Set to take effect on 25 May 2018, the General Data Protection Regulation (GDPR) overhauls and harmonizes the approach to data protection and privacy for all individuals within the European Union (EU). SEE Forge has a proud record of treating our customer data with utmost priority and we have our GDPR compliance program in place.
Below we’ve shared some information on what GDPR is, how it will affect you and how SEE Forge has prepared.
What is GDPR
The GDPR is the result of four years of work by the EU to bring data protection legislation in line with the ways that data is now used. It expands the rights of individuals to control how their personal information is collected and processed. GDPR places a range of new obligations on organizations to be more accountable for data protection.
Check out the ICO’s GDPR guide designed to assist organizations comply with their requirements:
Does GDPR Impact You?
GDPR applies to every company in the world that processes personal data about people in the EU. As a SEE Forge customer, the data pertaining to your registered users, as well as any personal data that you collect while conducting use of the system, is likely to be subject to GDPR.
Given that SEE Forge’s core app building functionality allows you to build your own apps asking whatever questions you wish, we do not have control of the content that you collect nor can we detect whether it is personal in nature. Accordingly, it is you as the Controller of data that is responsible for ensuring the data you collect while doing inspections is compliant with GDPR principles.
What is SEE Forge Doing?
We take our responsibilities under GDPR seriously and have embarked on a program to identify which measures we need to implement to be compliant with GDPR. We will have these implemented prior to 25 May 2018. Here is a quick summary of what we’ve done to date:
- We have engaged a law firm, and discussed with experts to advise on GDPR implications for SEE Forge. Following this assessment, we created an internal roadmap to work towards compliance with GDPR by 25 May 2018.
- We have investigated a new data hosting environment that is located within the EU (still with Microsoft Azure), so our Enterprise customers can choose to have their data hosted within the EU - even though this is not strictly a requirement of GDPR.
- We have started our internal education program to deliver GDPR-focused training across key areas of the business, so that our staff are aware of what GDPR requires and how it impacts their day-to-day roles.
- We have engaged with our product and security teams to consider and make necessary changes / improvements to our product and practices.
- We have conducted a comprehensive data-mapping exercise that tracks personal data flows throughout our systems and services.
- We are reviewing our key third-party vendor arrangements (i.e. Sub-Processors) to make sure we have the appropriate contractual protections in place to satisfy GDPR requirements.
- We have refined procedures to deal with some key data subject rights, like subject access requests and the right to request deletion.
- Developed a GDPR-compliant data retention policy.
- Updated our data breach procedures to bring them in line with GDPR.
- Developed and implemented company-wide data protection training.
Who is the data processor and who is the controller?
Under GDPR, our customers are considered the Controller of data and SEE Forge is considered the Processor. GDPR specifies requirements for Controllers in relation to the personal data they are responsible for including the requirement that when they user Data Processors that the processors provide sufficient guarantees that they will abide by GDPR and that the rights of the data subjects are protected.
Where does SEE Forge store customer data?
We host our customer and audit data with Microsoft Azure, who are a top-tier, third-party data-hosting provider. By default, every customer will have their data stored on the Microsoft Azure servers located in the U.S. For more information about Microsoft Azure's approach to compliance with the GDPR, see https://www.microsoft.com/en-us/TrustCenter/Privacy/gdpr/default.aspx
Can customers choose to store their data in the EU?
If you are on an Enterprise client plan with +100 seats, you will have the additional option to have your data stored within the EU. While not strictly a requirement of GDPR, we have listened to our European customers and understand there is an appeal to store data in the EU.
Accordingly we have investigated a data-hosting environment with Microsoft Azure in Europe. Should you wish to speak to us about migrating your data from the U.S. to the EU, please contact your Account Manager or firstname.lastname@example.org
How does SEE Forge comply with EU data export restrictions?
In some instances, SEE Forge hosts or processes personal data outside of the European Economic Area - this is most likely with your user details rather than any app data. GDPR requires that this data remains protected by appropriate safeguards in line with EU law. SEE Forge achieves this by either entering into the European Commission’s Standard Contractual Clauses with the entity the data is transferred to, or by ensuring the entity is Privacy Shield certified (for transfers to US based entities).
Does SEE Forge provide fair processing notices?
How does SEE Forge comply with the Data Minimization principle?
Under GDPR, any data collected must be relevant and limited to what is necessary for the purpose for which it is being processed. If you plan to collect any personal data when conducting use of your apps, then we suggest that you only collect necessary information. To help you identify and minimize the data protection risks in a Template, the ICO has provided guidance on Data Protection Impact Assessments (DPIA)
Under GDPR, any data collected must be relevant and limited to what is necessary for the purpose for which it is being processed. If you plan to collect any personal data when conducting use of your apps, then we suggest that you only collect necessary information. To help you identify and minimize the data protection risks in a Template, the ICO has provided guidance on Data Protection Impact Assessments (DPIA):
How to handle Subject Access Requests?
Data subjects may lodge requests with you as data Controller, to extract all data relating to the data subject. Should you receive such a request and require our assistance in dealing with it, please send a detailed email to email@example.com and we will endeavor to act on the request within 30 days.
How does SEE Forge respond to a data breach?
In the unlikely event of a breach of security leading to the accidental or unlawful destruction, loss, alteration, unauthorized disclosure of, or access to personal data, SEE Forge has an established Data Breach Response Plan. To obtain a copy of this policy, please contact your Account Manager or firstname.lastname@example.org
Who at SEE Forge is primarily responsible for personal data matters?
While SEE Forge is not required to have a Data Protection Officer, day-to-day data privacy matters are first handled by the support team who can be contacted via email@example.com
What changes have been made to the SEE Forge Terms and Conditions of Use / SEE Forge Agreement?
Below is a summary of changes to the SEE Forge Terms and Conditions of Use that will be effective from 25 May 2018
A new clause shall be inserted as follows:
In this Section and in the Appendix (Data Processing Agreement):
"Data Protection Laws means the EU Data Protection Laws and the laws of other states and territories that create and regulate substantially similar concepts and legal principles as are contained in the EU Data Protection Laws in relation to the processing of personal data and sensitive personal data.
EU Data Protection Laws means, up to and including 24 May 2018, any legislation in force from time-to-time which implements the EU Directive 95/46/EC and relevant national implementations of the same and, with effect on and from 25 May 2018, means the EU General Data Protection Regulation 2016/679 ("GDPR") and any relevant national implementations of the same;
personal data, sensitive personal data, consent, controller, processor, data subject and processing mean those concepts, roles and activities as defined in the applicable EU Data Protection Laws and on and from 25 May 2018 sensitive personal data means those classes of personal data that are described in Article 9 of the European General Data Protection Regulation 2016/679) or, where relevant, equivalent concepts, roles and activities as described in other Data Protection Laws.
We are the controller in respect of personal data and sensitive personal data, such as account registration details, that we collect directly from users of the Services (End Users) and users of No-Charge Services, and which we use for the purposes of our business.
You are the controller and we are the processor in respect of any other personal data and sensitive personal data (including within Your Modifications) that is uploaded by End Users and/or users of No-Charge Services including data, templates, information, content, code, video, images or other material of any type (Materials), or which is provided by your administrators (see Section 10 below).
On and from 25 May 2018, to the extent that the Services and/or Non-Charge Services comprise the processing of personal data or sensitive personal data where we are the processor and you are the controller and the processing of personal data or sensitive personal data is subject to the GDPR:
you will comply with the requirements of the GDPR as the same apply to you as controller of the personal data or sensitive personal data, including the obligations set out in Section below; and
the provisions of the Appendix (Data Processing Agreement) to these Terms shall apply."
In clause the following shall be inserted at the start of the third bullet point:
"subject to Section above and the Appendix to this Agreement,"
The following shall be inserted at the end of clause
There is a lawful basis for the collection and processing of personal data and/or sensitive personal data; and
The following shall be inserted as a new Appendix to the terms and conditions:
"Appendix (Data Processing Agreement)
The provisions of this Appendix (Data Processing Agreement) form part of the Agreement to the extent that Section 6 of the Agreement applies.
SEE Forge shall:
process personal data only on documented instructions from the controller, including with regard to transfers of personal data to a third country or an international organization, unless required to do so by European Union or the national law of an EU member state to which the processor is subject; in such a case, the processor shall inform the controller of that legal requirement before processing, unless that law prohibits such information on important grounds of public interest;
ensure that persons authorized to process the personal data have committed themselves to confidentiality or are under an appropriate statutory obligation of confidentiality;
implement appropriate organizational and technical measures as required pursuant to Article 32 (security of processing) of the EU General Data Protection Regulation 2016/679. The measures that we consider appropriate are more fully described in SEE Forge's Architecture and Security document (a copy of which is available on request). This document outlines:
Our architecture and infrastructure through which Services and No-Charge Services are provided;
security controls employed by us and our service providers in protecting personal and/or sensitive personal data; and
security controls employed by our support channels which handle personal data or sensitive personal data.
respect the conditions for engaging another processor referred to in paragraphs 2 and 4 of Article 28 (processor) of the EU General Data Protection Regulation 2016/679;
taking into account the nature of the processing, assist the controller by appropriate technical and organizational measures, insofar as this is possible, for the fulfillment of the controller's obligation to respond to requests for exercising the data subject's rights laid down in Chapter III of the EU General Data Protection Regulation 2016/679;
assist the controller in ensuring compliance with the obligations pursuant to Articles 32 to 36 of the EU General Data Protection Regulation 2016/679 taking into account the nature of the processing and the information available to the processor;
at the choice of the controller, delete or return all the personal data to the controller after the end of the provision of services relating to processing, and delete existing copies unless EU law or the national law of an EU member state to which the processor is subject requires storage of the personal data;
make available to the controller all information necessary to demonstrate compliance with the obligations laid down in Article 28 (processor) of the EU General Data Protection Regulation 2016/679 and allow for and contribute to audits, including inspections, conducted by the controller or another auditor mandated by the controller (in each case at the controller's cost)."
We host our customer and audit data with Microsoft Azure, who are a top-tier, third-party data hosting provider. By default, every customer will have their data stored on the Azure servers located in the U.S. For more information about Azure's approach to compliance with the GDPR, see https://www.microsoft.com/en-us/TrustCenter/Privacy/gdpr/default.aspx
If you are on an Enterprise client plan with +100 seats, you will have the additional option to have your data stored upon requirements.
Push/Pull data from any system via our Powerful FAT FINGER REST API.