GDPR is great for the rights of citizens; it incentivises good corporate citizenship and levels the playing field for businesses
At d2o, we wholeheartedly embrace the implementation and enforcement of the General Data Protection Regulation (GDPR).
As citizens, we highly value freedom and privacy. To this end, the GDPR is foundationally a great blessing as it will strengthen our individual rights in an ever-expanding digital world in which our fingerprints are captured and stored everywhere.
Think of the vast (and increasing) amount of data out there generated by our social media and internet browsing habits; the data generated by connected machines in the Internet of Things together with sophisticated new methods of analysing and crunching that information.
It is, therefore, reassuring that as individuals we have the right to know what personal data is held about us, what and how it is being used and that the information can be removed. Moreover, it is comforting to know that if those entrusted with our personal data violate these rights, they will face justice. As such, the GDPR incentivises good corporate citizenship.
For a SaaS provider, the GDPR provides a common set of privacy regulations, replacing what used to be more than 28 national laws. In a real way, the GDPR contributes to levelling the playing field by substantially reducing inconsistencies and ambiguities, thus enabling businesses like ours – whose uncompromising commitment is to respect privacy rights, and to gain and sustain life-long customer trust – to expand across borders with less administrative burden.
The GDPR enters into force for all EU member states on May 25th, 2018.
So, what have we at d2o done and are doing to prepare ourselves and help our clients become GDPR compliant? You will find details on this question and more in the subsequent sections.
Our GDPR Commitments
d2o supports approximately 500 customers and 5000 end-users in more than 10 countries (and counting).
The customer agreement grants customers a licence to access and use PMI, delivered as SaaS. In providing this service, customers entrust d2o with processing (non-sensitive) personal data which is submitted to and stored within the service by the customers' end-users.
In general, as a SaaS provider, d2o is committed to providing features that enable and support customers to effectively live up to their rights and duties as defined in the GDPR, including rights of a data subject (art. 13 – 22).
Where customers, in their use of PMI services, do not have the ability to address their GDPR duties themselves, they can trust that, whenever commercially reasonable and legally permitted, d2o will loyally provide assistance in addressing enquiries raised by data subjects.
Equally important, we are committed to:
- Pursue technical and organisational good practices so that personal data is always processed in a manner that ensures appropriate security (art. 5(1)(f));
- Be ready to demonstrate compliance and take accountability for GDPR-related tasks and duties entrusted to us; and
- Live up to the spirit of the regulation with respect to the fact that nothing in the DPA relieves us, as Processor, of our direct responsibilities and liabilities under the GDPR (art. 29).
PMI only allows non-sensitive personal data to be processed
In PMI, a customer can process the following non-sensitive personal data (which is necessary for the purposes of the legitimate interests (art. 6(1)(f)) stated in the Main Service Agreement): first and last name, e-mail, job title and employee number, all of which are encrypted in transit and at rest.
The categories of data subjects are limited to PMI system end-users and employees.
With these commitments and the type of data in mind, below are the steps – organisational and technical measures – d2o has taken to become GDPR compliant. At the end of this orientation, a list of FAQ related to the GDPR is also included.
d2o’s GDPR Readiness (Organisational and Technical)
d2o’s GDPR compliance endeavour started in Q4 2017. The Basic GDPR Readiness Project was completed on May 15th, while the GDPR Refinement Project is scheduled to be completed by the middle of Q4 2018.
Our GDPR approach and roadmap have largely leveraged the guidelines, recommendations and resources (e.g. self-assessments, checklists and templates) made available by the Norwegian Data Protection Authority (DPA) and the Information Commissioner’s Office in the UK.
This effort has, from time to time, been supplemented with consultations with experts and legal advisors specialising in the GDPR and data privacy protection laws, drawn from selected customers and third parties. The joint effort has been particularly important in achieving a robust Data Processing Agreement (DPA). More details can be found under section 4.
GDPR Organisational Readiness
The following main organisational changes have been completed as part of the Basic Readiness Project.
| Measure | Outcome |
|---|---|
| Raise awareness and conduct 3 internal GDPR training sessions (each 45 min); establish a governance framework to sustain GDPR practice and nominate a Data Protection Officer | d2o employees and contractors are familiar with the core principles, data subject rights and responsibilities of Processors pertaining to PMI; buy-in from leadership secured on the governance framework and a named DPO* (*although the GDPR does not require this from a Processor and the processing is very unlikely to result in high risk) |
| Delete redundant data; establish personal data maps and flows; conduct a risk assessment centred around the data subjects | Reduced personal data scope; data processing document pertaining to PMI completed; data maps for PMI completed; list of prioritised to-dos, incl. software changes/enhancements |
| Revise and update procedures and plans; revise privacy and security policies; revise the product design procedure | Procedure on handling requests from data subjects updated; procedure for incidents, incl. personal data breach detection, notification and investigation, updated; feature design to include privacy and security considerations |
| Develop data processing agreements and review agreements with 3rd parties and Subprocessors | Data processing agreement to be offered to customers completed; review of agreements with the main 3rd party and Subprocessors completed |
GDPR Product Readiness
The GDPR provides data subjects with an array of privacy rights and enhanced transparency into and control over uses of their personal data.
Below is an overview of the PMI user guideline on features and procedures that customers can use to accommodate the rights of the data subjects as stipulated in the GDPR.
Under the GDPR, the authorised customer PMI user (Controller) must be able to accommodate the following rights of a data subject within a month:
| Data subjects have the right to… | How |
|---|---|
| …know what is going to be done with her/his personal data (art. 13) | Such a request will be forwarded to the PMI super-user in the Controller’s organisation to address* (*the nature and purpose are defined under section 2 of the d2o standard DPA) |
| …acquire a copy of all the personal data being processed (art. 15) | For a step-by-step user guideline, please click here (add link to wiki page) |
| …rectify any incorrect personal data (art. 16) | For a step-by-step user guideline, please click here |
| …erase personal data (art. 17) | For a step-by-step user guideline, please click here (add link to wiki page) |
| …restrict processing of personal data (art. 18) | N/A |
| …personal data portability (art. 19) | For a step-by-step user guideline, please click here (add link to wiki page) |
| …prevent processing of personal data (art. 21) | For a step-by-step user guideline, please click here (add link to wiki page) |
| …prevent automated processing of personal data | N/A |
If a data subject contacts d2o (Processor) to exercise one or more of the rights concerned, d2o support will forward the request to the appropriate PMI user at the customer’s organisation (Controller), in line with the Main Service Agreement (MSA) and Data Processing Agreement (DPA).
If an authorised customer PMI user (Controller), in making use of PMI Services, does not have the ability to address a Data Subject request, a d2o authorised team member shall, upon request, provide commercially reasonable assistance to facilitate such a request (to the extent that d2o is legally permitted to do so).
GDPR Initiatives to be Completed in 2018
The following main organisational changes are planned to be completed as part of the GDPR Refinement Project by the middle of Q4 2018.
| Initiative | Outcome and estimated delivery |
|---|---|
| Develop a feature that supports a printout or export of the personal data of more than one user at a time (art. 15 and 19) | A user with the right authorisation can print the personal data of selected users, or of all users, in one operation. Estimated delivery: end of Q2 |
| Develop a feature that supports erasure where possible, else anonymisation, of the personal data of more than one user at a time (art. 15) | A user with the right authorisation can erase if possible, else anonymise, the personal data of selected users, or of all users, in one operation. Estimated delivery: end of Q2 |
| Conduct a Data Protection Impact Assessment (DPIA)* related to PMI (*although the GDPR does not require this from a Processor and the processing is very unlikely to result in high risk) | Gain insights on further improvement opportunities. Estimated delivery: end of Q3 |
Key Considerations Underpinning d2o’s DPA
While the GDPR is comparatively descriptive, we recognise that market practice and enforcement are still nascent, with grey areas. It will naturally be in the Controller’s interest to mitigate the perceived risks as much as possible.
To this end, the d2o team has, in collaboration with GDPR subject matter experts and legal advisors, endeavoured to reach a SaaS Data Processing Agreement that adequately meets the GDPR requirements, balancing the following key considerations:
- A DPA brings with it additional administrative burden (and risks) for both parties on top of an already in-force Main Service Agreement (MSA). As a SaaS provider, d2o cannot afford to spend resources on renegotiation with each customer. Therefore, we have made every effort to offer a fair and robust DPA in line with the spirit and letter of the GDPR;
- d2o – as Processor – commits to comply with the obligations assigned to the Data Processor under the GDPR. This includes art. 28 in its entirety and the Controller’s processing instructions;
- Controllers are expected to sign off on the appropriateness of technical and organisational measures; hence, d2o is ready to provide commercially reasonable assistance to facilitate audit requirements beyond the information shared on our GDPR dedicated web pages;
- Use of Subprocessors. Like many (if not most) of our customers, d2o uses global platform providers like Microsoft, Google, Salesforce and others whose DPAs are non-negotiable. Therefore, we are unable to achieve back-to-back contractual coverage of all the duties and risks that our customers propose. Although we are prepared to manage some residual duties and risks as Processor, we must manage these extremely carefully and strictly to remain a viable and efficient SaaS provider. Oftentimes (if not always), our customers use the same global platforms and hence have no objection to accepting our terms and conditions, especially considering the very low risk and low impact associated with the limited non-sensitive personal data PMI holds;
- Liability. Under the GDPR, Processors face additional duties and fines for noncompliance. Subjecting d2o to additional liability vis-à-vis customers would not only be financially unviable but would serve as an “insurance” at the expense of the Processor, and hence as a disincentive for a Controller to jointly and continuously improve breach prevention and readiness, which is a critical success factor while GDPR market practice and enforcement are still nascent, with grey areas.
GDPR FAQ
What is the GDPR?
The General Data Protection Regulation (GDPR) is a new European privacy regulation which will replace the current EU Data Protection Directive (Directive 95/46/EC). The GDPR aims to strengthen the security and protection of personal data in the EU and to harmonise EU data protection law. A copy of the GDPR can be obtained here.
To whom does the GDPR apply?
The GDPR applies to all organisations operating in the European Economic Area (EEA) and processing “personal identifiable data” of EEA residents. Personal data is any information relating to an identified or identifiable natural person (as opposed to a non-human body/entity).
What personal data can a Controller hold about a data subject in PMI?
The personal data processed is limited to: first and last name, e-mail, job title and employee number.
The categories of data subjects are limited to: PMI system end-users and employees.
Is d2o as Processor required to obtain consent for existing relationships?
No. Pursuant to the Main Service Agreement (MSA) between the customer and d2o, and the agreement the customer and the end-user have entered into, there is already a relationship and, hence, a fair reason for the personal data to be held in PMI.
Does PMI hold sensitive personal data?
No, PMI does not hold any sensitive personal data as defined in art. 9 of the GDPR, such as political affiliations, religious beliefs, and race or ethnicity. Also, see 5.2.1 above.
What implications does the GDPR have for organisations processing the personal data of EEA citizens?
One of the key aspects of the GDPR is that it creates consistency across EEA member states on how personal data can be processed, used, and exchanged securely. Organisations will need to demonstrate the security of the data they are processing and their compliance with GDPR on a continual basis, by implementing and regularly reviewing robust technical and organisational measures, as well as compliance policies.
How does the GDPR apply to customers?
d2o customers who collect and store personal data are considered Data Controllers and, under the GDPR, have as of May 25th, 2018 (in Norway, the enforceable date is set to July 1st, 2018) the primary responsibility for ensuring that their processing of personal data complies with relevant EU data protection law.
What is a Data Processing Agreement (DPA)?
d2o offers customers a balanced and robust Data Processing Agreement (DPA) governing the relationship between the customer (acting as a Controller) and d2o (acting as a Processor). The DPA facilitates d2o’s customers’ compliance with their obligations under EU data protection law.
A customer, acting as Controller, is in charge of the data; d2o, acting as Processor, processes the data for the Controller. Controllers must only use processors that take measures to meet the requirements of the DPA. A Controller determines why and how to process personal data, while the Processor performs operations on personal data on behalf of the Controller.
Under the GDPR, processors face additional duties and liability for noncompliance, or for acting outside the instructions provided by the controller. A compliant processor's duties include:
- Processing data only as instructed
- Using appropriate technical and organizational measures to process personal data
- Deleting or returning data to the controller
- Securing permission to engage other processors
Who are d2o’s Subprocessors?
d2o maintains an up-to-date list of the names and locations of all Subprocessors (incl. d2o affiliates and third parties) used for hosting or other processing of service data, which can be found here [add link to d2o’s Subprocessors]. The list includes the ability for our customers to sign up for notifications of changes. The list may also be obtained by contacting firstname.lastname@example.org.
What are the “Model Clauses”?
The European Commission has approved a set of standard provisions called the Standard Contractual Clauses (Model Clauses), which provide a Controller with a compliant mechanism for transferring personal data to a data processor outside the European Economic Area (EEA).
Currently, as both our data centres and our customers are located within the EEA, there is no need to deploy the Model Clauses.
Additional GDPR Related Resources
- d2o Protects Personal Data
- d2o Security Policy
- d2o Data Retention and Deletion Policy
Third party resources:
- General Data Protection Regulation (GDPR)
- Hva betyr de nye personvernreglene for din virksomhet? (What do the new privacy rules mean for your business?)
- United Kingdom Information Commissioner’s Office’s “Preparing for the GDPR”
- The International Association of Privacy Professionals