Whisbi’s Commitment to the GDPR

The GDPR (General Data Protection Regulation) is an important piece of legislation that is designed to strengthen and unify data protection laws for all individuals within the European Union.

As always, Whisbi is fully committed to complying with Data Protection regulations.

 In this article we cover: 

1. What is GDPR?

2. What is Whisbi doing about the GDPR?

3. What do Whisbi Customers need to do?

1. What is GDPR?

The General Data Protection Act (GDPR) is considered to be the most significant piece of European data protection legislation to be introduced in the European Union (EU) in 20 years and will replace the 1995 Data Protection Directive.

The GDPR regulates the processing of personal data about individuals in the European Union including its collection, storage, transfer or use. Importantly, under the GDPR, the concept of “personal data” is very broad and covers any information relating to an identified or identifiable individual (also called a “data subject”).

It gives data subjects more rights and control over their data by regulating how companies should handle and store the personal data they collect. The GDPR also raises the stakes for compliance by increasing enforcement and imposing greater fines should the provisions of the GDPR be breached.

The GDPR enhances EU individuals’ privacy rights and places significantly enhanced obligations on organizations handling data.

In summary, here are some of the key changes to come into effect with the upcoming GDPR:

• Expanded rights for individuals: The GDPR provides expanded rights for individuals in the European Union by granting them, amongst other things, the right to be forgotten and the right to request a copy of any personal data stored in their regard.
• Compliance obligations: The GDPR requires organizations to implement appropriate policies and security protocols, conduct privacy impact assessments, keep detailed records on data activities and enter into written agreements with vendors.
• Data breach notification and security: The GDPR requires organizations to report certain data breaches to data protection authorities, and under certain circumstances, to the affected data subjects. The GDPR also places additional security requirements on organizations.
• Consent: The conditions for consent have been strengthened, and companies will no longer be able to use long illegible terms and conditions full of legalese, as the request for consent must be given in an intelligible and easily accessible form, with the purpose for data processing attached to that consent. Consent must be clear and distinguishable from other matters and provided in an intelligible and easily accessible form, using clear and plain language. It must be as easy to withdraw consent as it is to give it.
• Increased Enforcement: Under GDPR organizations in breach of GDPR can be fined up 4% of annual global turnover or €20 Million (whichever is greater). This is the maximum fine that can be imposed for the most serious infringements e.g.not having sufficient customer consent to process data. There is a tiered approach to fines based on the seriousness of the breach and damages incurred. 

If you are a company outside the EU, you should still be aware of this. The GDPR applies to all companies processing the personal data of data subjects residing in the Union, regardless of the company’s location.

2. What is Whisbi doing about the GDPR?

Whisbi is a cloud-based SaaS solution hosted on Amazon Web Services (AWS).

AWS provides specific features and services which customers can leverage as they seek to comply with the GDPR. The IT infrastructure that AWS provides to its customers is designed and managed in alignment with security best practices and a variety of IT security standards, including:

– SOC 1/SSAE 16/ISAE 3402 (formerly SAS 70)
– SOC 2
– SOC 3
– FISMA, DIACAP, and FedRAMP
– DOD CSM Levels 1-5
– PCI DSS Level 1
– ISO 9001 / ISO 27001
– ITAR
– FIPS 140-2
– MTCS Level 3

In addition to Amazon Web Services’ own compliance, they have been offering services and resources to help companies comply with GDPR requirements.

Whisbi has also been dedicating internal resources to the GDPR since June 2017, almost a full year ahead of the deadline. Compliance with and to international law and regulations are very important to us and we value our customers (and their customers) right to privacy.

AWS compliance, data protection and security experts have been working with Whisbi to answer all our questions and help us to prepare for running workloads in the AWS Cloud when the GDPR becomes enforceable.

We are taking many steps across the entire company to ensure we will be ready for the GDPR.

Whisbi will comply with the GDPR when it becomes enforceable on May 25, 2018.

3. What do Whisbi Customers need to do?

1. Make sure your current Terms of Service and Privacy Policy are modified and updated to properly communicate to your users how you are collecting and using their personal data. You have to provide us with the Privacy Policy that your users will accept when using Whisbi. This requirement has always been a part of Whisbi’s Terms and Conditions, but the GDPR can heavily penalize you if you’ve not done this clearly. We recommend you ensure your policies are up to date and clear to your readers.

2. If you are in the European Union we would advise you to sign a Data Processing Agreement with Whisbi. We are working on a new Data Processing Agreement (GDPR DPA) that will meet the requirements of the GDPR. This GDPR DPA will be available soon to all our customers.

Urska Blagojevic

Urska is our Marketing Director and apart from all her major responsibilities, she enjoys writing blog posts in her little free time to pass on her knowledge about how Whisbi is revolutionising the customer experience for Enterprise.