BlueCamroo and the European Union’s GDPR
On April 14th, 2016, the European Union announced that new regulations had been agreed upon that will help protect people’s personal information online. The General Data Protection Regulation takes effect on May 25th, 2018 and replaces the previous regulations, which were put in place in 1995.
What is the GDPR?
The GDPR is a single set of laws that applies to all members of the European Union. In its most basic terms, the GDPR gives EU residents a well-defined expectation of how their data is to be stored and protected. It is not the responsibility of one person or one provider alone, but a shared responsibility to protect people’s Personal Data.
The regulation also defines how it applies to organizations outside of the EU that store and use the data of EU residents. Any organization that uses the Personal Data of an EU resident is subject to the GDPR and its penalties. Those penalties can be €20 Million or even more.
BlueCamroo has been aware of these regulations and has been working to make sure that we not only meet them, but that the protection of Personal Data is a priority.
BlueCamroo has always prioritized the protection of users’ data. BlueCamroo does not View, Use, Share, Promote or Sell its client data without explicit consent. From Day 1 we have prioritized the protection of the privacy not only of our clients’ data, but also of the data they store within BlueCamroo.
Over the years we have upgraded our data security, culminating in April of 2018 when we moved to the Microsoft Azure Cloud. We have no need to process our users’ personal data beyond what is needed to run the system.
How is BlueCamroo prepared for GDPR?
Each one of our workspaces is set up so that businesses can collect information from their clients, leads, prospects, contacts, affiliates, partners, suppliers and more. With that in mind, we’ve always worked on creating a safe environment for that data to be stored.
On April 18th, 2018 BlueCamroo moved to Microsoft Azure cloud hosting, a leading platform for cloud hosting. Azure has committed to being GDPR compliant when enforcement begins on May 25, 2018. The move to Azure offers our clients:
- Enhanced Security - Microsoft has extensive expertise in protecting data, championing privacy, and complying with complex regulations, and currently complies with both EU-U.S. Privacy Shield and EU Model Clauses.
- Each browser session is encrypted.
- Improved Disaster Recovery capabilities - Azure allows BlueCamroo to be prepared with a business continuity plan that includes disaster recovery for major unforeseen circumstances.
- Increased performance and User Experience Globally - Azure gives visibility into the health and performance of its infrastructure. This allows us to easily collect data from any source and get insights that will allow us to enhance the performance of BlueCamroo. It will also allow us to address issues faster, making sure BlueCamroo users get better performance.
What does this mean for our users?
We understand that everyone is doing their best to prepare for the GDPR. Using multiple systems to store and process data complicates GDPR compliance. Businesses are expected to audit their protocols and make plans in case of a data breach, and if you’re running a standalone CRM plus a separate project management system, a support ticketing system, an email marketing system, and possibly more, then you have to prepare each one individually.
BlueCamroo users have the advantage of a single place where they can run multiple functions from one data point. There’s no need to worry about 7 different systems when you have everything consolidated securely in one.
BlueCamroo will encrypt each browser session for users, and also offers a highly granular permission system to protect access to personal data. This allows the admin to determine how much access to data each user or group will get. BlueCamroo users’ responsibility is to protect their access to their BlueCamroo workspaces. BlueCamroo is not liable for any data breach if a third party gains access to personal data via a lost password, a virus or malware on an affected access point device, or any other user-prompted error made outside of our control.
What should you do to be GDPR-ready?
- Awareness - You should make sure that decision makers and key people in your organization are aware that the law is changing to the GDPR. They need to appreciate the impact this is likely to have.
- Information You Hold - You should document what personal data you hold, where it came from and who you share it with. You may need to organize an information audit.
- Communicating Privacy Information - You should review your current privacy notices and put a plan in place for making any necessary changes in time for GDPR implementation.
- Individuals’ Rights - You should check your procedures to ensure they cover all the rights individuals have, including how you would delete personal data or provide data electronically and in a commonly used format.
- Subject Access Requests - You should update your procedures and plan how you will handle requests within the new timescales and provide any additional information.
- Lawful Basis for Processing Personal Data - You should identify the lawful basis for your processing activity in the GDPR, document it and update your privacy notice to explain it.
- Consent - You should review how you seek, record and manage consent and whether you need to make any changes. Refresh existing consents now if they don’t meet the GDPR standard.
- Children - You should start thinking now about whether you need to put systems in place to verify individuals’ ages and to obtain parental or guardian consent for any data processing activity.
- Data Breaches - You should make sure you have the right procedures in place to detect, report and investigate a personal data breach.
- Data Protection by Design and Data Protection Impact Assessments - You should familiarize yourself now with the ICO’s code of practice on Privacy Impact Assessments as well as the latest guidance from the Article 29 Working Party, and work out how and when to implement them in your organization.
- Data Protection Officers - You should designate someone to take responsibility for data protection compliance and assess where this role will sit within your organization’s structure and governance arrangements. You should consider whether you are required to formally designate a Data Protection Officer.
- International - If your organization operates in more than one EU member state (i.e. you carry out cross-border processing), you should determine your lead data protection supervisory authority. Article 29 Working Party guidelines will help you do this.
If you want to follow a more detailed version of this GDPR action plan you can view it here.
Important Terms as defined by the GDPR
- Data Subject - a natural person whose personal data is processed by a controller or processor
- Personal Data - any information related to a natural person or ‘Data Subject’, that can be used to directly or indirectly identify the person
- Data Controller - the entity that determines the purposes, conditions and means of the processing of personal data
- Data Processor - the entity that processes data on behalf of the Data Controller
- Processing - any operation performed on personal data, whether or not by automated means, including collection, use, recording, etc.
- Consent - freely given, specific, informed and explicit consent, by statement or action, signifying agreement to the processing of the Data Subject’s personal data
- Data Protection Officer - an expert on data privacy who works independently to ensure that an entity is adhering to the policies and procedures set forth in the GDPR
If you want to familiarize yourself with more GDPR terms you can visit their official glossary.