Issue 40 – Detrack’s Commitment to You and the Protection of Your Data
Iqbal Ghani
We are committed to partnering with Detrack’s customers and users to help them prepare for the General Data Protection Regulation (GDPR), which will go into effect on May 25, 2018.
In this writeup, we will explain our methods and plans to achieve GDPR compliance, both for ourselves and our customers. The GDPR’s updated requirements are significant and our team has been working diligently to bring Detrack’s product offerings in line so that our customers and users can prepare themselves.
1. Our Commitment to Privacy & Security
Protecting our customers’ and users’ information and their privacy is extremely important to us. As such, we take extra care in our server infrastructure to ensure that our customers’ and users’ information is secured.
Detrack is cloud-based software, and all of our servers are housed in the United States. Our cloud service providers are Safe Harbor certified, providing a high level of assurance that they meet EU standards for strong privacy protection and the proper handling of personal information. Under the GDPR, data may be housed on cloud servers located outside the EU provided adequate measures and sufficient protection have been ensured for the privacy and security of the data.
Our internal processes are regularly monitored and evaluated by our qualified Data Protection Officers (DPOs). We also conduct regular internal tests to assess how we can further improve the security of our system. Automated, customized monitoring systems are in place to track the traffic, load and error logs of all our deployed servers, and our engineers review the logs daily throughout the week, including weekends.
2. Your Right to Access & Data Portability
“Part of the expanded rights of data subjects outlined by the GDPR is the right for data subjects to obtain from the data controller confirmation as to whether or not personal data concerning them is being processed, where and for what purpose. Further, the controller shall provide a copy of the personal data, free of charge, in an electronic format.” https://www.eugdpr.org/key-changes.html, 2018.
First and foremost, user data is never shared with third-party vendors unless absolutely necessary, and then only on a “need to know” basis, for the exclusive purpose of performing tasks related to the operation and performance of the software. User data is used internally by staff with the proper clearance level for the purpose of improving the system or providing support to users.
Detrack, as a data processor, is not required by the GDPR to provide data subjects with a free copy of their personal data in an electronic format, but we seek to provide the utmost support to our customers and users by offering this capability for free.
All our customers and users are able to export all delivery data in their account directly from our active databases into Excel format. This can be done from the dashboard itself. Export in PDF format is also available on request. However, because PDF documents are inherently large, should the PDF format be required, an email request from the account owner’s registered email can be submitted to email@example.com, and our technical team will assist in extracting the data. This may take up to 14 working days or more to complete, depending on the size of the data files.
Detrack’s ability to export data into a readable electronic format also supports the data portability clause of the GDPR. The customer or user can export all the data they hold within Detrack into a readable electronic format and is then free to pass the information on to another controller as they see fit.
3. Your Right to be Forgotten
“Also known as Data Erasure, the right to be forgotten entitles the data subject to have the data controller erase his/her personal data, cease further dissemination of the data, and potentially have third parties halt processing of the data. The conditions for erasure, as outlined in article 17, include the data no longer being relevant to original purposes for processing, or a data subject withdrawing consent.” https://www.eugdpr.org/key-changes.html, 2018.
Detrack wishes to provide maximum assistance to our users, who may be data controllers or simply data owners, in becoming compliant with the GDPR. Hence, we have ensured that existing channels allow a user to inform us of their decision to have their data permanently erased from our active databases.
Detrack maintains a subscribers’ mailing list, used in conjunction with an emailing system, for sending notifications and newsletters to all registered users of Detrack.
For our subscribers’ mailing list and emailing system, any deletion request from a user sent through any of our available support channels will be handled accordingly (the request must be sent from the main account holder’s registered email). We will delete the user from our database and will not keep any unnecessary records of that deleted user.
Consent, once given, is not regarded as permanent; it can be withdrawn at any time. Every email sent through our subscribers’ mailing system has a clear “Unsubscribe” option, which will be honored when the user indicates the desire to unsubscribe from the mailing list.
4. Breach Notification
Under the GDPR, breach notification will become mandatory in all member states where a data breach is likely to “result in a risk for the rights and freedoms of individuals”. This must be done within 72 hours of first having become aware of the breach. Data processors will also be required to notify their customers, the controllers, “without undue delay” after first becoming aware of a data breach. https://www.eugdpr.org/key-changes.html, 2018.
Detrack has built safeguards into our infrastructure design to prevent possible system breaches. However, in the unfortunate event of a breach involving personal data, Detrack pledges to notify our customers without undue delay after first becoming aware of a data breach that is likely to result in a risk for the rights and freedoms of individuals.
5. Data Protection Officers
Appointing qualified Data Protection Officers is part of the GDPR requirements. In compliance, Detrack has appointed our own internal Data Protection Officers. All appointed Data Protection Officers have undergone official training (with certification) conducted by trainers and consultants who are Certified Information Privacy Managers (CIPM), a credential awarded by professional members of the International Association of Privacy Professionals. The CIPM is the world’s first and only certification in personal data protection programme management.
Our Data Protection Officers are well-versed in personal data protection principles and have practical knowledge of the roles and responsibilities involved in implementing personal data protection policies and initiatives.
We will continue to monitor guidance on GDPR compliance from privacy-related regulatory bodies and will adjust our plans and policies accordingly if that guidance changes in a way that impacts Detrack’s dealings with our business clients.