A previous blog post, titled, GDPR Poised to Send 20,000 Small Businesses to Extinction, discussed many of the regulations and safeguards on how personal data is stored, processed and controlled by companies who do business in the European Union. In this post, we cover the steps CiraSync takes to comply with GDPR regulations, and how we keep your data secure.
There are certain specific requirements for companies, such as Cira Apps Ltd, which is classified as a Data Processor—an entity that stores or transforms data on your behalf. It processes data according to the synchronization rules that a customer specifies. For example, contact lists and shared calendars are exclusively used by the subscriber—CiraSync treats this data to be encrypted and used only for the benefit of the subscriber.
There are four major areas of the GDPR that particularly interest consumers: The right to be forgotten, data portability, data storage compliance, and informed consent. As a note, these rights extend to all users, not just those located within the EU.
Here is how CiraSync handles each of these aspects of the GDPR.
Right to be Forgotten
The right to be forgotten is a cornerstone concept that largely kicked off the push for the GDPR to go through. Simply stated, the right to be forgotten gives any individual user the right to request that all information about him or her to be deleted immediately by any company which stores personal information. This means browsing data, personal information, logon information, financial info…etc must be deleted at the users request. CiraSync complies with this by purging all information related to a user from our servers at their request, without hassle.
Some examples of data that could be requested to be deleted by a company:
- Your entire social media profile and all data about you, including meta information is purged.
- A search engine will remove you from their indexes so that your information no longer is seen in search results.
- Deletion of your information from a company database, such as those used for email marketing or phone solicitations.
There’s a number of different forms in which data can and has been gathered; GDPR gives Data Subjects a significant amount of power over where their data goes, and who can use it.
Finally, the right to be forgotten extends to any information a company may have shared with other companies (As a note, CiraSync will NEVER share your information with other companies) and holds the original company responsible for the deletion of all data, wherever it may have been shared. The goal is to make the process as painless as possible for users who wish to expunge their personal information from a database.
Data Portability requires that companies turn over all personal information they have on an individual at that individuals request. Data must be turned over in a timely, easy-to-read manner for free.
Simply, per a users request, CiraSync will share any and all information on file related to that person. That can be anything from meta-information, advertising data, personal identifying information, etc…
CiraSync data storage for GDPR compliance
One of the larger provisions of the GDPR was their data storage compliance. To put it simply, the GDPR required personal information related to European users be stored on data servers physically located within the borders of the EU.
Here’s what we’re doing at CiraSync to ensure GDPR compliance and protect personal information for customers:
- The company has set up worker servers in an EU data center. All EU data is processed and resides in the EU. This ensures compliance with GDPR Data Residency requirements.
- CiraSync has to read a contact list and then write many dozens or hundreds of times back to user mailboxes. We couldn’t do this without an intermediate database to cache this data. For EU subscribers, all cached user data is now stored on EU servers.
- All Personal Identifying information is encrypted as of Q2 2018.
- The website has been improved to meet GDPR compliance.
CiraSync GDPR Informed Consent compliance
With the GDPR, changes have been made to how companies are allowed to collect user information. Starting in May, when collecting user information, a threshold of Informed Consent must be met.
- In the Past – Companies could actively buy mailing lists, between data mining, general collections, etc a marketing firm could effectively collect users email addresses without their consent.
- In the Present – Companies could no longer (typically) buy email lists, instead, users had to opt in to a mailing list; often by signing up.
- In the Future – Informed consent, IE double opt in. Users have to first opt in to an email, and from there they must then be informed extensively, of how their data will be used, how it will be processed, who will handle it etc etc etc. It creates a rather large barrier to collecting user information. In fact, many marketing firms believe that the average companies mailing lists will drop by over 50%.
Here’s an example of these changes gone live; the first image is our Contact Request Form previously to GDPR.
And, here’s what we’ve changed to be compliant with the GDPR.
Furthermore, even recently opted-in users have to be updated regarding the changes in data policy as per GDPR existing opt-ins no longer pass the bar of what is considered informed consent.
CiraSync takes data security, personal information, and consumer rights seriously. Should you have questions, or wish to exercise your rights extended under the GDPR, file a support ticket here.
More Useful Reads
• Mandatory password update hurts users
• Stirred, not shaken; new tools to defeat robocallers
• GDPR poised to send thousands of businesses to extinction
• SaaS security; how CiraSync keeps user data safe