Effective May 25, 2018, the European Union GDPR (General Data Protection Regulation) goes into effect!! Are you ready?
This post addresses the improvements we’ve made to myStratus 2018 to assist you in becoming GDPR compliant. Even though the GDPR only affects those businesses doing business in the EU, it’s important that all clients read this post to understand the changes we’ve made to the software, since the changes will affect all clients.
First, what is the GDPR? The GDPR updates and replaces the EU Data Protection Directive (1995) and will apply across the European Union as the de facto standard defining how companies can use customer data. EU citizens will get more say over how organizations can utilize their data. The new GDPR becomes effective as of May 25, 2018 across all EU member states. Failure to comply could mean a €20 million fine or 4% of your organization’s global turnover, whichever is greater.
Second, it’s important to state that only myStratus 2018 will be GDPR compliant! Because myStratus is a hosted solution managed by us, we have more control over the full solution and, therefore, have the ability to make it GDPR compliant. However, because Spectra is an on-premises database which resides within your network under your control, we do NOT have the same abilities to make Spectra GDPR compliant.
Third, we’ll define several key terms in the GDPR – Data Controller and Data Processor. You, as the one doing business in the EU, are the Data Controller. The primary responsibility to meet all GDPR regulations rests with you. We simply serve as your Data Processor. As your Data Processor, we also have certain obligations that we must meet. This article will focus on the requirements we must meet as your Data Processor and how we are meeting those requirements in myStratus 2018. This post will NOT address your remaining requirements under GDPR as the Data Controller.
So, let’s discuss the responsibilities that we have as your Data Processor and the changes we’ve made in myStratus 2018.
Personal Data Privacy
GDPR has many requirements concern how you collect, store, and use personal data, making it necessary to first identify the personal data you hold about data subjects. It requires both the Data Controller and Data Processor to discover, identify, and classify all “Personal Data” that is being collected for your clients. As your Data Processor, we have already identified every table and field in your database that is designed to store personal data for your clients. In addition, we have classified each of these data fields as a special Personal Data Collection Field.
myStratus also maintains 30 days of detailed Audit Logs of every transaction that takes place in your database, including every “Read and Write” action. These Audit Logs now utilize this new Personal Data Classification and report every time Personal Data has been collected, read, or accessed in your database.
Rights to Access Personal Data
GDPR states that your clients have the right to request a copy of the data relevant to them and ask for it to be rectified or deleted. In myStratus, we have provided you with several mechanisms for you to accomplish this if you receive such a request from a client.
- The easiest way to provide a client with the Personal Data you are tracking is to simply select those columns on the Client Hub, search for their client record, export that row to Excel and then send them a copy of that data.
- A more advanced way is to create a client Web Form which contains all the Personal Data collection fields. Then, upon request, you can simply email a client a link to this Web Form where they can view the data you have collected.
- myStratus has always provided easy methods to delete data. If you receive a request from a client to purge all data that you may be tracking, you can simply delete their client record and all historical data you’ve collected over the years.
Secure Personal Data
GDPR requires that all personal data is secure through some method of encryption. First, we encrypt your entire database on our servers rendering it completely unreadable to any individual without authorized access. Secondly, we ensure that all data is encrypted as it travels in and out of your database. This means that all our applications use proper encryption when data is sent into or pulled from your database.
GDPR requires organizations to detect and report any data breach to data protection authorities generally within 72 hours of detection, unless the breach is unlikely to result in a risk to the privacy rights of individuals. As your Data Processor, we subscribe to the latest Threat Detection Services which alerts our team of any suspicious database activities, potential vulnerabilities, SQL injection attacks, as well as any unusual database access patterns. Once alerted that any suspicious data activity has occurred with your database, our Technical Support Team will provide you with an alert. You will then be responsible to report the activity if you feel that Personal Data has been breached.
GDPR requires that all your data always reside within the EU, and only be transferred to third countries with required safeguards in place. If your business resides in the EU, then we store ALL your data in a data warehouse within the EU, and not in the US!
If you are subscriber to StudioPlus Mail, which relies on a deep integration with SendGrid, a US based company, then email activity may be flowing to the US as an email is being sent to your client. The GDPR has created a voluntary self-certification program in which US organizations can participate to show they have adequate data protection practices in place to meet this requirement of the GDPR, known as the Privacy Shield. SendGrid is Privacy Shield certified.
Data Resiliency refers to the ability of cloud-based services, such as myStratus, to withstand certain types of failures and yet remain fully functional from the customers’ perspective. Data resiliency means that no matter what failures occur within myStratus, your customer data, including any personal information, remains intact and unaffected.
To accomplish proper Data Resiliency, we first ensure your database is automatically replicated to three separate physical drives in three completely separate server racks within our datacenter. For you, that means no downtime or data loss if there is ever a hard drive failure or other hardware-related outage.
Secondly, every database is geo-replicated to a secondary datacenter at least 500 miles away from the primary datacenter (but still within the EU). With geo-replicated databases, this means that we always maintain six copies of your data at all times!
Third, we have implemented a new feature in myStratus 2018 called Automatic Disaster Recovery (ADR). In the event of a major disaster which causes a full datacenter outage, our systems will automatically discover that your database is no longer reachable by your business. In that unlikely event, the system will automatically reconnect your business to the secondary datacenter within 20-60 seconds.
If you utilize email marketing in your business, GDPR requires that you get explicit permission from your clients before you send them marketing emails. This permission is best obtained through an “Opt-In” process where a client has the ability to click a checkbox stating that you have their permission to send them marketing emails.
However, GDPR also makes provision for using an “Opt-Out” process (also known as “soft opt-in exception”) as long as:
- The recipient is an existing/potential customer
- Their email address was obtained in the context of the sale of a product or service
- An opt-out was provided when the details were obtained
- The marketing relates to “similar” products or services
In myStratus 2018, we’ve made several changes on how we collect email addresses via the web. A new question has been added to both the myStratus Online Booking process and the new Client Referral Page asking the client “May we email you marketing material?”. If the client leaves this box unchecked, the software will automatically check the Do Not Market checkbox on the client’s record. For clients in other countries who do not wish to show this question, it can be turned off in either the Online Booking Preferences or Referral Program Preferences.
Finally, GDPR requires you keep detailed logs of each time a client changes their email preferences. So, in myStratus 2018, the software will now add a note to the Client Status Notes every time the Do Not Market checkbox is checked or unchecked.
At StudioPlus, we are proud of the complete and robust systems we’ve spent the past 20 years building for our clients!! As a StudioPlus client, YOU are the one who benefits from this work! Rest assured, by using myStratus 2018, you’re using a best-in-class service to help you attain GDRP compliance.
This post is for general purposes only and should not be relied upon as legal advice or to determine how GDPR might apply to you and your organization. We encourage you to work with a legally qualified professional to discuss GDPR, how it applies specifically to your organization, and how best to ensure compliance. STUDIOPLUS SOFTWARE MAKES NO WARRANTIES, EXPRESS, IMPLIED, OR STATUTORY, AS TO THE INFORMATION IN THIS POST. This information is provided “as-is.”
Click here to watch a SendGrid Webinar on GDPR as it relates to using StudioPlus Mail as your email provider
Click here to read more about GDPR
Click here to read the full GDPR Text