Jakamo and GDPR

The European Union’s General Data Protection Regulation (GDPR) becomes effective on 25 May 2018. The aim of the GDPR is to strengthen and unify data protection for all individuals within the European Union. Lawful, fair and transparent processing, limiting data storage to its purpose, and security are all key principles of the GDPR legislation.

The legislation places new obligations on organizations that process EU personal data. From Jakamo’s point of view, it is our duty to make sure we are compliant with the GDPR requirements as a Data Processor processing personal data on behalf of our customers. On the other hand, we want to help our customers meet the obligations set for Data Controllers by providing all the information needed to ensure personal data is being processed according to the regulation. Furthermore, Jakamo also uses personal data for its own purposes, such as billing and product development, and this needs to be taken into account as well.

Here’s a brief description of the main changes we’ve implemented to be GDPR compliant. We divide the actions into four categories: contractual, organisational, technical and communication changes.


Contractual changes

We started preparing our service agreements to be GDPR ready with an external assessment of the documents by an experienced lawyer. One of the main results of the assessment was that we needed to better explain our relationship with our customers and end users. Also, the regulation requires that the processing of personal data is agreed between the Data Controller (our Customer) and the Data Processor (Jakamo). As a result, we ended up updating our Terms and adding a separate Data Processing Addendum, which together govern the contractual relationship between our Customer and Jakamo Limited. We also renewed the Privacy Policy, which is targeted at the individual users of the Jakamo service and all other individuals whose data we process as part of our business processes.

Terms. The first notable change to the Terms was the clarification of the roles of the Customer (company), the End user and Jakamo. The Terms now govern especially the business relationship between the Customer and Jakamo Limited. All items relating to the End user are now described in the Privacy Policy. The second notable addition was a reference to the Data Processing Addendum, which is a separate document but part of the Terms. Otherwise the changes to the Terms were minor additions, such as a prohibition on using disposable, short-term or similar temporary email addresses or other temporary contact information when registering for the service.

Data Processing Addendum. The data protection regulations require that the processing of personal data by a Data Processor (Jakamo Limited) is governed by a written contract or other written legal act with the Data Controller (Customer). The DPA is an important part of the contractual entity between the Customer and Jakamo. It states how the personal data is processed on behalf of the Customer. The DPA is a new addition to the Service Agreement entity between the Customer and Jakamo Limited, and it has been composed to cover all the requirements of the GDPR.

Privacy Policy. The Privacy Policy has been re-organized to make it clearer and more understandable. It defines the key terms, describes our data collection and processing practices, and states the purposes of processing personal data. The renewed Privacy Policy, with improved clarity and transparency, is targeted at the individuals whose data we process.


Organisational changes

On Jakamo’s side there were not too many changes to be made to the organisation and processes, but many of the processes needed to be documented in more detail. Also, a number of minor practices were added to existing processes. The Jakamo Security Policy is the overall guiding document which defines the different practices, processes and policies concerning information security in our operations. A few of the practices which were either created or defined in more detail are highlighted here.

Data Protection Impact Assessment. The GDPR Data Protection Impact Assessment was adopted as part of the overall risk assessment process. The first specific Data Protection Impact Assessments were conducted, and in the future they will be part of the standard processes.

Subject Access Requests (SAR). A process for responding to Subject Access Requests was defined, documented and trained for the whole staff. The defined process aims to handle the requests effectively and without undue delay.

Security Incident Team. A new Security Incident Team was established. The CEO and COO form the core of the team, which is responsible for processing any security incident that arises as well as for breach notification to all relevant parties. Case by case, other personnel are nominated as team members to solve the issues at hand.


Technical changes

Information security is the most important aspect of our technical development, and different technical measures for enhancing information security are implemented continuously. For example, a two-factor authentication option for accessing the service is currently being built. Also, some technical additions deriving from the GDPR relate to the rights of the Data Subject, meaning individual Jakamo End users. Features are currently being implemented, e.g. for users to see all their data in the system. Furthermore, the consent of the user is being emphasized, and the registration process is being made clearer and more informative.


Communication changes

One important aspect of the GDPR is the transparency of data processing, and therefore we are enhancing our communications to our Customers and End users. The main implication is the recently published Jakamo Trust Center, where we give detailed information about how we process the data and how it is secured. We want to give our Customers, as Data Controllers, a clear way to state how Jakamo is complying with its obligations, and to give End users a transparent and practical description of how their personal data is processed.

This blog post summarises some of the actions we’ve been implementing during the past months. If you’re interested in hearing more, visit the Trust Center or contact us directly.

Sincerely,
Anssi Uitto, CEO & Co-founder