct much of the activity of the organization, this includes any work that brings volunteers in contact and control of personal data.
Additionally, these requirements would apply to third-party sources of personal data such as event registration vendors, market research companies we’ve contracted with, and the like. The current version of IEEE’s Master Service Agreement, available on the IEEE Strategic Sourcing contracts template page, includes the required language.
What is Consent?
- Consent is not required for many uses of a person’s data. For example, if a person purchases an IEEE membership (or IEEE product, etc.) , IEEE will provide member services that are included with the membership. See FAQ, “Is Consent the only way to lawfully process personal data under GDPR?”, for more detail.
At IEEE, does GDPR apply just to data from people in the EU?
Because protecting privacy is important to IEEE and to ensure all relevant data is covered, we made the decision to work to apply the protections of GDPR to all personal data, regardless of the geographic source of that data.
What are the risks and consequences if IEEE does not comply with GDPR?
Not complying with GDPR brings both reputational and financial risk to IEEE. If we do not adequately protect personal data, individuals may be reluctant to engage with IEEE. In addition, the regulation does provide for significant financial penalties for non-compliance. EU regulators have the authority to levy a fine in an amount that is up to the GREATER of €20 million (well over $20 million US) or 4% of global annual turnover in the prior year.
How is IEEE collecting consent to use people’s data?
- To communicate with you about a meeting, conference, or event
- To administer products
- To process transactions
In order to efficiently collect acceptance data,, we have begun using a centralized Consent Management System. This tool can be integrated into websites and applications. For more details, see the information below on integrating the IEEE Consent Management System into your websites. This system will be our foundation to track and manage consent, subscriptions, and other points of user information. If you are working on an activity or event that has terms and conditions, you need to pass that information to the consent management system.
Is Consent the only way to lawfully process personal data under GDPR?
No, the GDPR specifies a number of allowable reasons for processing personal data, including contractual obligations and legitimate interests.
Contractual Obligations: It may be necessary to process some personal data to meet your contractual obligations with a member or customer. For example, when people order a digital product, you need their email address to deliver it.
Legitimate Interest: You may able to use personal data in ways people would reasonably expect and which have a minimal privacy impact, or where there is a compelling justification for the processing.
When using legitimate interest as the reason for processing personal data, we need to document the reasoning behind that, prior to doing so. This documentation would include:
- Purpose test – is there a legitimate interest behind the processing or communication?
- Necessity test – is the processing necessary for that purpose?
- Balancing test – is the legitimate interest overridden by the individual’s interests, rights or freedoms?
The test for legitimate interest will be applied as appropriate by the GDPR Taskforce on behalf of the business to ensure that they are completed correctly and we have a record of their applicability. Individual business groups should contact IEEE’s DPO if they have any questions.
What rights does someone have under the GDPR?
Under GDPR, individuals may have certain rights to control their personal data. Key among these are:
- Right to be Forgotten/Erasure: Individuals may require IEEE to erase their personal information from databases.
- Right to Access/Data Portability: Individuals have the right to know what data we have on them and if asked, Data Controller must provide a copy of personal data in a commonly used and machine readable electronic format.
- Right to Rectification: Individuals have the right to correct or supplement incomplete or incorrect information.
- Right to Object: Individuals have the right to object to the processing or use of their data, including direct marketing.
If an individual wishes to avail themselves of these rights, they need to send an email to firstname.lastname@example.org with the phrase “GDPR Request” in the subject line.
This email will trigger a process that as been developed to roll this request out to all OUs to determine what information we have on that individual and how we can respond to their request.
All staff and volunteers managing personal data may then be required to search their data for the individual making the request, take the needed action (e.g., delete, make a copy, etc.), and report back the staff lead for Data Subject Requests in their OU.
How do I determine if I can send an email to a list of people?
Specific guidelines are being developed to help volunteers and staff to understand when it is appropriate to communicate with users based on interactions beyond consent. These will also include when not to include someone in generalized marketing outreach.
If I collect data offline or from a tool not connected to the consent management system, how do I get that consent into the Consent Management System?
Instructions for using the tool will be available on List Validator link on the GDPR Resource Page.
How do I handle data breaches?
A data breach is “a breach of security leading to the accidental or unlawful destruction, loss, alteration, unauthorised disclosure of, or access to, personal data transmitted, stored or otherwise processed.” This could include a lost or stolen laptop that contains personal data, the accidental emailing of personal data to non-authorized users, and so on.
Under GDPR, IEEE has only 72 hours to notify EU authorities after discovering a data breach, so rapid action is important. If you suspect a data breach, immediately contact the IEEE IT Security Team at IT-Security@ieee.org.
What do I need to do for websites I manage?
Instructions for adding the cookie banner are available Cookie Collection link on the IEEE GDPR Resources Page.
Secondly, for websites that collect personal data, website managers should connect to the IEEE Consent Management System. instructions are available on the IEEE GDPR Resources Page.
Can Anonymization, Pseudo-anonymization, and Encryption help?
Yes, if correctly done. Anonymization, where it is no longer possible to identify specific individuals, takes that data out of the scope of GDPR. Nonetheless, if appropriate, data should be anonymized.
Pseudo-anonymization, where an individual can only be identified with additional information (such as a token or a look-up table) can be an important part of privacy by design and reduce the risk of leaking personal data. However, that data is still under the scope of GDPR.
Similarly, encryption, while not mandatory under GDPR, is another tool that we can use to protect personal data. This includes such practices as only transmitting personal data through secure methods. For example, using sFTP rather than FTP, encrypting laptops or portable storage devices that contain personal data, ensuring websites use “https” rather than “http,” and so on.
What is Do Not Track (DNT)?
When you browse the web on computers or mobile devices, you can send a request to websites not to collect or track your browsing data. It’s turned off by default. However, what happens to your data depends on how a website responds to the request. Many websites will still collect and use your browsing data to improve security, provide content, services, ads and recommendations on their websites, and generate reporting statistics.
There is currently no standard for how DNT consumer browser settings should work on commercial websites. If users enabled the DNT signal in their browser, their browsing history and other information should not be collected, but there are no legal or technological requirements for the use of DNT. Websites and advertisers may either honor or ignore DNT requests.
How do I get more information on GDPR and how IEEE is complying with it?
For further information, please visit the IEEE GDPR Resources page.
445 Hoes Lane
Piscataway, NJ 08854 USA
Glossary of Terms
Data Subject: A person who has data from the European Union (EU) or from Iceland, Norway, or Liechtenstein
Data Subject Request: A formal request by an individual from the EU to avail themselves of their rights under GDPR such as obtaining copies of their data, requesting changes to it, restricting the processing of it, deleting it, or receiving it in an electronic format so it can be moved to another controller (another person or organization that controls the individual’s personal data).
Personal Data: Any information relating to an identified or identifiable person (known in GDPR terminology as a ‘data subject’)
GDPR: The European Union General Data Protection Regulation, a regulation in EU law on data protection and privacy for all individuals within the European Union (EU) and the European Economic Area (EEA).
Date: 18 June 2018 Ver 1.0