The General Data Protection Regulation (GDPR) is the European Union's data protection legislation, designed to protect the privacy rights of individuals in the EU. It harmonises the previously fragmented privacy legislation of the EU member states and replaces the EU Data Protection Directive (Directive 95/46/EC). ScheduleOnce is ready for the changes and here to help our customers comply with the new regulation.
Who does it affect?
The GDPR applies to organizations that process the personal data of individuals in the EU, even if the organization itself is not based in the EU. Data regulated by the GDPR may be stored outside the EU; however, such transfers must meet additional requirements to remain compliant. For example, there must be assurances that the destination country provides an adequate level of protection for the data. ScheduleOnce participates in the EU-U.S. Privacy Shield program, demonstrating that suitable controls are in place to meet this GDPR requirement.
The GDPR includes key principles for data protection:
Purpose limitation ensures that data is processed only for the specific purposes for which it was originally collected. For example, at ScheduleOnce, we only use the data we store to provide you with our services. We will never use your data for any other purpose.
Data minimization and retention ensure that data is only collected and retained to the extent necessary. For example, ScheduleOnce allows you to configure which data you wish to collect, and data is deleted from our databases when you stop using our service.
Data security is a key principle requiring appropriate technical, administrative and physical safeguards to protect your data from unauthorized access. ScheduleOnce has a comprehensive security program built on multiple layers of controls designed to protect your data. For example, we continuously monitor our servers for suspicious activity and use threat detection technologies to secure data.
Individual rights are enforced by the GDPR. A data subject has the right to access, retrieve and correct their personal data. Individuals also have the "right to be forgotten", that is, to have their data deleted. ScheduleOnce provides the mechanisms necessary for data subjects and data controllers to exercise these rights.
What is ScheduleOnce doing?
The GDPR is a comprehensive regulation, and ScheduleOnce is committed to meeting its requirements. ScheduleOnce is working closely with VeraSafe, a privacy consultancy, to ensure that we are compliant.
As part of our commitment, we have made the ScheduleOnce data processing addendum (DPA) available to our customers. The DPA contractually binds ScheduleOnce, as a data processor, to GDPR requirements such as breach notification (Article 33) and security of processing (Article 32).
Depending on their processing activities, organizations regulated by the GDPR may be required to appoint a data protection officer (DPO) (Article 37), and organizations established outside the EU that fall under the GDPR must generally designate a representative in the EU (Article 27). ScheduleOnce has nominated VeraSafe to represent ScheduleOnce in the EU, and we have designated an internal data privacy and security officer to oversee our compliance operations.
We have reviewed our breach notification processes and established controls to ensure that data controllers are notified should a personal data breach occur. Notification will be made within 72 hours of ScheduleOnce becoming aware of the breach, in line with the GDPR's 72-hour notification window and its definition of a personal data breach.
The ScheduleOnce DPA includes a reference to the sub-processors used to provide our services. All sub-processors have been reviewed for GDPR compliance, and ScheduleOnce will give data controllers the opportunity to object should a new sub-processor be introduced.
These are just some examples of the efforts we have invested in preparing for the GDPR. We are committed to compliance and to helping our users meet their own compliance needs.
To learn more about ScheduleOnce's compliance with the GDPR, read our ebook: A practical guide to using ScheduleOnce in a GDPR compliant manner