GDPR
The General Data Protection Regulation (“GDPR”) is designed to protect the personal data of those dealing with countries in the European Union (“EU”). The GDPR finds its roots in Article 8(1) of the Charter of Fundamental Rights of the European Union, which echoes Article 12 of the Universal Declaration of Human Rights adopted by the UN General Assembly in 1948, and in Article 16(1) of the Treaty on the Functioning of the European Union, pursuant to which “everyone has the right to protection of personal data concerning him or her.”
In simple words, the GDPR protects the personal data of EU citizens and increases the obligations on organisations that collect or process personal data.
Within the meaning of the GDPR, “personal data” means any information relating to an identified or identifiable natural person (the “data subject”).
The GDPR applies to residents of the EU as well as to anyone doing business with customers in the EU. For example, Vendasta needs to comply with the GDPR if:
- our clients, partners, subscribers, prospects, etc. are EU residents
- our partners deal with their own customers in the EU; in that case those partners also need to comply with the GDPR.
Why GDPR
The GDPR is important because it improves the protection of European data subjects’ privacy and rights and clarifies what companies that process personal data must do to safeguard both. It is more detailed and precise in certain areas and takes into account the challenges of a rapidly evolving digital world that give rise to privacy risks for data subjects. The GDPR is demanding because of its detailed transparency requirements.
The GDPR grants EU residents greater control over their personal data and gives national regulators new powers to impose significant fines on organisations that breach the law: fines of up to 20,000,000 EUR or 4% of total worldwide annual turnover for the preceding year (whichever is higher). That figure does not include reputational loss, legal sanctions, compensation for data subjects and more.
GDPR program @ Vendasta
At Vendasta, we welcome the GDPR as an opportunity to strengthen our commitment to privacy and data security for all data, not just EU personal data. We are working diligently to ensure that all our products, services and contracts comply with the GDPR, to support our partners’ and their customers’ own GDPR compliance, and to position them well with respect to other data protection regulations worldwide.
We have expertise in privacy and data protection. Our team comprises members from compliance, legal, security and infrastructure architecture. We believe in privacy and data protection by design, and we are applying these principles to new products and services.
GDPR principles
To provide a privacy- and data-protection-compliant platform for all our partners and customers, our dedicated compliance efforts are in progress to incorporate these GDPR principles:
- Lawfulness, fairness and transparency
- Purpose limitation
- Data minimisation
- Accuracy
- Storage limitation
- Integrity and confidentiality (security)
- Accountability
Lawful basis for processing
The lawful bases for processing are set out in Article 6 of the GDPR, which requires companies to have a legal reason for processing personal data.
We have updated our Terms of Service, Terms of Use, data processing agreements (DPAs) with third parties, and other relevant policies such as our privacy policy and cookie policy to reflect GDPR standards and to inform both our website and subscription users of the way we collect, process, store and, where needed, share their personal data with third parties.
We have also provided links to information for our customers to learn more about how they can control their options. Their consent is of the utmost importance to Vendasta, and we are leaving no stone unturned to make sure their choices and decisions are honoured.
We are working to provide automation around affirmative opt-ins and opt-outs so that our users can manage their consent and we can better track and audit it. In addition to the unsubscribe link in each marketing email we send to subscribed users, the same option is available from the user profile/account settings.
GDPR roadmap
We have our GDPR roadmap in place and a dedicated privacy officer for the GRC program at Vendasta.
The ‘human factor’ is often the weakest link in data security. GDPR compliance requires continuous learning and reinforcement. Continuous learning helps people apply what they have learned in practice, contributing to a data-safety culture in the workplace. When employees are not fully aware of the risks, they can easily make costly mistakes.
While we progress through the different phases of the roadmap, we continuously train our employees to make sure they understand the importance of security and data compliance, our security expectations and standards, and our practices for complying with the GDPR. We also make training content available to our partners via our LMS platform to help them understand GDPR compliance.
Security
The GDPR requires encryption, pseudonymisation and/or anonymisation to protect personal data. At Vendasta, we take the security of data seriously, and it is a priority. We have industry-standard encryption in place for data at rest, and we are fully committed to providing features that make compliance with the GDPR easier. With that in mind, we have made several improvements to our systems for authentication, authorization and auditing to safeguard our data.
Our Websites and Services take appropriate precautions to protect Personal Data. User account information is held on a secured server protected by identity and access management checks. All of our Services are served over Transport Layer Security (TLS) to protect data in transit, and all passwords are one-way hashed prior to storage to prevent their recovery in the event of a data breach.
Our data resides on Google Cloud Platform, and we also use a few other service providers, such as Zendesk, to process personal data on our behalf. In each case we ensure that an appropriate contract is in place obligating them to apply the GDPR’s data processing standards.
Vulnerability Disclosure Program
Vendasta is committed to continuously improving the security of our platform and protecting the privacy of our users. As part of this effort, we have run a vulnerability disclosure program (VDP) through HackerOne since July 2020. The goal of this program is to give security researchers an opportunity to test our platform’s security, responsibly disclose vulnerabilities, and receive recognition for their efforts.
Data Subject Rights (DSR)
The GDPR grants data subjects a range of specific rights they can exercise, subject to exceptions. Data subject requests are not new, but the GDPR introduced changes to further protect these rights. Among other things, GDPR compliance means enabling the exercise of these rights.
At Vendasta, we understand how important privacy rights are, and we have every intention of honouring them. We already have DSR handling procedures in place and a team that responds to DSR requests.
Users can exercise some rights themselves from their profile/account settings, but at this point most of the workflows for handling these requests are carried out by our teams. We have already started automating these workflows to make the process easier for data subjects.
Personal Data Breach Handling
A personal data breach is any security incident, lack of controls, system or human failure, error or issue that leads to, or results in, the destruction, loss, alteration, unauthorised disclosure of, or unauthorised access to, personal data.
Vendasta is committed to its obligations under the GDPR and to maintaining a robust and structured program for compliance adherence and monitoring, so that the correct procedures, controls and measures are in place where necessary. However, breaches can still occur, and we already have personal data (PD) breach handling procedures in place that state our intent and objectives for dealing with any data breach involving personal information.
We have adequate procedures and controls in place for identifying, investigating, reporting and recording any data breach. We use the Personal Data Breach Incident Form for all personal data breaches and perform a post-mortem regardless of severity, so that any patterns in causes can be identified and corrected. We are well aware of our obligation to notify the Supervisory Authority and, where applicable, affected data subjects of a data breach with immediate effect and at the latest within 72 hours after having become aware of the breach.
If you have any questions about this GDPR program, contact us at privacy@vendasta.com.
Disclaimer: This document contains legal information but is not legal advice. For legal advice or an interpretation of this document, consult a legal advisor or an attorney. The purpose of this document is to make you aware of Vendasta’s intention and work in progress to comply with the GDPR.