The General Data Protection Regulation (GDPR) is approaching (just a few days to go!) and sets the bar high in regards to protecting the integrity of individual data in the EU. Shortlist has been preparing for months to ensure our business is compliant. We’ve written this post to give our customers an overview of what we’ve done to ensure compliance with the GDPR.
The General Data Protection Regulation (GDPR) is the new legal regulation for personal data, applying to all organisations operating within the EU (as well as non-EU organisations with customers who are individuals in the EU zone). The definition of personal data under GDPR has been boiled down into “any information relating to an identified or identifiable person”. The purpose of GDPR is to ensure consistency of data protection laws across all member countries of the EU. The law comes into effect on May 25th, 2018.
GDPR applies to both data controllers and data processors. The data controller is the party who determines the purposes and the manner in which personal data is processed, while the data processor is a third party processing personal data on behalf of the controller.
What does this mean?
This means that Shortlist is both a data controller and a data processor. We are a data controller in the sense that we are storing personal data such as your email address and billing address, etc. Providing services to our customers and their end users, storing and transferring personal data, means we also act as a data processor.
What is Shortlist doing?
There must also exist a Data Processing Agreement (DPA) between the data controller and the data processor in cases where the data controller is affected by GDPR. The data controller is affected by the GDPR if it is a controller of personal data of end users in the European Union. The DPA lays out the obligations that apply to the data processing. Customers may request a DPA by emailing email@example.com.
Our GDPR Roadmap
During our GDPR preparation we’ve tackled the following changes:
Data Supply Chain
Reviewed our entire data supply chain to determine what changes were required for GDPR compliance. We also wanted to ensure we knew what data was where and for whom.
Educated (and continuing to educate) employees on changes related to GDPR and other data handling practices. Our objective is to ensure all employees understand our security standards and commitment to privacy for our customers.
We’ve updated our Customer Success processes to ensure that any requests by end users for data review or removal can be fulfilled in a timely manner.
We’ve reviewed and revised our Terms of Service and Privacy Policies to be in line with all GDPR requirements. Our objective was to make them easy to read and understand and to make it clear how data is being used. We also made it clear how you can submit a request to review your data and/or request that your data be deleted.
Data Processing Addendum
We’ve reviewed our customer agreements and put in place a data processing addendum which helps customers understand our commitment to processing data in a GDPR compliant manner. Customers can reach out to firstname.lastname@example.org to request a DPA.
We’ve reviewed all third parties that Shortlist leverages to ensure that they are GDPR compliant and that we can continue to legally transfer data to these vendors and allow them to legally receive and process this data.
Shortlist is committed to continuously reviewing all processes, procedures and other factors in place to safeguard the data that is provided to us. If you have any questions in regards to GDPR and how it affects your use of Shortlist, please feel free to reach out to our Customer Success team at email@example.com or send GDPR queries to firstname.lastname@example.org.
Please note that this post is for informational purposes only, and should not be considered legal advice.