In May 2018, GDPR legislation will become law and will affect all organizations that have business relationships with EU data subjects. We at Reply.io are committed to making our product and organization compliant with this new set of rules and, in the process, will also help our customers prepare.
We are already making changes to processes, policies, and infrastructure to make that happen. This article covers some of the most common topics and questions regarding GDPR and the EU-US Privacy Shield, to help customers and partners understand where we are currently and what to expect.

Discover personal data

Search for and identify personal data
For Reply.io, personal data of our customers stored in our application is located in Azure Cloud and in internal systems needed for operations, which are also cloud applications. We've made internal policy changes to ensure that no personal data is stored locally by employees outside of this scope. Data that belongs to our customers as controllers in their accounts is stored only in Azure Cloud. We recommend that customers assess their own infrastructure, as handling personal data in their accounts is their responsibility.

Categorization
We do not make a conscious effort to collect personal data of the specific groups that are explicitly mentioned in the GDPR, such as information about persons under 18 years of age.

Maintain an inventory of personal data holdings
Currently, we have a clear separation of personal data about our employees and customers used in a number of systems (CRM, Intercom, Reply application, Slack). Personal data of data subjects in customer accounts is stored and processed only in the Reply application. Outside of the Reply application, we use and process such data only in aggregated form for analysis purposes.

Manage data

Enable data governance practices and processes
We are in the process of developing a set of processes that will affect many departments, respect data subject rights under the GDPR, and define how we handle those rights.

Provide detailed notice of processing activities to data subjects
We developed a ‘Trust’ page on the website with an updated privacy policy that covers how we use the data of our customers as a controller. There is also an explanation of how personal data in their Reply accounts will be processed (where we act as a processor).

Discontinue processing on request
On the ‘Trust’ page there will be a request form, and we are implementing a process to stop processing a data subject's personal data on request and to notify the data controllers (our customers).

Collect unambiguous, granular consent from data subjects
We will use personal data of our customers and employees under the ‘legitimate interests’ clause, as it is needed to fulfill our contractual obligations or to provide customer support in using the Reply platform. For data subjects in our customers' accounts, it is the customers' responsibility as data controllers to obtain consent or rely on another GDPR-compliant legal basis to collect and store personal data. We, as a processor, are here to help respect the rights of data subjects and to provide information on how we process such data.

Facilitate communication mechanism between data subject and organization to handle data subject requests
We are working to launch the ‘Trust’ page on our website, Reply.io, by mid-April, where request forms will be located for posting requests regarding GDPR or the EU-US Privacy Shield. Our DPO or Customer Support team will communicate about these topics via email or support chat.

Rectify inaccurate or incomplete personal data regarding data subjects
On the ‘Trust’ page, there will be the ability to post such a request (and also request to provide data that we store on data subjects) and we will respect it.

Erase personal data regarding a data subject
On the ‘Trust’ page, there will be the ability to post such a request (and also request to provide data that we store on data subjects) and we will respect it. In April, we will implement an internal process for how we will fulfill such requests.

Provide data subject with their personal data in a common, structured format
On the ‘Trust’ page, there will be the ability to post such a request (and also request to provide data that we store on data subjects) and we will respect it.

Restrict the processing of personal data
On the ‘Trust’ page, there will be the ability to post such a request (and also request to provide data that we store on data subjects) and we will respect it.

Review data processing conducted by automated means
On the ‘Trust’ page, and in the privacy policy, we will highlight the cases in which we use automated means of processing personal data or profiling.

Appoint a Data Protection Officer (DPO)
By May 1, 2018, we will appoint a DPO; the DPO's contact details (together with those of our representative in the EU and of the third-party company that will provide the independent recourse mechanism for the EU-US Privacy Shield) will be available on the ‘Trust’ page.

Protect data

Data protection and privacy by design and default
As part of the GDPR compliance implementation, we've reviewed our internal policies and how we approach building new value for customers with privacy in mind.

Secure personal data through encryption
By May 1st, we plan to use encryption for data stored in the Reply application in the Microsoft Azure cloud (subject to technical or performance limitations).

Secure personal data by leveraging security controls that ensure the confidentiality, integrity, and availability of personal data
A three-way approach is currently under way. First, we've updated our internal employee policies to grant access only to the roles that need it and to limit the possibility of a breach. Secondly, processes to respect GDPR rules are being implemented. Finally, technical improvements in infrastructure, such as Azure Key Vault and DB encryption, are planned by May 25th.

Prepare for, detect, and respond to data breaches
The processes and policies we are developing right now will cover how we communicate about possible breaches, while technical improvements should limit such risks.

Facilitate regular testing of security measures
During 2017, we undertook a 3-month period of intensive application security testing and fixed 15+ vulnerabilities. After May 2018, another such period will be planned to assess the current state of security.

Report

Keep records to demonstrate GDPR compliance
We store data in processed or raw formats and keep a list of processing activities that can be combined for each record, if needed.

Track and record flows of personal data into and out of the EU
To cover such flows, we've applied for and are currently in the process of self-certification under the EU-US Privacy Shield program for the transfer of data between the EU and the US. Our employees (or contractors) will also sign contracts with contractual clauses that cover the transfer of data to countries other than those covered by the EU-US Privacy Shield. Data that moves through integrations in our customers' accounts belongs to them as data controllers, as do the connected accounts themselves. To make sure such applications keep compliant records of personal data flows, customers should consult representatives of those organizations.

Track and record flows of personal data to third-party service providers
Personal data of our customers or employees that has moved to third-party providers (such as the internal systems needed to automate company operations) is stored there and can be accessed or deleted at any time. We also keep logs of data flows from the point where we collected this data to third-party systems (where such a transfer occurred).

Facilitate data protection impact assessment
As of right now, we have implemented the first wave of processes and technical changes needed to be compliant. After that, we will consider conducting a data protection impact assessment.
