The new GDPR
Companies and organisations are all busy with it: the General Data Protection Regulation (GDPR), which comes into force on 25 May 2018. This blog describes how EventInsight mapped out the steps it needed to take to become GDPR compliant. In summary? It actually wasn't that bad. Our working methods remain almost identical; they have just become a little tighter, which has improved the guarantees we can give regarding privacy. I therefore think that GDPR is a good addition to data security. I don't always have the patience to read everything in detail myself, so I have made a short summary for faster readers in which the core of this blog is clearer.
Inventory and legal basis
First of all, we looked at which personal data we use. We distinguish between the users of our app and our customers, the organisations that commission it. In order to store personal data at all, you need a legal basis. Some data we may store because it is necessary to perform the agreement: the e-mail address, for example. Without an e-mail address we cannot reset your account. Other data we may not store just like that, so for that we ask explicit consent.
Our business model is to improve events through our app and we have no commercial interest in the data.
Before creating an account, the user must know how long the data will be stored. With EventInsight this is a bit tricky, as it depends on the wishes of the customer. In order to meet GDPR requirements we eventually decided to retain the data for a maximum of three months after the end of the event. The customer can always shorten this period themselves.
An important aspect of GDPR is the security of personal data. EventInsight applies Privacy by Design and Privacy by Default. The idea behind this is that we take the privacy and processing of the data into account as standard when setting up and designing the product, so that the privacy of our users is guaranteed by the design itself rather than by ad-hoc decisions. For example, we have taken the following measures:
- All customer data is stored in separate databases. In the unlikely event of a leak affecting one customer's database, the data of the other customers and their users remains untouched.
- All traffic to and between our servers is encrypted with TLS (commonly still called SSL). This prevents unwanted third parties on the network from reading the data while it is in transit.
- Root access to our servers is limited. At EventInsight only two people have this authorization.
- If our support staff need access to a customer's environment, permission is given for a 24-hour period each time. This access is logged, so afterwards you can see exactly who accessed it and when. If an employee leaves the company, any access they still hold expires automatically, because a grant never lasts longer than 24 hours.
- Only support staff and the two people authorized for root access are able to reach customer data. Partnership advisers, data entry employees and administration have no access at all.
- All of our staff have signed a confidentiality agreement concerning the data they see.
- Several automatic control mechanisms have been implemented. Deviating or unexpected activity on our servers is shown on the warning screens in our office.
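The 24-hour support-access rule above is easy to state and easy to get wrong in practice, so here is an added example of the mechanism behind it, written for this post and not EventInsight's own code. It assumes a hypothetical `AccessBroker` that issues per-customer grants with a fixed expiry, writes every grant and access attempt to an audit log, and refuses expired grants automatically, which is what makes offboarding safe without a manual revocation step. The employee names, customer identifiers and timestamps are constructed for the example.

```python
"""Time-boxed, audited access grants.

Added illustration of the support-access rule described in the post; this is
not EventInsight's code and all names (AccessBroker, customer-42, alice, bob)
are hypothetical. A support engineer receives access to one customer's
environment for a fixed window (24 hours by default); every grant, access
attempt and offboarding is written to an audit log; and a grant past its
expiry is refused automatically, so a departed employee loses access within
the window without anyone having to revoke it by hand.
"""
from dataclasses import dataclass, field
from datetime import datetime, timedelta, timezone

GRANT_TTL = timedelta(hours=24)  # the 24-hour window from the post


@dataclass(frozen=True)
class Grant:
    employee: str
    customer: str
    granted_at: datetime
    expires_at: datetime

    def active_at(self, now: datetime) -> bool:
        """Half-open window: valid from granted_at up to, but not including, expires_at."""
        return self.granted_at <= now < self.expires_at


@dataclass
class AccessBroker:
    support_staff: set = field(default_factory=set)
    grants: list = field(default_factory=list)
    audit_log: list = field(default_factory=list)

    def grant(self, employee: str, customer: str, approver: str, now: datetime,
              ttl: timedelta = GRANT_TTL) -> Grant:
        """Issue a time-boxed grant; only current support staff can receive one."""
        if employee not in self.support_staff:
            self._log(now, "grant-denied", employee, customer, approver=approver)
            raise PermissionError(f"{employee} is not current support staff")
        g = Grant(employee, customer, now, now + ttl)
        self.grants.append(g)
        self._log(now, "grant", employee, customer, approver=approver,
                  expires_at=g.expires_at.isoformat())
        return g

    def check_access(self, employee: str, customer: str, now: datetime) -> bool:
        """Allow only if an unexpired grant exists for exactly this employee and customer."""
        ok = any(g.employee == employee and g.customer == customer and g.active_at(now)
                 for g in self.grants)
        self._log(now, "access" if ok else "access-denied", employee, customer)
        return ok

    def offboard(self, employee: str, now: datetime) -> None:
        """Leaving employee: no new grants; existing ones lapse on their own."""
        self.support_staff.discard(employee)
        self._log(now, "offboard", employee, "-")

    def who_accessed(self, customer: str) -> list:
        """The 'who accessed it afterwards' view: successful accesses per customer."""
        return [(e["at"], e["employee"]) for e in self.audit_log
                if e["event"] == "access" and e["customer"] == customer]

    def _log(self, now: datetime, event: str, employee: str, customer: str, **extra) -> None:
        self.audit_log.append({"at": now.isoformat(), "event": event,
                               "employee": employee, "customer": customer, **extra})


def demo() -> dict:
    """Walk through the policy with constructed timestamps and return the outcomes."""
    t0 = datetime(2018, 5, 25, 9, 0, tzinfo=timezone.utc)
    broker = AccessBroker(support_staff={"alice"})
    broker.grant("alice", "customer-42", approver="bob", now=t0)
    results = {
        # inside the 24-hour window, right customer
        "during_window": broker.check_access("alice", "customer-42", t0 + timedelta(hours=23)),
        # a grant for one customer never opens another customer's environment
        "other_customer": broker.check_access("alice", "customer-7", t0 + timedelta(hours=1)),
        # one hour after expiry: refused without any revocation step
        "after_window": broker.check_access("alice", "customer-42", t0 + timedelta(hours=25)),
    }
    broker.offboard("alice", t0 + timedelta(hours=26))
    try:
        broker.grant("alice", "customer-42", approver="bob", now=t0 + timedelta(hours=27))
        results["regrant_after_offboard"] = True
    except PermissionError:
        results["regrant_after_offboard"] = False
    results["customer_42_accesses"] = broker.who_accessed("customer-42")
    return results


if __name__ == "__main__":
    for k, v in demo().items():
        print(f"{k}: {v}")
```

Two design points worth noting. The expiry is enforced at every access check, not only when the grant is issued, so the broker needs no scheduled clean-up job and an ex-employee's leftover grant is harmless. And the audit log records denied attempts as well as successful ones, which is what lets you answer the "who accessed it afterwards" question and also notice someone probing another customer's environment. In a real deployment the same idea is usually carried by short-lived credentials (for example SSH certificates or database credentials with an expiry) so the server itself, not just a broker, refuses access after the window.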
Third party processing
EventInsight stores the data of its customers and users in the Netherlands, to be precise at TransIP in North Holland. According to the Dutch Data Protection Authority, it is necessary to conclude processor agreements with other parties where data is stored. TransIP has no root access to our servers and therefore does not access our data in normal operation, but a hosting provider does control the underlying hardware, so we have concluded a processor agreement with them to be sure. This means you can be certain that your data is processed in the correct manner. The data always remains under our own management and there are no other processors.
Data leak policy
Since 2016, reporting data leaks has been obligatory. What is new with GDPR is that we must register every data leak internally, including those that do not have to be reported, together with an improvement plan to ensure it does not happen again. This register must be available for inspection by the supervisory authority on request. EventInsight has drawn up a register for this purpose and hopes that it will always remain empty.
Conversion to a privacy statement
Everything mentioned above has been converted into a privacy statement. This is shown in the App Store and Google Play store, so that every user is aware of what permissions they are giving. Depending on the customer's choice, the privacy statement is shown again explicitly when logging into our application, so the customer decides how users agree to it. We understand that long statements don't get read, and have therefore highlighted the essence of the statement in bold. This saves a lot of time and provides the clarity sought.
What does this mean for you when you let us create an event app?
For you, the new GDPR means that you sign a processor agreement with us when setting up a new application. We already have this ready for you so you don't have to set it up yourself. We are happy to explain to you what the provisions contain.
Together with Slim Juridisch Advies, we have completed a checklist to add the finishing touches:
- We have supplemented the privacy statement with the new provisions to comply with GDPR.
- We have provided an e-mail address and created a procedure whereby users and customers can submit an access request to inspect their data.
- Our staff has signed a confidentiality agreement concerning the confidentiality of the information they see.
- We have checked the legal basis for each item of data we request.
- We have verified that our services are designed to be privacy friendly.
- We have established a register of processing activities.
- We have drawn up a processor agreement with the necessary parties.
Was this all?
This is all that our users and customers have to deal with. However, the new GDPR also applies to our staff, and that means we have had to change things internally as well to remain compliant. For example, we have also concluded a processor agreement with our administration office. But this blog is already long enough, so we will spare you the internal measures we have taken. We are of course happy to explain them to you at our office over a cup of coffee!