Written by Tomas Honzak
With the GDPR going into effect in just a month, I’ve received a number of questions from customers about the precautions GoodData has taken and about how they should handle their own data going forward. I’ve compiled the most frequent of them below; they may answer some questions you’ve had as well. You can also read an article I wrote for RTInsights, 5 Common GDPR Misconceptions You Need to Understand.
1. “Do we need to move the personal data of EU residents out of GoodData’s US data center to GoodData’s EU data center?”
Our EU data center is always an option for European customers, and you’re free to move the data in question there ahead of GDPR. However, GDPR does not prohibit transferring personal data outside of the EU/EEA, provided certain criteria are met. At GoodData, we’ve taken steps to comply with GDPR in all our data centers worldwide. To adhere to the rules for international data transfers, we participate in the International Trade Administration’s U.S.-EU and U.S.-Swiss Privacy Shield Program and will enter into Standard Contractual Clauses with our customers.
2. “What are ‘Special Categories of Data’?”
Defined in Art. 9 GDPR, these categories cover the most sensitive personal data: health, sex life and sexual orientation, racial or ethnic origin, religious or philosophical beliefs, political opinions, trade union membership, and genetic and biometric data. The common denominator is that this information, if misused, can cause a lot of damage to an individual’s personal and professional life. Keeping it private must therefore be a top priority, and any systematic collection of such data is permitted only under rather restrictive conditions. It will be critical for all companies to recognize that the EU, and Europeans in general, have a different cultural view of privacy than North Americans do, and that protecting all personal information is of the utmost importance.
3. “What steps has GoodData taken to guarantee that our data is in compliance?”
We have carefully analyzed GDPR’s requirements and implemented a Privacy Management System, which ensures that all personal data—whether it is loaded to our platform by GoodData customers or it belongs to EU-based customers, partners, vendors, or our EU employees and contractors—is processed in accordance with GDPR requirements. As a part of the effort, we have expanded our internal audit activities to include data privacy controls.
GoodData customers may validate GoodData’s security measures, which are the most important commitment on the part of the data processor, by reviewing GoodData’s SOC 2 Type II audit report and additional security compliance documentation. We will also provide our customers with an overview of all subprocessors, and provide assurance that all the necessary arrangements, including the mechanisms for data transfer outside of the EU, are in place. As required by Art. 28 GDPR, GoodData will also provide any additional documentation necessary for demonstration of compliance and assist in customer compliance audits and inspections.
4. “How can an individual contact GoodData about privacy?”
Any individual with a privacy inquiry can contact GoodData’s Privacy Officer, who oversees the GoodData Privacy Management System and handles all privacy-related requests and complaints. Should an individual inquire about data processed in our platform by a GoodData customer, we will promptly inform that customer and will not act upon the request unless specifically required by law or authorized by the customer.
If you have any questions that were not covered here, or if you have concerns about preparing for GDPR, we’re here to help. Contact your Account Executive or Account Manager for more information.