PeopleVine is GDPR Ready.
What does that mean?
In this article we'll detail the requirements and provide a checklist for both understanding GDPR and helping to ensure you comply with GDPR.
We highly recommend you consult with an attorney or privacy and compliance specialist before signing off that you're GDPR Compliant.
Becoming GDPR Compliant
This can be broken down into a few sections:
- Your Data and what you do with what you collect
- Accountability and Management of the data you collect
- Your Customer's Rights with their own data
- Getting Consent to not only opt-in but also process their data
- Advanced Use Cases when processing data beyond our platform
Let's start with Your Data, or rather Your Customer's Data, since we provide you with ownership over that data (it's not ours). So it's important that you're aware of the following:
- Know what's happening to your data, not just in PeopleVine, but when you export it, connect to our API, or even post it on your website or portal.
Some things to keep in mind: 1) know what you're collecting and why, 2) what the source of that info was (if outside of PeopleVine) - you can label your imports, 3) who you share it with (when exported, posted elsewhere, or via API), 4) what you or they do with it, and 5) how long it is kept (in PeopleVine, it's kept until you delete it).
- Know where your data sits. Well, that's easy, as more than likely you're leveraging all of PeopleVine's robust features! But seriously, when you export data from PeopleVine, where are you putting it? Keep track of this. If you're sharing it with others, what are they doing with it?
Remember, it's not only about where you download your data to, but also what you display to people on your website or portal. We have you covered there too (as long as you leverage it). Within just about every element you create (content, directory, events, schedulers, etc.) you can assign permissions to anyone, members of groups, or only admins in order to prevent unauthorized access.
Check out this article on how to replace our default ones. If you do something with the data outside of our platform, please make sure you update your policies, AND if you do process their data, make sure it's on a lawful basis.
Great, we hope that first part made sense. Best of all, if you keep the data in PeopleVine, then you're that much closer to being compliant!
Now let's look at Accountability and Management of the data you are collecting. This is really focused on how you leverage our platform, as well as others, when processing the data.
- Make sure you appoint someone at your company who understands how to protect your data and what to do in case of an emergency. They would create awareness among decision makers about GDPR guidelines. They would train the rest of your team on how to protect your data.
This person would be known as your Data Protection Officer and would help ensure compliance throughout.
- Make sure your technical security is up to date. This would include computer updates, network updates, security/passwords, connected devices, software installed, etc., but you should've already had that covered!
PeopleVine also helps ensure you meet these requirements as they relate to your site. For example, you can easily enable SSL for data-capturing sites (SSL is included in most of our plans). We also completed a series of penetration tests, performance tests and more to ensure PeopleVine can withstand the test of time.
- Now, this is the tricky one: if you operate outside of the EU, then you should have an appointed representative in the EU in case a local authority needs to contact someone. We recommend looking for attorney offices in the UK (or other parts of the EU) that can be available as needed.
- If there is a data breach involving personal data, you must report it to a local authority and to the people involved. So make sure you know where your data is once it leaves PeopleVine!
OK, now you need to be aware of Your Customer's Rights and their New Rights too.
- We've made it easy for your customers to get access to and update their personal information and the information you capture by providing self-service tools. Just add these to the end of your registered domain in PeopleVine (and we include most of them throughout standard pages/navigation):
- /account/edit, which allows your customers to edit their profile. You can also attach a form of questions/attributes that allows people to opt in and out of certain marketing lists
- /account/memberships, which allows members to edit their member/public profile
- /account/businesses, which provides people who have company profiles in the directory with access to manage those
- /contact in case they need to get a hold of you.
- No matter how people interact with PeopleVine, there's always a way for them to edit and view their data. Make sure that any other provider you work with does the same!
- In many areas of PeopleVine (and more over time), you will find the ability to delete and/or archive data. When you press delete, it will remove the information permanently. Also, on the customer profile, admins have access to Wipe Person, which will completely erase people from your database along with all their past touchpoints.
In order to remain compliant with GDPR, we will be setting up automated purging of archived data 90 days after it is set to archived.
Just make sure that when your customer requests to be removed, or requests access to their info, you provide it to them. Data can easily be exported in PeopleVine, with the ability to print out their personal profile as well.
- Honor their opt-out: if they want out, let them out. Maybe, when they're interested again, they'll opt in again.
We've made it really easy to opt out by 1) providing both an Instant Opt Out and an Edit My Preferences link at the bottom of each marketing newsletter, 2) letting them reply STOP (or other words) to opt out of SMS messages, 3) allowing them to easily edit their account at /account/edit, and 4) giving them the ability to opt out when engaging with new experiences.
- If you are processing children's personal data, you must verify their age and ask for consent from their legal guardian. So make sure you ask for these by attaching a form to the experience they're interacting with, and block access until you have consent.
Whoa, if you made it this far, then you're that much closer to being compliant!
If you have Advanced Use Cases then check out these final thoughts. If you don't have advanced use cases, then scroll down for more notes:
- Make sure you regularly review policies for changes, effectiveness, changes in handling of data, and changes to the state of affairs of other countries your data flows to. We'll help you with as much as we can, as quickly as we can. But reach out if you need help.
- If you're carrying out large-scale data processing, profiling and other activities with high risk to the rights and freedoms of people (what are you doing???), then you may need to conduct a DPIA (Data Protection Impact Assessment). If this is you, then google it, as you're much more technical than us.
- Your data, or at least the data that sits in PeopleVine, currently resides ONLY in the United States of America, in West Coast, East Coast and Midwest data centers hosted within Microsoft Azure's cloud. We will continue to expand our presence to other data centers throughout the world where they comply with GDPR and other regulations.
In this case, we also recommend that anyone you transfer your data to outside of the EU also meets the same or better level of protection as the GDPR.
Now, that's all we have to offer on GDPR, and as you've seen, PeopleVine has already helped you comply since day one with our robust toolset!
With that being said, here are some great resources on GDPR (but please contact a GDPR consultant/attorney to ensure you are 100% compliant):
- Official EU GDPR Regulations
- Wikipedia General Data Protection Regulation
- Web Based Version of the full General Data Protection Regulation
- Microsoft Trust Center: GDPR Compliance
Specific Response to Clauses 4(d) and 5(c)
Description of the technical and organizational security measures implemented by the data importer in accordance with Clauses 4(d) and 5(c) (or document/legislation attached):
PeopleVine currently observes the security practices described below. Notwithstanding any provision to the contrary otherwise agreed to by data exporter, PeopleVine may modify or update these practices at its discretion provided that such modification and update does not result in a material degradation in the protection offered by these practices. All capitalized terms not otherwise defined herein shall have the meanings as set forth in the Agreement.
a) Access Control
i) Preventing Unauthorized Product Access
Outsourced processing: PeopleVine hosts its Service with outsourced cloud infrastructure providers, namely Microsoft Azure. Additionally, PeopleVine maintains contractual relationships with vendors in order to provide the Service in accordance with our Licensing Agreement. PeopleVine relies on contractual agreements, privacy policies, and vendor compliance programs in order to protect data processed or stored by these vendors.
Physical and environmental security: PeopleVine hosts its product infrastructure with multi-tenant, outsourced infrastructure providers. The physical and environmental security controls are audited for SOC 2 Type II and ISO 27001 compliance, among other certifications.
Authentication: PeopleVine has implemented a uniform password policy for its customer products. Customers who interact with the products via the user interface must authenticate before accessing non-public customer data.
Authorization: Customer data is stored in multi-tenant storage systems accessible to Customers only via application user interfaces and application programming interfaces. Customers are not allowed direct access to the underlying application infrastructure. The authorization model in each of PeopleVine's products is designed to ensure that only the appropriately assigned individuals can access relevant features, views, and customization options. Authorization to data sets is performed by validating the user's permissions against the attributes associated with each data set.
Application Programming Interface (API) access: Public product APIs may be accessed using an API key or through OAuth authorization.
ii) Preventing Unauthorized Product Use
PeopleVine implements industry standard access controls and detection capabilities for the internal networks that support its products.
Access controls: Network access control mechanisms are designed to prevent network traffic using unauthorized protocols from reaching the product infrastructure. The technical measures implemented differ between infrastructure providers and include Virtual Private Cloud (VPC) implementations, security group assignment, and traditional firewall rules.
Intrusion detection and prevention: PeopleVine leverages Microsoft Azure Security & Compliance along with firewalls and other settings/monitors to identify intrusions.
Static code analysis: Security reviews of code stored in PeopleVine's source code repositories are performed, checking for coding best practices and identifiable software flaws.
Penetration testing: PeopleVine maintains relationships with industry recognized penetration testing service providers for four annual penetration tests. The intent of the penetration tests is to identify and resolve foreseeable attack vectors and potential abuse scenarios.
iii) Limitations of Privilege & Authorization Requirements
Product access: A subset of PeopleVine's employees have access to the products and to customer data via controlled interfaces. The intent of providing access to a subset of employees is to provide effective customer support, to troubleshoot potential problems, to detect and respond to security incidents and implement data security. Access is enabled through “just in time” requests for access; all such requests are logged. Employees are granted access by role, and reviews of high risk privilege grants are initiated daily. Employee roles are reviewed at least once every six months.
Background checks: All PeopleVine employees undergo a third-party background check prior to being extended an employment offer, in accordance with and as permitted by the applicable laws. All employees are required to conduct themselves in a manner consistent with company guidelines, non-disclosure requirements, and ethical standards.
b) Transmission Control
In-transit: PeopleVine makes HTTPS encryption (also referred to as SSL or TLS) available on every one of its login interfaces and for free on every customer site hosted on the PeopleVine products. PeopleVine's HTTPS implementation uses industry standard algorithms and certificates.
At-rest: PeopleVine stores user passwords following policies that follow industry standard practices for security. PeopleVine has implemented technologies to ensure that stored data is encrypted at rest.
c) Input Control
Detection: PeopleVine designed its infrastructure to log extensive information about system behavior, traffic received, system authentication, and other application requests. Internal systems aggregate log data and alert appropriate employees of malicious, unintended, or anomalous activities. PeopleVine personnel, including security, operations, and support personnel, are responsive to known incidents.
Response and tracking: Suspected and confirmed security incidents are investigated by security, operations, or support personnel; and appropriate resolution steps are identified and documented. For any confirmed incidents, PeopleVine will take appropriate steps to minimize product and Customer damage or unauthorized disclosure.
Communication: If PeopleVine becomes aware of unlawful access to Customer data stored within its products, PeopleVine will: 1) notify the affected Customers of the incident; 2) provide a description of the steps PeopleVine is taking to resolve the incident; and 3) provide status updates to the Customer contact, as PeopleVine deems necessary. Notification(s) of incidents, if any, will be delivered to one or more of the Customer’s contacts in a form PeopleVine selects, which may include via email or telephone.
d) Availability Control
Infrastructure availability: The infrastructure providers use commercially reasonable efforts to ensure a minimum of 99.9% uptime. The providers maintain a minimum of N+1 redundancy to power, network, and HVAC services.
Fault tolerance: Backup and replication strategies are designed to ensure redundancy and fail-over protections during a significant processing failure. Customer data is backed up to multiple durable data stores and replicated across multiple availability zones.
Online replicas and backups: Where feasible, production databases are designed to replicate data between no less than 1 primary and 1 secondary database. All databases are backed up and maintained using at least industry standard methods.
PeopleVine's products are designed to ensure redundancy and seamless fail-over. The server instances that support the products are also architected with a goal to prevent single points of failure. This design assists PeopleVine operations in maintaining and updating the product applications and backend while limiting downtime.
This legal information is not the same as legal advice, where an attorney applies the law to your specific circumstances, so we insist that you consult an attorney if you’d like advice on your interpretation of this information or its accuracy. To sum it up, you may not rely on this article as legal advice, nor as a recommendation of any particular legal understanding.