In 2012, the European Commission began a process to reform Europe’s existing data protection laws by proposing a new data protection regulation to replace the current Data Protection Directive. General Data Protection Regulation (GDPR) was adopted in 2016 and will take effect on 25 May 2018.
The GDPR is a wide-ranging regulation designed to protect the privacy of individuals in the European Union (EU) and give them control over how their personal data is processed, including how it’s collected, stored and used. It affects every company in the world that processes personal data about people in the EU.
Summary of the changes include:
● Improved clarity and transparency with redefined terms to clearly described the data we collect and use and explain rights to your data
● A review of key third party vendor arrangements to ensure that the services we rely on to operate are also preparing to be GDPR compliance by the deadline
Information for Businesses
Businesses who use INTERACT to engage with their audiences can continue to use INTERACT in the same way that they do today. INTERACT is taking steps to ensure the products and services we provide comply with GDPR and remain compliant and that our solutions can be configured in accordance with your policies and GDPR compliance.
It is a great opportunity for companies to take stock of their current data processing activities and make sure they’re protecting customer data appropriately.
What is INTERACT doing about GDPR?
● Rolling out training and education to deliver GDPR-focused training across key areas of our business to ensure all staff are aware of GDPR requirements and how it impacts their day to day activities
● Conducting a comprehensive data-mapping exercise that tracks personal data flows throughout our systems and services
● Conducting third party supplier assessments to ensure that we satisfy GDPR requirements
● Implementing necessary changes and improvements to our platform
● Refining internal procedures to deal with some key data subject rights, like subject access requests and the right to request deletion
● Updating features eg launch of User Profiles so that end users can correct and modify their information, update preferences including the ability to restrict processing and request deletion
● INTERACT strives for continual improvement and this includes becoming independently certified against an EU approved framework
● Fully integrating privacy by design into system and product development.
Where does INTERACT store data?
INTERACT uses Amazon Web Services,a top-tier, third-party data hosting provider with servers located in the Australia and the United States to host online and mobile services.For more information about AWS’s approach to compliance with the GDPR, click here.
Will INTERACT store EU customer data in the EU?
INTERACT has no short term plans to store data in the EU, and this is not required under GDPR. Instead, GDPR requires companies to implement appropriate safeguards when they export personal data out of the EU.
INTERACT makes sure that it complies with EU data export restrictions when it exports data outside of the EU, an audit is currently being conducted with regards to thee data export mechanisms in place to ensure they comply, and will continue to comply, with GDPR.
How does INTERACT comply with EU data export restriction?
When personal data is hosted or processed outside of the European Economic Area by INTERACT, GDPR requires that it remains protected by appropriate safeguards in line with EU law. There are a few ways that INTERACT achieves this.
When we process EU customer data in other territories, like Australia and the United States of America, we ensure “appropriate safeguards” are in place that are prescribed by GDPR – i.e. by entering into the European Commission’s Standard Contractual Clauses with the entity the data is transferred to, or by ensuring the entity is Privacy Shield certified (for transfers to US based entities).
Why hasn’t INTERACT signed up to Privacy Shield?
INTERACT is an Australian headquartered company. The EU- US Privacy Shield is a mechanism for the EU and US to comply with data protection requirements when transferring personal data from the EU to the US.
Instead we rely on a combination of measures to ensure compliance with EU data export rules, including compliance to and use of “Model Clauses” (i.e. prescribed best practice statements) in our Software licence agreements.
What security measures do you have in place to protect data?
Protecting our customers’ data is fundamental to everything we do and we have comprehensive security and privacy safeguards for all that we do. If you would like more information on our security practices please email firstname.lastname@example.org
INTERACT as Data Controller or Data Processor?
As the licensed provider, administrator of the contacts within your tenancy and publisher of content on the platform you are the data controller – you decide the “purposes” and “means” of any processing of personal data contained within your tenancy.
Similar to what’s already in place for data protection law today, data controllers will have to adopt compliance measures to cover how data is collected, what it is being used for, how long it is being retained for and ensure that people have a right to access the data held about them.
INTERACT is the data processor for it’s licensed providers.
As the data processor, INTERACT processes personal data on behalf of our licensed providers. Certain obligations now apply directly to data processors, and controllers must bind them to certain contractual commitments to ensure that data is processed safely and legally. INTERACT has included these contractual commitments in our standard software licence agreement.
INTERACT is the Data Controller of user profile information as well as for all Data that is stored, collected or processed within an INTERACT tenancy.
An end-user can identify who the licensed provider or data controller is by opening the individual settings from either the connections or events list.
How do I find out more about GDPR?
Useful information on GDPR is available from:
The UK Information Commissioner’s Office (ICO) – 12 steps to prepare for GDPR.
The Federation of Small Business (FSB) – How to prepare for GDPR.