The GDPR changes the way organisations collect data, as well as how they obtain, document, and manage the legal basis for processing.
As of May 1st 2018, Teamgo Pty Limited has implemented key features and processes to become fully GDPR compliant for our EU customers. We have also made these implementations available to customers globally so they can benefit from our commitment to data management of individuals' information.
What is GDPR with Teamgo?
The GDPR becomes enforceable as law in all EU member states on May 25th, 2018. This replaces the separate member state implementations of data protection law, streamlining compliance by providing a single set of principles to follow.
The new regulation's scope encompasses all organisations that process the personal data of EU residents or monitor individuals' behaviour conducted within the EU, regardless of the entity's physical location.
The terms processing and personal data are defined: processing involves "any operation or set of operations which is performed on personal data" and personal data means "any information relating to an identified or identifiable natural person ('data subject')." The GDPR outlines requirements for Controllers (entities who determine the purposes and means of the processing of personal data) and Processors (entities who process personal data as directed by a Controller).
Data Protection by Design and Default
Controllers and Processors must incorporate data protection into new products and services that involve processing of personal data (Design) and consider data protection issues in all business decisions (Default).
Lawfulness of Processing
Processing must be based on consent, performance of a contract, legal obligation, protection of vital interests, tasks carried out in the public interest, or legitimate interest balanced against the fundamental rights of data subjects.
Conditions for Consent
Requests for consent must be freely given, specific, informed and unambiguous by a statement or by a clear affirmative action.
Security of Processing
Controllers and Processors shall implement appropriate technical and organizational measures to ensure a level of security appropriate to the risk.
Data Subject Rights & Information
Controllers shall provide the information outlined in Articles 13 & 14 to Data Subjects and Data Subjects may access, correct, delete, restrict processing of, and transfer their personal data, as well as object to automated decision-making based on their personal data.
Controllers and Processors must create centralised repositories containing records of processing activities carried out on personal data.
Data Protection Impact Assessments
Where a type of processing is likely to result in a high risk to the rights and freedoms of natural persons, prior to processing Controllers must carry out assessments of the impact of the envisaged processing operations on the protection of personal data.
Data Protection Officer
Controllers and Processors whose core activities consist of processing operations which require regular and systematic monitoring of data subjects on a large scale or large scale processing of special categories of data must appoint a Data Protection Officer.
Controller and Processor relationships must be governed by binding contracts that set the terms of the processing to be performed and provide Controllers the right to object to Sub-Processors engaged by the Processors.
Data Breach Reporting
In the event of a breach involving personal data, the Controller shall, where feasible, notify the relevant Supervisory Authority within 72 hours after becoming aware of it and, if there is a likely high risk to the rights and freedoms of natural persons, the affected data subjects without undue delay.
Helpful GDPR Resources
Here are some links to GDPR resources which we will continue to update as regulatory authorities issue additional guidelines.
Teamgo Supports GDPR and Data Privacy
Key features provided by Teamgo with all plans and subscriptions.
- Permissions and roles - only give access to those that need it
- Anonymisation - remove all personal details
- Deletion - remove all data
- Retention - set specific automated deletion dates
Any and all visitor and employee data collected by Teamgo through your subscription can be anonymised and deleted in bulk or per individual record. We provide maximum control over your own data.
The GDPR supports individuals' privacy rights through strengthening limits on processing of their personal data, significantly expanding their rights over their data and providing increased transparency into the nature, purpose, and use of it.
The EU GDPR will set a standard for how companies use and protect EU citizens' data and this will be effective from May 2018 with Teamgo. At Teamgo, we’ve been working hard to prepare for GDPR, to ensure that we deliver its obligations and maintain transparency about how we use your data.
The EU General Data Protection Regulation (“GDPR”) is a new, extensive data protection law that will come into effect on May 25, 2018. This will replace the existing EU Data Protection law to strengthen the protection of “personal data” and the rights of the individual. This will be a set of rules which govern the processing and monitoring of EU data.
Does it affect me?
Yes, if you hold or process the data of any person in the EU, the GDPR will apply to you whether you are based in the EU or not.
How is Teamgo addressing the GDPR?
We have been working to define our own GDPR roadmap and approach to the implementation of this key requirement. A complete overhaul of our internal procedures, processors and data models is being prepared to make sure we’re meeting legal obligations for our customers while still allowing us to scale, build, deliver and support great products.
Our platform team is building the features that will enable Teamgo customers to easily and fully delete or anonymise all data linked to an individual user. These will be available to all customers from May 2018.
Teamgo can assist with meeting your data portability requirements for GDPR. You will be able to easily export all of your data or detailed information linked to an individual person.
You will also be able to delete this data from your Teamgo account and the Teamgo system.
Updating our Terms, Privacy and Data Processing Agreements (DPAs):
Clear data protection commitments are key to GDPR requirements. Teamgo's updated data processing agreement shares our privacy commitments and sets out the terms for Teamgo and our customers to meet GDPR requirements. This is available for customers to sign upon request. Enterprise customers are welcome to present their own DPAs for consideration and co-signing.
Certified for International Data Transfers:
The EU-US Privacy Shield is a framework agreed to by the European Commission and U.S. Department of Commerce as a lawful way of transferring personal data. To comply with the EU data protection laws around international data transfer, we are self-certified under the E.U.-U.S. Privacy Shield and the Swiss-U.S. Privacy Shield framework.
Co-ordinating with our vendors
We’re working with all of our existing and new vendors regarding their own GDPR plans and arranging similar GDPR-ready data processing agreements with them.
New security measures
We have regular external audits, penetration testing (pentests) and bug bounty programs. Teamgo has robust frameworks in place focusing on security first and processes for reviewing our internal access design to ensure the right people have access to the right level of customer data.
We will continue to keep sharing our policies, and we’ll also help our customers and prospective customers be compliant. Here are some steps you can take:
- Be familiar with the GDPR requirements and how they affect your company.
- Map out everywhere you process data and carry out an analysis in areas you feel there may be gaps.
- Consider how you can leverage Teamgo to help with your GDPR compliance of visitors to your locations. Our audit reports, pentests and security docs are available to customers on request (allow 7 working days to process).
- Look at your own product roadmap and think about privacy when you’re planning.
- Talk to your legal consultant about what your company needs to do regarding GDPR compliance.
- Keep an eye on the developing guidelines from the GDPR Article 29 Working Party.
Feel free to reach out to us in the Teamgo dashboard messenger if you have any questions about GDPR - we’d be happy to chat to you about it.