The European Union’s General Data Protection Regulation (GDPR) comes into effect on May 25, 2018, and will markedly change how companies process and handle end users’ Personally Identifiable Information (PII).
As part of its continued commitment to protecting proprietary and customer data, as well as protecting individuals from security and privacy breaches, Whatfix can now confirm that the company has completed its GDPR readiness program.
You are probably already aware of what the GDPR is, but, as is customary, here is a gist of the European regulation.
The GDPR was designed to give European citizens a new set of digital rights in an era where personal data is a sort of currency in itself. Apart from the new obligations it places on data processors, the most important aspect of the GDPR is that its reach is not limited by territory: it applies to every company that processes European citizens’ PII, irrespective of where the company or the citizen is located.
Beyond that, the GDPR also gives end users new digital rights over their PII: they can ask for a copy of all the PII a company holds and processes about them, have that PII erased under the seminal Right to be Forgotten, and much more.
Since companies never previously had an obligation to erase an end user’s data, to provide a copy collating everything they hold across multiple assets, or to do much else of what the new privacy law requires, they have had to put new infrastructure in place to ensure compliance.
And, unlike the previous European data privacy law, the GDPR does not require individual EU member states to ratify it separately.
The full text and summaries of key aspects of the GDPR can be accessed here.
By nature, the Whatfix platform legally and consensually acquires and processes certain amounts of PII data. Now, with the GDPR on the verge of being enforced, we have a responsibility and a requirement to ensure that each of our processes is compliant and aligned with the law.
Our preparation for the GDPR began with a comprehensive, organization-wide risk-assessment audit to clearly identify the PII data being held and its sources. This assessment covered not just the Whatfix platform but all departments and activities we undertake.
As a company, we work with multiple software vendors and service providers. Starting last year, we have coordinated with all of these vendors to ascertain their GDPR compliance and to ensure that every stakeholder we work with adheres to the statutes of the GDPR.
In scenarios where we use third-party services to process PII data on behalf of Whatfix, we have put in place Data Processing Agreements in accordance with the requirements of the GDPR. We have also appointed a Data Protection Officer with the mandate of keeping all PII data safe and secure.
Adhering to the data protection and privacy requirements prescribed by the GDPR, we have ensured that we meet its data minimization and storage limitation statutes. We have also made changes so that the Whatfix platform provides data privacy by design, and put in place systems to give customers and individuals copies of their PII data whenever they request them.
We also honour data subjects’ right to request erasure of their data, and have installed systems that uphold all the digital rights the GDPR confers on data subjects.
We encourage our customers to review all the new GDPR-compliant policies we have put in place and to provide their feedback. We strongly recommend that customers contact us at firstname.lastname@example.org with any queries regarding GDPR rules as they relate to Whatfix.