As you probably know there is new EU legislation, called the General Data Protection Regulation, coming into place on May 25th 2018.
This new regulation has been designed to give people more control of their personal information. As such, we want to let you know exactly what information we store about you, what we do with it and crucially, how you can get access to it.
What is GDPR?
The EU General Data Protection Regulation (GDPR) replaces the existing privacy regulations and was designed to align data privacy laws across Europe, to protect and empower all EU citizens data privacy and to reshape the way organisations across the region approach data privacy.
What does that mean for nudj?
The UK's independent regulatory body for data protection and privacy, the Information Commissioner's Office (ICO), outlines the main responsibilities for organisations, including nudj, under GDPR - requiring that personal data must be:
“a) processed lawfully, fairly and in a transparent manner in relation to individuals;
b) collected for specified, explicit and legitimate purposes and not further processed in a manner that is incompatible with those purposes; further processing for archiving purposes in the public interest, scientific or historical research purposes or statistical purposes shall not be considered to be incompatible with the initial purposes;
c) adequate, relevant and limited to what is necessary in relation to the purposes for which they are processed;
d) accurate and, where necessary, kept up to date; every reasonable step must be taken to ensure that personal data that are inaccurate, having regard to the purposes for which they are processed, are erased or rectified without delay;
e) kept in a form which permits identification of data subjects for no longer than is necessary for the purposes for which the personal data are processed; personal data may be stored for longer periods insofar as the personal data will be processed solely for archiving purposes in the public interest, scientific or historical research purposes or statistical purposes subject to implementation of the appropriate technical and organisational measures required by the GDPR in order to safeguard the rights and freedoms of individuals; and
f) processed in a manner that ensures appropriate security of the personal data, including protection against unauthorised or unlawful processing and against accidental loss, destruction or damage, using appropriate technical or organisational measures.”
Is nudj GDPR compliant?
Based on our self-assessment and that of external legal counsel, we are fully compliant as of the 25th May 2018.
What have you done specifically?
Set up internal privacy processes
Includes setting up an internal team, appointing a DPO and understanding what processes we need to implement at a company level to comply with GDPR - e.g. privacy by design, additional data handling training.
Conduct extensive GDPR research
Documented exactly what information we capture, assessed what is essential for us to deliver our service to users, audited our vendors and identified what product updates were required to meet GDPR.
Update Terms of Service
They now include updated rules, in line with GDPR, which you must agree to follow in order to use nudj. Read them here.
Update Privacy Statement
It now includes information outlining exactly what we do with your data and why we do it. Read it here.
Implement product updates to support GDPR
Includes minimising the amount of personal information we store, process and share with vendors to provide you with the service. We’ve also updated our architecture to support encryption in transit and at rest, plus recovery and permanent deletion.
Communicate changes to users
That’s what this document and the emails we’ve sent you are all about.
Where can I get more information about GDPR?
If you're in need of more information, we recommend the ICO's guide on GDPR, which is a great resource designed to help you understand GDPR better. Note that clicking on the link will take you to an external website:
What information are you storing?
We store only necessary information, as collected by you. Individual logins mean that your team members can keep their details accurate and up to date, ensuring that you meet your legal obligations as an employer.
Where is our data stored?
We store your personal data in the EEA. However, on occasion we use third parties / vendors to help us deliver core services, which we are unable to deliver otherwise, such as Intercom.
All vendors have been selected based on the fact that they are all self-certified under the EU-US Privacy Shield - one approach under which personal data of EU citizens is allowed to be transferred to the US, as it guarantees that the required standards for safe transfer and storage are met.
How are you storing it?
We encrypt all your data both at rest and in transit (speak to our CTO, Nick, if you'd like more details). Our website and storage processes are all architected for security.
Can I access or delete all my data at any time?
Yes, we can provide you with all your data and delete everything if you request it. This also includes any data held by our third-party providers.
Who can I contact about my data at nudj?
Our Data Protection Officer is Jamie Gunson. You can reach him at email@example.com.
You can read it here.