The EU GDPR (and now the UK GDPR) contains some of the most significant changes to European data privacy legislation in the last 20 years. It strengthens the right of individuals in the EU to control their personal data and requires organizations to bolster their privacy and data-protection measures. We're excited about the overall GDPR initiative and think it's a very positive step.
Our customers can trust that we have made the GDPR a priority. We devoted significant resources toward our GDPR-compliance efforts in the months before its enforcement (25 May 2018). In this post we'd like to share some of the concrete initiatives and steps we used and will continue to use to ensure our obligations under the GDPR are met.
The GDPR has many requirements about how personal data is collected, stored and used, making it necessary for us to identify and classify the personal data we hold about "data subjects".
We have clearly identified all the personal data we collect
We specifically note that Skedda does not touch or store raw credit-card details. These are managed through the venue's gateway and are never stored on Skedda's infrastructure.
Some personal data is made available to a small set of third-party data processors that we use to support and improve our service. To comply with Article 28(3) of the GDPR, we have completed appropriate Data-Processing Agreements with all of these third-party processors (including the EU Standard Contractual Clauses where required).
We have classified the sensitivity of the personal data we collect
Paragraph 51 of the GDPR states that "Personal data which are, by their nature, particularly sensitive in relation to fundamental rights and freedoms merit specific protection...". Such personal data include racial or ethnic origin, political opinions, religion or philosophical beliefs, trade union membership, genetic/medical records, certain kinds of photographs and videos, health and sex life, criminal convictions and offenses, performance at work, economic situation, personal preferences and interests, reliability or behavior and location or movements.
We do not knowingly collect such sensitive data, and our venue terms explicitly forbid venues from entering such data into Skedda.
The GDPR requires that we clearly communicate to data subjects the purpose of collecting their personal data. We must also discontinue processing on request, obtain consent where necessary, receive/process/respond to requests for rectification/erasure/transfer of personal data, and offer data portability in a structured, commonly-used and machine-readable format. Finally, we must restrict the processing of personal data on request.
We are transparent with data subjects about the intended processing of personal data
We will discontinue/restrict processing on request
We have a legal basis for collecting and processing personal data
With respect to paragraph 32 of the GDPR, we already have a legal basis for collecting and processing personal data because we require "a clear affirmative act establishing a freely given, specific, informed and unambiguous indication of the data subject's agreement to the processing of personal data relating to him or her". Specifically, this consent is in most cases given by the data subject themselves by ticking a relevant box when they first interact with Skedda (for System users this is either on the product sign-up page or on the login-setup page; for venue users it is either on the registration page, the login-setup page, or as part of the completion of their first booking).
In rarer cases, venue administrators are able to create individual users in their venue account by entering the details of the user manually. Before being able to do so, venue administrators must have agreed to our terms, which state that they must have received consent from the relevant natural person and can present unambiguous evidence of such consent on request from Skedda or from supervising authorities. In general, Skedda recommends that venue administrators send "invitations" to all users so that the consent process is managed directly between Skedda and the user.
We provide mechanisms for the rectification, completion, erasure, or transfer of personal data
The GDPR requires controllers who collect or process personal data to ensure that their activities and supporting technology are built to include data protection and data privacy principles, that they secure personal data, that they establish security controls that ensure the confidentiality, integrity, and availability of personal data, that they detect and respond to data breaches, and that they facilitate the regular testing of security measures.
We design with data protection and privacy by default
Our core service and hosting platform, Microsoft Azure, is audited at least annually against several global data privacy and network security standards, including ISO/IEC. Our product team and operations team consider privacy and data protection as "non-negotiables" when designing new features and performing refactorings.
We ensure security, confidentiality, integrity, and availability of personal data using state-of-the-art technological measures across our full stack
Our document on data protection and security provides detailed information on the technological measures we have in place to secure and protect data across the full stack of our services. The basic idea is to have "defense in depth", that is, multiple layers of redundant security measures (each of which is tested separately). These measures include but are by no means limited to Transparent Data Encryption (TDE) on our database and strict HTTPS communication between clients and servers at all layers.
We have advanced mechanisms in place to help us defend against personal data breaches and notify the relevant authorities should one occur
As described in our document on data protection and security, we have deployed detailed auditing on our production database. Additionally, advanced threat-detection has been deployed, which automatically detects anomalous access and potentially vulnerable queries (e.g. SQL injection). Our operations team is notified immediately in the unlikely event that such a breach should occur. In such a case, we are committed to notifying data subjects (venues and end-users) and to notifying and providing information to regulators within 72 hours.
We have processes in place to regularly test the security of our service stack
Our current automated suite of unit, integration, regression and acceptance tests covers the security measures we have in place across our full stack. Product deployments/updates are not made unless all automated tests pass.
In some cases, security measures are provided by our hosting provider (Microsoft Azure) and are tested by this provider.
Finally, we regularly engage independent security contractors to assess the security of our services, and prioritize security fixes above everything else in our development methodology.
The GDPR requires that an audit trail be maintained to demonstrate GDPR-compliance to supervising authorities. It also limits third-country data-transfers to situations where required safeguards are in place. It furthermore requires that we track and record transfers of personal data to third-party service providers.
We have set up record-keeping of data-subject requests
These records will contain both the nature of each request (for example, to view or rectify personal data) and its resolution. These records may be requested by supervising authorities to prove that we are complying with GDPR requirements.
We have completed Data-Processing Agreements with our third-party service providers
We have completed Data-Processing Agreements (DPAs) with our third-party service providers (sub-processors) to ensure that they likewise fulfill their obligations under the GDPR.
We transfer personal data outside the EU with adequate safeguards
The Data-Processing Agreements (DPAs) we have executed with our sub-processors include the Standard Contractual Clauses where required to ensure data transfer is performed with adequate safeguards.
We are offering Data-Processing Agreements to all our customers
We are happy to enter into a Data-Processing Agreement (based on the UK or EU GDPR) with any organization that has a Skedda venue account and that requires such an agreement for their own GDPR-compliance purposes. In general, we recommend that all venues with users/customers in the EU/UK sign this agreement with us. Please contact us at firstname.lastname@example.org if you wish to sign such an agreement with Skedda.