Last modified: October 11, 2018
Data Protection and Privacy at Evidence
What is the General Data Protection Regulation (GDPR)?
The GDPR is the European Union’s comprehensive privacy and data protection law, which takes effect on May 25, 2018. Its primary aim is to regulate how the personal data of individuals in the EU is processed, including by businesses that have no physical or legal presence in the EU. Organizations can face substantial fines for non-compliance: up to €20 million or 4 percent of annual worldwide turnover, whichever is higher.
Is there a GDPR certification? Is Evidence GDPR certified?
There is not yet any kind of recognized GDPR certification scheme. Evidence is taking the necessary steps to ensure that it is in compliance with the GDPR in advance of the implementation date of the new law.
Evidence will offer customers and partners a new Data Processing Addendum (“DPA”). Signing the DPA amends our standard terms of service to reflect the obligations the GDPR places on a data processor. The DPA is the contractual instrument you can rely on for Evidence’s commitment to comply with the GDPR when it comes into effect on May 25, 2018.
How can Evidence guarantee I will be able to use Evidence after the GDPR comes into effect?
Evidence will offer a new Data Processing Addendum that addresses the GDPR-specific concepts.
The new DPA will govern the terms by which Evidence, as a data processor, processes personal data on behalf of its customers (who are typically data controllers) in accordance with Article 28 of the GDPR. Under Article 28, a data processor must act only on the documented instructions of the data controller unless otherwise required by law. This does not, however, relieve Evidence of any of its own obligations or liabilities under the GDPR: Evidence remains required to ensure that it is itself in compliance.
Who is Evidence’s Data Protection Officer (DPO)?
Evidence’s DPO is: Brian Ostrander
Email address: email@example.com
In accordance with Article 38 of the GDPR, data subjects may contact the DPO on issues related to the processing of their personal data and the exercise of their rights under the GDPR – for example, to object to the processing of their data where the data controller (i.e., Evidence’s customer) has not provided an adequate response.
Who is Evidence’s representative in the European Union pursuant to Article 27 of the GDPR?
Evidence’s Article 27 Representatives are:

Matthew Joseph, CIPP/US
Prague 150 00

VeraSafe Ireland LTD
Unit 3D North Point House
North Point Business Park
New Mallow Road
In accordance with Article 27 of the GDPR, supervisory authorities and persons whose personal data are being processed by Evidence may contact VeraSafe (Evidence’s Article 27 Representative) on all issues related to processing, for the purposes of ensuring compliance with the GDPR.
What is Evidence doing to ensure that it is compliant with the GDPR?
Evidence is currently re-papering its vendor contracts and working with its vendors to ensure that they are compliant. Separately, Evidence is adding a settings pane through which customers can provide Evidence with the information it must hold in its records of processing activities under Article 30(2) of the GDPR.
Evidence is continuing to review its security measures, as we always do, to stay at the forefront of evolving industry standards and best practices.
We have appointed a representative in the EU and an expert Data Protection Officer, and we are in the process of delivering a new Data Processing Addendum; together these satisfy the obligations of a data processor under the law, including those relating to sub-processors.
So Evidence will be compliant with the GDPR. Does that mean that I’m automatically compliant too? If not, where can I learn more about my own obligations?
Each organization that processes personal data, and that’s regulated by the GDPR, will face its own obligations to comply with the GDPR. While using a GDPR-compliant software product like Evidence can make it easier to comply, much of how you collect, use, and dispose of personal data is not determined by Evidence. Thus, each organization should get its own professional guidance on the topic to help ensure compliance. Here are some resources from the UK Information Commissioner’s Office: https://ico.org.uk/for-organisations/resources-and-support/data-protection-self-assessment/getting-ready-for-the-gdpr/.
Is Evidence building new software features to help me comply with the GDPR?
Yes, we’re planning to release new features to help users manage a number of key pain points in the law. This includes a set of features to make it easy to anonymize personal data (supporting the right to erasure, often called the “right to be forgotten”), and a customizable “block list” feature to help ensure that if someone asks you never to process their personal data again, that data can’t be re-imported into your application. These features will help our users to comply with many of their fundamental obligations under the GDPR.
Am I a data controller? Is Evidence a data processor?
Typically, an Evidence customer will be considered a data controller (i.e., an organization that determines the purposes and means of the processing of personal data), and Evidence, when it processes personal data on a customer’s behalf through the service, will be considered a data processor under the law. Controllers and processors each have their own respective obligations under the law. Therefore, Evidence’s GDPR compliance plan looks a bit different from that of many of our customers. This doesn’t mean Evidence can’t be used by data controllers – quite the opposite. When a data controller engages a service provider like Evidence, the service provider is typically a data processor acting on behalf of the controller, and the processor acts on the controller’s documented instructions. As stated above, Evidence’s DPA will govern the relationship, and the nature of the processing activities, as between Evidence and its customers, regardless of which entity plays which role.
Do I need to obtain consent again from all my contacts?
Not necessarily. There are other lawful bases for processing personal data under Article 6 of the GDPR, such as processing that is necessary for the performance of a contract, or for the legitimate interests of the data controller or a third party. However, if you process personal data solely on the basis of the individual’s consent, and the consent you originally obtained does not meet the GDPR’s standard (freely given, specific, informed, and unambiguous), you will likely need to re-acquire consent from these “old” contacts.
What solution does Evidence offer for cross-border data transfers?
Under the GDPR, personal data may only be transferred outside the European Economic Area (commonly referred to as the “EEA” and which consists of the EU, plus Norway, Iceland, and Liechtenstein) in certain circumstances, such as to a country whose data protection laws are deemed “adequate” by the European Commission, or by relying on an approved data transfer mechanism.
Evidence has submitted an application to the Privacy Shield Framework. The EU-U.S. and Swiss-U.S. Privacy Shield Frameworks were designed by the U.S. Department of Commerce, the European Commission, and the Swiss Administration, respectively, to provide companies on both sides of the Atlantic with a mechanism to comply with data protection requirements when transferring personal data from the European Union and Switzerland to the United States in support of transatlantic commerce. Note that a submitted application does not by itself authorize transfers: Privacy Shield can be relied on only once an organization appears on the Department of Commerce’s Privacy Shield List, and until then transfers must rest on another approved mechanism, such as the European Commission’s Standard Contractual Clauses. Under the GDPR, additional legitimate methods of exporting personal data outside the EEA may be introduced. In the event of any changes to or new rules associated with the GDPR, Evidence will review and respond appropriately.
What security controls has Evidence implemented to safeguard my data?
The Evidence Data Security Statement goes well beyond the customary confidentiality clauses found in the business terms of many SaaS providers. The Statement describes some of the specific data security controls that Evidence has implemented and, by publishing the information, legally obligates us to maintain the high standard of data security that’s described in the Statement.
The Data Security Statement can be found here: https://evidence.io/dss/