DirectorySpot and GDPR:
May 25th, 2018 marked the start of enforcement of the European Union’s General Data Protection Regulation. This new piece of legislation has had a great impact on anyone whose business involves handling personal data about EU residents or within the EU. Naturally, personal data is at the core of a directory, so the DirectorySpot team has also been busy to make sure that we are compliant. We invested in this compliance to ensure our EU customers (as well as any of our customers that have EU contacts in their directory), that their data is protected.
This article provides an overview of the data-related roles and responsibilities when you’ve chosen DirectorySpot as your directory solution and will explain our efforts to live up to the values and requirements of the GDPR.
DirectorySpot as the Data Processor
The people you store in DirectorySpot as Contacts, Guardians or Teachers are your data subjects, and you are considered the data controller for this personal data. In our Terms of Service and Privacy Policy, we refer to this data as Directory Data.
Using the DirectorySpot app to manage your contacts means that you have engaged DirectorySpot as a data processor to carry out certain processing activities on your behalf.
According to Article 28 of the GDPR, the relationship between the controller and the processor needs to be made in writing (electronic form is acceptable under subsection (9) of the same Article). This is where our Terms of Service and Privacy Policy, come in. These two documents also serve as your data processing contract, setting out the instructions that you are giving to DirectorySpot with regard to processing the personal data you control and establishing the rights and responsibilities of both parties. DirectorySpot will only process your Directory Data based on your instructions as the data controller.
In the cases where DirectorySpot is processing personal data relating to data subjects located in the European Economic Area or the United Kingdom solely on your behalf, the terms of the Data Processing Addendum shall apply. The following terms have the meanings given in the General Data Protection Regulation (EU) 2016/679: “personal data”, “controller”, “data subject” and “process”.
What is DirectorySpot doing for the GDPR
As a company with customers in Europe and other countries outside of the US, DirectorySpot is up to speed with the implications that the EU General Data Protection Regulation has for businesses.
We appreciate the privacy needs of DirectorySpot customers as well as their users and, as such, have implemented — and will continue to improve — technical and organizational measures in line with the GDPR to safeguard the personal data processed by DirectorySpot.
We have established a process for onboarding third-party service providers and adopting tools that makes sure that these third-parties meet the high expectations that DirectorySpot and its customers have when it comes to privacy and security.
Readiness to comply with subject access requests
Data subjects’ ownership of their personal data is at the heart of the GDPR. We have created a readiness to respond to data subject requests to delete, modify, or transfer their data. This means that our Customer Support is well-prepared to help you in any matters involving your personal data, in addition to providing the awesome customer support experience that you are accustomed to.
Documentation
Our Terms of Service and Privacy Policy are constantly being revised to increase transparency and to make sure the documents meet GDPR requirements. As these are the basis for our relationship for you, it is very important for us to comprehensively and openly explain our commitments and your rights in these documents.
In addition, to comply with GDPR, we have documented our response procedures for Data Subject Requests under the GDPR. We have also documented our Written Information Security Policy. Please contact our security team at security@directoryspot.net to obtain either of these documents.
All of the above is supported by training efforts so that the GDPR compliant processes are followed.
DirectorySpot is firmly committed to meeting GDPR requirements and to ensuring our global customers that we take security of their data very seriously. For us, these processes and procedures demonstrate our respect to individuals’ privacy and responsibility in handling personal data.