Whether you are a small or large business, you have probably heard about the EU’s new data protection regulation: the General Data Protection Regulation (GDPR). GDPR replaces the Data Protection Directive 95/46/EC and was designed to “harmonize data privacy laws across Europe, to protect and empower all EU citizens data privacy and to reshape the way organizations across the region approach data privacy.” The GDPR applies not only to EU-based businesses, but also to any business that controls or processes data of EU citizens.
At SkipsoLabs we have been working hard to make sure our platforms and internal practices are GDPR compliant. This page aims to share the key product-related changes that we have implemented to help your SkipsoLabs powered platform be GDPR compliant.
In this section you will find a list of all the changes we have built and are building as part of our GDPR compliance work.
In order for a user registering on a platform to grant consent under the GDPR, the following things need to happen:
We have created a new “Consent” widget to be added to the platform Registration page. This widget will allow platform administrators to:
For auditing reasons, from May 25th 2018 onwards, enabling the Consent widget will allow auditors to track who has opted in and out of consent, as a log is generated whenever a user opts in or out.
At any point in time a user (as data subject) has to see what he / she has signed up to and be able to withdraw his / her consent. Withdrawing consent has to be as easy as giving it.
We have completely revamped the user Account Settings section of our platforms. This is the section of the platform accessible by any user who has previously registered on a SkipsoLabs powered platform. By clicking on the “Consent” page, the user will be able to easily opt in or opt out of consent.
Each action performed by the user on this page will generate a log for auditing purposes and will allow the platform administrators to track which users have opted in or out of consent.
The SkipsoLabs powered platforms can generate a number of different automated email notifications to notify registered users of specific activities, for example:
To give users more granular control over all platform notifications, we have created a new “Notifications” module in the user Account Settings section that allows users to:
Under the new GDPR regulation, users have the right to request deletion of all the personal data you have about them. Specifically, GDPR requires a permanent deletion of all data associated with a user that is stored on the platform database. In most cases, you will have to act on a user deletion request within 30 days.
Firstly, we have built a configurable feature that allows platform administrators to select, at any point in time, one of two options:
As described previously, we have completely revamped the user Account Settings section of our platforms. In the new “Delete Account” page users can:
Option 1: Users are allowed to delete their own data
If this option is selected by platform administrators, users accessing this page will see all data associated with their user account and will have 2 options:
Option 2: Users send a request to delete their data
If this option is selected by platform administrators, users accessing this page will only be able to send a deletion request to the platform administrators. The request will trigger an email notification to the administrators, who will be able to delete all user data and associated content from the platform backend.
Just as users can request to delete their data, they can also request to access all the personal data and associated content that the platform stores about them. Requesting access means that the Data Controller needs to provide a copy of all the user data in a readable format (e.g. CSV or XLS).
In the newly updated “Account Settings” section of the platform accessible by registered users, we have created a new “Export” tab. From this page, users will be able to send an Export request to the platform administrators, who will be able to export all the user-related data from the platform backend.
Just as users can request to delete or access their data, they can also ask platform administrators to modify their data if it is inaccurate or incomplete.
If a user requests to change any of their information, any platform administrator can do so from within the user's contact record in the backend application.
GDPR requires that Data Controllers put in place a set of data protection safeguards to make sure that data is secure both at rest and in transit.
SkipsoLabs is committed to continually enhancing its security measures across the board. In addition to industry-standard encryption practices we have also introduced: