On May 25 2018, in less than six months time, a new landmark data privacy policy will be enforced by the European Union. The EU General Data Protection Regulation (GDPR) is aimed at strengthening the security and protection of personal data of EU residents.
As a result, Deskpro is working ahead of time to maintain and improve the privacy and security of our product for you. Proactivity at this stage means Deskpro will be ready and compliant well before the May 25 2018 deadline, making it easier for you and your organization to achieve GDPR compliance - without the headache.
The new comprehensive data protection law applies to any company based in the EU, or selling/marketing in the EU. It will replace the current patchwork of national data protection laws with a single set of rules, enforceable in each EU member state.
What we're doing about GDPR
This is a high-level overview of the GDPR Compliance Roadmap for Deskpro
- Appoint a Data Protection Officer - DONE
- Thoroughly research the areas of our product and business impacted by GDPR - DONE
- Rewrite our Privacy Policy - DONE
- Perform the necessary changes to our product based on requirements - DONE
- Implement required changes to internal processes and procedures to achieve and maintain GDPR compliance - DONE
- Thoroughly test all changes to verify and validate GDPR compliance - DONE
- Communicate Deskpro GDPR compliance - DONE
What’s going to change?
Whilst the list of changes as a result of GDPR is extensive, the main differences between the current EU data privacy policy and GDPR include:
Increased Territorial Scope - GDPR extends jurisdiction to all companies processing personal data of Data Subjects residing in the EU.
Penalties
Companies can be fined of up to 4% of annual global turnover or €20million (whichever is greater) for serious breaches. Companies without their ‘records in order’ (article 28) can be fined 2% of annual global turnover.
Consent
Companies are no longer able to use long, illegible T&Cs for an individual to request personal information - the process to understand and request information must be made easy.
Breach Notification
Companies must alert customers of any data breach within 72 hours. Data Processors would have to notify Data Controllers, “without undue delay.”
Right to Access
Data Subjects can obtain from Data Controllers, what, why, and how their data is being processed, and for what purpose. The Data Controller must be able to provide a digital copy of personal data, free of charge.
Right to be Forgotten
Data Subjects are entitled to have their personal data erased (article 17). Data either no longer relevant or Data Subjects withdrawing consent.
Data Portability
Data Subjects have the right to receive the personal data stored about them in a common format.
Privacy by Design
Inclusion of data protection should be considered from the onset of the designing of systems (article 23). Data Controllers should hold and process only data that’s absolutely necessary.
Data Protection Officers
Due to internal record keeping requirements, Data Protection Officers are mandatory for large scale data processing, or specific data referring to special categories such as criminal convictions and offences.
Our pledge to you
GDPR for your company doesn’t just cover Deskpro, it covers all of the software applications that you use to store personal data about a Data Subject. Which is why we are committed to helping you to reach compliance. Every company that uses Deskpro, including ourselves, will be held accountable to the GDPR.
Amongst the changes to become compliant with GDPR, Deskpro will specifically provide GDPR support by:
Updating our Data Processing Agreements between Deskpro and you, our customer, to reflect GDPR requirements and ensure data transfer involving storage outside the EU is fully compliant.
Providing timely product updates that ensure you have the capability to be compliant when Data Subjects request data to be deleted or removed.
How does GDPR affect Deskpro customers across Cloud and On-Premise deployments?
If you use Deskpro On-Premise, your organization is the Data Controller. If you host on your own servers, you are also the Data Processor. If you use a hosting solution, like Amazon Web Services, then they are the Data Processor.
If you use Deskpro Cloud, then you are just the Data Controller - and we are the Data Processor.
And of course, as a Deskpro customer, you and your organization also qualify as a Data Subject, with Deskpro as the Data Controller, and our third-party hosting provider as the Data Processor.
What to expect in 2018
Whilst aligning your business to honour the GDPR may seem like a mammoth task, compliance is absolutely necessary to smooth sailing and success once it is implemented.
We will keep you updated over the coming months about changes to the Deskpro product, as well as any legal changes, so that compliance with GDPR is as painless as possible.
If you have any questions about GDPR, please reach out to support@deskpro.com or check out the official GDPR website. https://www.eugdpr.org/, or to view the document in full here https://gdpr-info.eu/
Glossary of terms
Data Subject
An individual who is the subject of personal data.
Data Controllers
Organizations that supply or market goods or services to EU residents. They can also be companies that track or monitor EU residents, deciding how their data is collected and processed.
As a customer of Deskpro, you are likely considered a Data Controller under the new GDPR. One of your requirements as a Data Controller is to only work with compliant Data Processors.
Data Processor
Organizations that process data on behalf of Data Controllers.
As a cloud helpdesk software platform, Deskpro is considered as a Data Processor. However, if you are using an On-Premise deployment of Deskpro, the Data Processor would refer to either your organization or a hosting company.
UPDATED: 18/5/18
Nuevo comentario
Por favor, ingresa o regístrate para enviar un comentario.