The European Union’s General Data Protection Regulation (GDPR) becomes effective on 25 May 2018. The aim of the GDPR is to strengthen and unify data protection for all individuals within the European Union. Lawful, fair and transparent processing, limiting data storage to its purpose, and security are all key principles of the GDPR legislation.
The legislation places new obligations on organisations that process EU personal data. From Jakamo’s point of view, it is our duty to make sure we are compliant with the GDPR requirements as a Data Processor processing personal data on behalf of our customers. On the other hand, we want to help our customers meet the obligations set for Data Controllers by providing all the information needed to ensure personal data is being processed according to the regulation. Furthermore, Jakamo also uses personal data for its own purposes, such as billing and product development, and this needs to be taken into account as well.
Here’s a brief description of the main changes we’ve implemented to be GDPR compliant. We divide the actions into four categories: contractual, organisational, technical and communication changes.
Data Processing Addendum. The data protection regulations require that the processing of personal data by a Data Processor (Jakamo Limited) is governed by a written contract or other written legal act with the Data Controller (Customer). The DPA is an important part of the contractual entity between the Customer and Jakamo. It states how the personal data is being processed on behalf of the Customer. The DPA is a new addition to the Service Agreement entity between the Customer and Jakamo Limited, and it has been composed to cover all the requirements of the GDPR.
On Jakamo’s side there were not many changes to be made to the organisation and processes, but many of the processes needed to be documented in more detail. Also, a number of minor practices were added to existing processes. The Jakamo Security Policy is the overall guiding document which defines the different practices, processes and policies concerning information security in our operations. A few of the practices which were either created or defined in more detail are highlighted here.
Data Protection Impact Assessment. The GDPR Data Protection Impact Assessment was adopted as a part of the overall risk assessment process. The first specific Data Protection Impact Assessments were conducted, and in the future they will be part of the standard processes.
Subject Access Requests (SAR). A process for responding to Subject Access Requests was defined, documented and trained for the whole staff. The defined process aims to handle the requests effectively and without undue delay.
Security Incident Team. A new Security Incident Team was established. The CEO and COO form the core of the team, and it is responsible for handling any security incident that arises as well as for breach notification to all relevant parties. Case by case, other personnel are nominated as team members to solve the issues at hand.
Information security is the most important aspect of our technical development, and different technical measures for enhancing information security are implemented continuously. For example, a two-factor authentication option for accessing the service is currently being built. Also, some technical additions deriving from the GDPR relate to the rights of the Data Subject, meaning individual Jakamo End users. At the moment, features such as letting users see all their data in the system are being implemented. Furthermore, the consent of the user is being emphasised, and the registration process is being made clearer and more informative.
One important aspect of the GDPR is the transparency of data processing, and therefore we are enhancing our communications to our Customers and End users. The main implication is the recently published Jakamo Trust Center, where we give detailed information about how we process the data and how it is secured. We want to give our Customers, as Data Controllers, a clear way to state how Jakamo is complying with its obligations, and to give End users a transparent and practical description of how their personal data is being processed.
This blog text summarises some of the actions we’ve been implementing during the past months. If you’re interested in hearing more, visit the Trust Center or contact us directly.
Anssi Uitto, CEO & Co-founder