Over the past year, GoFormz has been preparing for the European Union’s General Data Protection Regulation (GDPR), which became effective on Friday, May 25, 2018. As you probably already know, the GDPR is designed to provide more rights and protections to Data Subjects residing in the European Economic Area (EEA) and places requirements on data processing organizations in regard to how they obtain, store, and access personal information.
GoFormz understands how critical it is to protect your privacy and maintain your trust as a customer. This is why we develop our service with data protection in mind. In addition to delivering a robust data transformation system, we also want to ensure that your information is kept safe and sound. We only gather a small amount of personal data when you first set up your account and we do not plan to change this practice in the future. And we promise to provide the same high levels of data security for the valuable information you store and process on our service.
Below is an overview of how GDPR impacts the data and privacy landscape, as well as how we are prepared to meet the compliance goals as outlined in the GDPR. You are always welcome to contact us with any questions or concerns.
What is the GDPR?
The GDPR is an EU-wide privacy and data protection law that outlines the rights of a given person (the “Data Subject”), while also requiring companies and services that store and process personal data to meet certain reasonable and basic standards. Although we are a US company based in California, we have customers based in EU countries that we are entrusted to protect.
What is considered personal data?
The EU took a broad approach to this definition and decided that any piece or pieces of information that can uniquely identify a natural person should fall under this protection. For what GoFormz gathers from customers, this would include a person’s name, email address, phone number, and company information. However, many more things can be considered personal data, including a birthdate, driver’s license number, or even the IP address of your computer.
The GDPR also spells out a class of special personal data and requires that data processing organizations consider the higher risk of exposure and provide commensurate security controls. Among these special data categories would be gender and sexual orientation, political or religious affiliation, trade union membership, as well as genetic or biometric health data.
Data Processor or Data Controller?
For the information gathered from users when setting up a GoFormz account, GoFormz takes on the role of Data Controller. In this case, GoFormz determines the purposes and means of how provided personal data is processed.
For the information that customers upload and store on our platform, GoFormz will assume the role of Data Processor. When serving this function, GoFormz processes personal data on behalf of a Data Controller, our customer.
What are the Data Subject Rights?
The EU grants several rights to a person regarding their private and sensitive information. Under GDPR, an identifiable person (or “Data Subject”) can exercise the following rights:
- Request access to their data
- Request errors in personal data be corrected
- Request their data be permanently destroyed (known as “The Right to be Forgotten”)
- Request a copy of their data
- Object to or otherwise restrict processing and profiling of their data
The person should contact the Data Controller to submit a request of this nature. Companies must respond to these requests within 30 days.
What has GoFormz done to prepare for GDPR?
In order to be prepared for, as well as demonstrate compliance with, the GDPR, GoFormz has undertaken several efforts. A few key preparations include:
- Performed an inventory and accounting for what types of data we are storing, identifying where and how we store data, as well as documenting the encryption and other mechanisms used to protect data.
- Appointed a Data Protection Officer (DPO) and under their direction developed a concrete plan to attain and satisfy compliance requirements.
- Conducted data privacy awareness training for all GoFormz employees and engendered a culture focused on protecting our customers and their business-critical information.
- Assessed the third-party partners and services that we rely on to provide our service in order to determine that they are pursuing the same protection standards.
- Enhanced system logging and monitoring in regard to overall performance, as well as access control and incident detection.
- Prioritized security first in our development efforts by integrating quality assurance and programming teams, encouraging cross-training of team members to achieve better product testing and weave security into all of our technology processes.
- Developed additional policies and procedures regarding data handling, storage, retention, destruction, and overall organizational behavior.
GoFormz continues to drive forward on the journey to protecting our customers and their valuable data. We are working with our users to continue improving our products and meet their needs. We want to demonstrate our proper management of risk and compliance and plan to keep making improvements at every turn. We plan to be your trusted data platform on this road and all future paths!
Please email us at firstname.lastname@example.org if you’d like more information or have questions.