EZOfficeInventory is fully GDPR compliant.
This post will take you through what this means, and shed light on the functionality we’ve added to become compliant to the General Data Protection Regulation (GDPR).
What role do I play within the GDPR compliance framework?
In order to understand your place within this regulation, we need to flesh out three roles:
- Data Processor: The body that processes personal data on another body’s behalf.
- Data Controller: The body that determines the purpose and means of processing the personal data provided.
- Data Subjects: The individuals whose data is being processed.
There are two ways in which the GDPR terms might apply to you.
- You as the Data Subject:
You are a citizen of the European Union and your data is being stored in EZOfficeInventory. That makes you our Data Subject. Therefore, we must abide by the terms of our GDPR compliance to ensure we respect your data rights.
- You as the Data Controller: We are the Data Processor, processing the data of your end users on your terms. This makes you the Data Controller, and your end users (such as staff and vendors) the Data Subjects. Therefore, you must abide by the terms of GDPR to ensure you respect the data rights of your end users.
- You as the Data Subject:
In short, EZOfficeInventory is not only GDPR compliant itself, but also enables you as a Data Controller to become GDPR compliant. You can read on to see how this plays out with reference to the new functionality we’ve added to EZOfficeInventory.
How did EZOfficeInventory become GDPR compliant?
EZOfficeInventory appointed a Data Protection Officer in mid-2017. Our Data Protection team followed industry best practices to draft a roadmap to GDPR compliance. This included mapping data flows into and from our organization, and using this to identify risks in our data processing workflows. We then began carrying out the necessary data protection impact assessments, all of which ultimately culminated in the following:
We take your data security extremely seriously. To this end, we have combined new and existing security features to lower the chances of data breaches – either at our end or at the hands of Data Subjects.
- We are ISO 27001 certified. This is an international standard describing best practices for all information security management systems.
- All the data we process is encrypted using the AES-256 encryption specification.
GDPR Compliance: You as a Data Subject
We’re providing you as a Data Subject with a list of tools that can help you with your data rights. These tools will provide you with:
- The ability to view or edit your profile information that has been added to EZOfficeInventory.
- The ability to receive information on any data collected on you, including the purpose of gathering the data, and the duration for which it will be stored by us.
- The right to call for the access, alteration, or deletion of said data.
- The right to opt into certain features, such as email marketing, newsletters, Super User access, etc.
- The ability to send complaints and queries specifically related to the GDPR directly to the EZOfficeInventory Data Protection team.
Data is backed up every 8 hours. Customer’s data remains in the backups for 6 months after termination of their account. If a customer wants their data to be removed from the backups they must send in a request to email@example.com
GDPR Compliance: You as a Data Controller
We’re also providing you as a Data Controller with a list of tools and features that can enable you to achieve GDPR compliance with ease. These provide you with:
- The ability to log the details of your Data Protection Officer and EU Representative.
We already have rich features in place to support the management of our customers’ data. To expand on this functionality for GDPR compliance, however, we’ve added the following new features:
Declaration of Consent:
You will be able to inform relevant Data Subjects – such as users and vendors – that their information is going to be kept in the system. For this purpose, we’ve extended your ability to send confirmation emails to all such parties, such as:
- Users registered through LDAP/SAML
- Non-login users (that is, users who don’t have the ability to log into the system)
- Vendors created
These emails also prompt users to choose whether they would like to receive notifications from EZOfficeInventory.
Data Subjects will be provided the right to data portability. This means they can request access to all their data. For this purpose, we’ve extended your ability to export data by adding the following categories to EZOfficeInventory reports:
Data Subjects can request that all their data is deleted from the system. The GDPR refers to this as ‘the right to be forgotten’. We have a new deletion feature out to accommodate this.
In order to preserve the integrity of our users’ data, however, in some cases, we simply redact personally identifiable information so that your records remain consistent. This happens in cases when individuals are associated with purchase orders, work orders, services, items, or any other items that might affect our customers’ data history.
Have any questions?
We’re committed to protecting your digital rights. If you have any questions around this issue, feel free to write to us at firstname.lastname@example.org