- What is GDPR?
GDPR is a privacy and data protection law that regulates how companies protect the data of European Union residents and gives those residents greater control over the data they share on any platform.
The GDPR is relevant to any globally operating company that is accessible, directly or indirectly, to European businesses or citizens of the European Union. The data our customers share on our platform is important irrespective of where the customer is based, which is why, as a responsible platform, we have implemented GDPR controls as our baseline standard for all our operations across the globe. GDPR has taken effect from 01 May 2023.
- Does the GDPR apply to me?
While the current EU legislation (the 1995 EU Data Protection Directive) governs entities within the EU, the territorial scope of the GDPR is far wider in that it will also apply to non-EU businesses who a) market their products to people in the EU or who b) monitor the behaviour of people in the EU. In other words, even if you’re based outside of the EU but you control or process the data of EU citizens, the GDPR will apply to you.
In keeping with our ongoing commitment to privacy and security, Excalibur is committed to making it easier for you to comply with the GDPR.
- What are the main responsibilities under GDPR?
GDPR requires that personal data be:
- Processed lawfully, fairly and in a transparent manner
- Collected for specified, explicit and legitimate purposes and not further processed in a manner incompatible with those purposes
- Adequate, relevant, and limited to what is necessary for achieving those purposes
- Accurate and kept up to date
- Stored no longer than necessary to achieve the purposes for which it was collected
- Properly secured against accidental loss, destruction, or damage
Further, GDPR places additional obligations on companies to document their processing activities and be able to demonstrate their compliance with the above principles.
It also codifies the requirement that companies apply data protection by design and by default when developing and designing processes, products and systems.
In addition, if a Company uses service providers to process personal data on its behalf, the Company will need to have an appropriate contract in place that obligates those providers to apply GDPR’s data processing standards.
Similarly, if a Company is transferring EU personal data outside the EU, it may only do so if the data is being transferred to a country deemed by the EU Commission to have adequate data processing regulations.
For transfers to countries not deemed adequate, the Company must ensure appropriate alternative safeguards are in place.
Currently, under the Directive, approved transfer safeguards include the EU-US Privacy Shield and standard contractual clauses.
- What is the definition of “personal data” under the GDPR?
Personal data means data that relates to an identified or identifiable natural person (aka “data subject”). An identifiable data subject is someone who can be identified, directly or indirectly, such as by reference to an identifier like a name, email address, phone number, location data, an online identifier, or to one or more factors specific to the physical, physiological, genetic, mental, economic, cultural or social identity of that natural person.
Importantly, this is a very broad definition and can encompass data like IP addresses of a user’s personal device, their device ID, or their phone number. It does not matter that the identifier could change (e.g., that the user could change their phone number or device ID).
What matters is that the information can be used to “pick that user out of the crowd” even if you don’t know who that user is.
It is also important to note that the definition of personal data is not tied to concerns about identity theft the way that definitions of personally identifying information (PII) are under many US data breach laws. So, even if it seems like there would be little privacy harm if someone got a hold of the users’ IP addresses, that does not mean that those IP addresses are not personal data.
It just means that this data may not require the same level of data protection as more sensitive personal data like your users’ credit card numbers.
- Who is the Controller and who is the Processor in the relationship between Excalibur Solutions and a Customer?
Unless explicitly clarified in any agreement, Excalibur Solutions will be the Processor and Customer/User will be the Controller.
- What are the key changes from the previous regulations?
New and enhanced rights for data subjects – This law gives an individual/User the right to exercise complete authority over their personal data. Some of the rights highlighted in the regulation are:
Explicit consent – Data subjects must be informed about how their personal data will be processed. Organizations must make it as easy for data subjects to withdraw their consent as it is to grant it.
Right to access – At any point in time, the data subject can ask the Processor what personal data is being stored or retained about him/her.
Right to be forgotten – The data subject can request the Processor to remove their personal information from the Processor’s systems.
Obligations of the processors – GDPR has raised the bar for the responsibilities and liabilities of data processors as well. Processors must be able to demonstrate compliance with the GDPR and they must follow the data controller’s instructions.
Data Protection Officer – Organizations may need to appoint a staff member or external service provider who is responsible for overseeing GDPR, general privacy management compliance and data protection practices.
Privacy Impact Assessments (PIA) – Organizations must conduct privacy impact assessments of their large-scale data processing to minimize the risks and identify measures to mitigate them.
Breach notification – Controllers must notify the stakeholders (the supervisory authority, and where applicable, the data subjects) within 72 hours of becoming aware of a breach.
Data portability – The Processor must be able to provide data subjects with a copy of their personal data in machine-readable format. If possible, they must be able to transfer the data to another controller.
- What steps does the Company take to become GDPR-ready?
We have covered a lot of ground toward understanding and analysing how GDPR will impact our customers and making appropriate changes to our product and processes. Below is a glimpse of our analysis and the steps we took to ensure we are compliant well in time:
We have acted on many fronts to adhere to this new regulation.
- We have raised awareness across the organization through frequent discussions in our internal channels, and trained employees to handle data appropriately. They now understand the importance of information security and the high standards set by GDPR.
- We have assessed all our products, individually, against the requirements of the GDPR and have implemented new features that will give you more control over your data and ease your burden of achieving GDPR compliance.
- We have appointed a designated Data Protection Officer to oversee data protection and privacy breaches.
- Our application teams have embraced the concept of privacy by design and have provided you more control over the data you store in our systems. We constantly endeavour to provide you with more enhancements, which shall be rolled out in phases.
- We conducted internal audits of our products, processes, operations, and management. The findings were communicated to our teams, who have worked out the solutions to the identified problems.
- Based on the PIAs and internal audits, we have improved our data security methods and processes. This includes encrypting data at rest, based on the level of sensitivity and likelihood of risks.
- We have cleaned up our databases to ensure that we hold only the latest and most accurate information. This clean-up process includes removing terminated and dormant accounts as per our Terms and Conditions.
- Customers will be notified of a breach without undue delay and within the time frame required under Applicable Data Protection Law(s), via the Customer’s designated dashboard.
- Customers will be notified of a breach within 72 hours after the Company becomes aware of it. For general incidents, we will notify users through our website or the customer dashboard. For incidents specific to an individual user or an organization, we will notify the concerned party through email (using their primary email address).
- GDPR Rights
Access to personal data about the data subject
Under the GDPR, data subjects have the right to access their personal data. You can post a request and we will provide the data we store.
If you feel your personal data is incorrect, you can post a request with information regarding the data to be corrected. We will process the needed changes or will notify the relevant data controllers (in case you are not our customer yet).
You can request restriction of the processing of your personal data by emailing us at email@example.com.
Delete personal data or object to processing
We will honour requests to delete personal data or to object to its processing; both are handled by deleting your personal data from our service within 30 days.
EU-US Privacy Shield
If you have any questions related to the transfer of data between Switzerland and the US, or between the EU and the US under the EU-US Privacy Shield regulation, please send them to us by email and we will get back to you in a timely manner.
- Contact Us
Please feel free to ask questions and share concerns with us at firstname.lastname@example.org.
Address: Plot No. 99 Ap kalambi Tal khatav, Satara, Maharashtra-415512.