Quick Read about Privacy and Security
GDPR will reshape the way organizations need to approach personal data
We're preparing a new release that will change our default security settings and introduce new functionality to help you comply with the new privacy laws that take effect in May 2018.
As part of our ISO 27001 certification, we manage the security of our products, data and processes in our ISMS (Information Security Management System), which is evaluated throughout the year by penetration tests and audits. Once a year, the ISMS is audited by BSI for compliance. Last month, our certification was successfully audited, which validates the way our processes work when it comes to infrastructure, software development and data management.
Although this is good news, our analysis of current and upcoming laws and regulations has identified several changes we will introduce in order to increase the security of your data and to help you be compliant with these new government rules. In particular, we are talking about the new General Data Protection Regulation (GDPR), which will reshape the way organizations need to approach personal data.
Data Processor Agreement
This will become a mandatory step. If you already have one signed by us, no action is required. If you don't, we will provide you with one which, under the new GDPR, gives you sufficient guarantees that we have the appropriate technical and organisational measures in place to protect users' data rights.
Terms & Conditions
We will also update our Terms & Conditions, which will require mandatory acknowledgement and agreement before you can use our platform. This means you will need to review and agree to those terms before you can access any functionality in our platform, be it our dashboard or API.
Mandatory 2FA & Password Policy
Next year we will also enforce the use of Two-Factor Authentication and enable a Password Policy for all our accounts. We currently support the Google Authenticator app for 2FA, so you will need to download and install this app in order to access our dashboard. Each account will also have to comply with our Password Policy, which will require you to create a password that matches the following set of rules:
- the use of both upper-case and lower-case letters (case sensitivity)
- inclusion of one or more numerical digits
- inclusion of special characters, such as @, #, $
- prohibition of words found in the user's personal information
For increased security, accounts will also need to rotate passwords every 45 days, without reusing either of the last 2 passwords. We will announce later this year when this will be enforced, so you will have some time to adjust and instruct your organization's staff.
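As an added illustration (not Notificare's own code), the rules above expressed as a checker: character classes, words taken from the user's personal information, reuse of the last 2 passwords, and the 45-day rotation. The set of accepted special characters beyond the listed `@`, `#`, `$` is an assumption, and the sample profile data in the usage call is constructed.

```python
import re
from datetime import date, timedelta

ROTATION_DAYS = 45   # rotate every 45 days, as announced
HISTORY_DEPTH = 2    # the last 2 passwords may not be reused
# Assumed set of accepted special characters; the policy only lists @, #, $ as examples.
SPECIALS = set("@#$%^&*!?-_+=.,;:")


def personal_words(personal_info):
    """Alphabetic tokens of 3+ chars from profile fields (name, email, company...)."""
    return {w.lower() for w in re.findall(r"[A-Za-z]{3,}", " ".join(personal_info))}


def violations(password, personal_info=(), history=()):
    """Return the list of policy rules the candidate password breaks (empty = OK).

    history: previously used passwords, most recent first. A real implementation
    stores and compares password hashes, never the plaintext used here for brevity.
    """
    problems = []
    if not (any(c.islower() for c in password) and any(c.isupper() for c in password)):
        problems.append("needs both upper-case and lower-case letters")
    if not any(c.isdigit() for c in password):
        problems.append("needs at least one digit")
    if not any(c in SPECIALS for c in password):
        problems.append("needs a special character such as @, # or $")
    lowered = password.lower()
    for word in sorted(personal_words(personal_info)):
        if word in lowered:
            problems.append(f"contains personal information: {word!r}")
    if password in list(history)[:HISTORY_DEPTH]:
        problems.append(f"repeats one of the last {HISTORY_DEPTH} passwords")
    return problems


def rotation_due(last_changed, today=None):
    """True once ROTATION_DAYS or more have passed since the last change."""
    today = today or date.today()
    return today - last_changed >= timedelta(days=ROTATION_DAYS)


if __name__ == "__main__":
    # Constructed sample profile, not real user data.
    profile = ["John Doe", "john.doe@example.com"]
    print(violations("JohnDoe#2018", profile))          # flags 'doe' and 'john'
    print(violations("Correct-Horse7", profile))        # [] -> accepted
    print(rotation_due(date(2018, 1, 1), date(2018, 2, 15)))  # True (45 days)
```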
Data Retention Rates
As part of the new GDPR, you will also be required to create, implement and enforce policies within your organization that clearly demonstrate that personal data is not retained longer than necessary for the purpose for which it is processed. When it comes to Notificare (all your data processors will require one), we will offer you a clear and easy way to set a data lifetime for all the bits of information stored by and for your applications. This will enable you to delete all the user data stored with us after a period of time which you consider reasonable for your organization. In a nutshell, we will allow you to configure different retention periods for the different types of data we store for you, letting you decide which data should be kept or deleted.
Data Portability & Removal Requests
Under the GDPR, a user's right of access to their data will become more onerous for organizations to comply with. For example, upon a request for access, organizations have a shortened response time and an expanded number of categories of information which must be supplied. To help you tackle this, we will allow you to do a one-click export of all the user data for any user profile stored with us. This export will include all the data associated with a user, from device information and media files to historical location data, so you will be able to export a specific user's data in no time. We will also make it easier for you to comply with the right to be forgotten by allowing you to easily delete all the data of a given user.
Finally, the GDPR will also require you to respond quickly and inform the supervisory authority within 72 hours of a data breach that involves personal data. Although we already have proactive monitoring and auditing of our systems in place in order to communicate any data breach, we will also make sure this process is streamlined and documented in order to comply with the new rules of Article 33 of the GDPR.
We understand some of this information might raise questions, so, as always, feel free to send them to us by email.