The EU GDPR (and now the UK GDPR) contains some of the most significant changes to European data privacy legislation in the last 20 years. It strengthens the right of individuals in the EU to control their personal data and requires organizations to bolster their privacy and data-protection measures. We're excited about the overall GDPR initiative and think it's a very positive step. 

Our customers can trust that we have made the GDPR a priority. We devoted significant resources toward our GDPR-compliance efforts in the months before its enforcement (25 May 2018). In this post we'd like to share some of the concrete initiatives and steps we used and will continue to use to ensure our obligations under the GDPR are met.

The GDPR has many requirements about how personal data is collected, stored and used, making it necessary for us to identify and classify the personal data we hold about "data subjects".

Skedda is a single product with a tightly-focused scope. The personal data we collect is clearly mentioned in our privacy policy. We collect only those data we consider necessary for a booking system that offers a high level of useful functionality, reliability, security and support. 

We specifically note that Skedda does not touch or store raw credit-card details. These are managed through the venue's gateway and are never stored on Skedda's infrastructure.

Some personal data is made available to a small set of third-party data processors that we use to support and improve our service. To comply with Article 28 (3) of the GDPR, we have hence completed appropriate Data-Processing Agreements with all of these third-party processors (including the EU Standard Contractual Clauses where required).
​

Paragraph 51 of the GDPR states that "Personal data which are, by their nature, particularly sensitive in relation to fundamental rights and freedoms merit specific protection...". Such personal data include racial or ethnic origin, political opinions, religion or philosophical beliefs, trade union membership, genetic/medical records, certain kinds of photographs and videos, health and sex life, criminal convictions and offenses, performance at work, economic situation, personal preferences and interests, reliability or behavior and location or movements.

We do not knowingly collect such sensitive data, and our venue terms explicitly forbid venues from entering such data into Skedda.
​

The GDPR requires that we clearly communicate to data subjects the purpose of collecting their personal data. We must also discontinue processing on request, obtain consent where necessary, receive/process/respond to requests for rectification/erasure/transfer of personal data, and offer data portability in a structured, commonly-used and machine-readable format. Finally, we must restrict the processing of personal data on request.

The intended processing of personal data is covered in detail in our privacy policy.

Our privacy policy has been updated to reflect that Skedda will respect a data subject's rights to have the processing of their personal data discontinued or restricted. In doing so, we will work with both the data subject and any associated "venues" to ensure that their legal requirements for auditing/tax/business are not negatively affected. We will also forward the request to any of our third-party processors as required.

Note that our privacy policy also includes information about the length of time we store data-backups and log data, and hence the practical length of time after which storage and processing is fully discontinued.

With respect to paragraph 32 of the GDPR, we already have a legal basis for collecting and processing personal data because we require "a clear affirmative act establishing a freely given, specific, informed and unambiguous indication of the data subject's agreement to the processing of personal data relating to him or her". Specifically, this consent is in most cases given by the data subject themselves by ticking a relevant box when they first interact with Skedda (for System users this is either on the product sign-up page or on the login-setup page; for venue users it is either on the registration page, the login-setup page, or as part of the completion of their first booking).

In rarer cases, venue administrators are able to create individual users in their venue account by entering the details of the user manually. Before being able to do so, venue administrators must have agreed to our terms, which state that they must have received consent from the relevant natural person and can present unambiguous evidence of such consent on request from Skedda or from supervising authorities. In general, Skedda recommends that venue administrators send "invitations" to all users so that the consent process is managed directly between Skedda and the user.

Our privacy policy now includes details for how data subjects can exercise these particular rights under the GDPR.

The GDPR requires controllers who collect or process personal data to ensure that their activities and supporting technology are built to include data protection and data privacy principles, that they secure personal data, that they establish security controls that ensure the confidentiality, integrity, and availability of personal data, that they detect and respond to data breaches, and that they facilitate the regular testing of security measures.

Our core service and hosting platform, Microsoft Azure, is audited at least annually against several global data privacy and network security standards, including ISO/IEC. Our product team and operations team consider privacy and data protection as "non-negotiables" when designing new features and performing refactorings.

Our document on data protection and security provides detailed information on the technological measures we have in place to secure and protect data across the full stack of our services. The basic idea is to have "defense in depth", that is, multiple layers of redundant security measures (each of which is tested separately). These measures include but are by no means limited to Transparent Data Encryption (TDE) on our database and strict HTTPS communication between clients and servers at all layers.

As described in our document on data protection and security, we have deployed detailed auditing on our production database. Additionally, advanced threat-detection has been deployed, which automatically detects anomalous access and potentially vulnerable queries (e.g. SQL injection). Our operations team is notified immediately in the unlikely event that such a breach should occur. In such a case, we are committed to notify data subjects (venues and end-users) and notify and provide information to regulators within 72 hours.

Our current automated suite of unit, integration, regression and acceptance tests covers the security measures we have in place across our full stack. Product deployments/updates are not made unless all automated tests pass. 

In some cases, security measures are provided by our hosting provider (Microsoft Azure) and are tested by this provider.

Finally, we regularly engage independent security contractors to assess the security of our services, and prioritize security fixes above everything else in our development methodology.

The GDPR requires that an audit trail be maintained to demonstrate GDPR-compliance to supervising authorities. It also limits third-country data-transfers to situations where required safeguards are in place. It furthermore requires that we track and record transfers of personal data to third-party service providers.

These records will contain both the nature of the request (for example, to view or rectify personal data) and their resolution. These records may be requested by supervising authorities to prove that we are complying with GDPR requirements.

We have completed Data-Processing Agreements (DPAs) with our third-party service providers (sub-processors) to ensure that they likewise fulfill their obligations under the GDPR.

The Data-Processing Agreements (DPAs) we have executed with our sub-processors include the Standard Contractual Clauses where required to ensure data transfer is performed with adequate safeguards.

We are happy to enter into a Data-Processing Agreement (based on the UK or EU GDPR) with any organization that has a Skedda venue account and that requires such an agreement for their own GDPR-compliance purposes. In general, we recommend that all venues with users/customers in the EU/UK sign this agreement with us. Please contact us at info@skedda.com if you wish to sign such an agreement with Skedda.