DATAMATION SYSTEMS GENERAL DATA PROTECTION REGULATION & COMPLIANCE
Please review the following information on how Datamation Systems ('DS') meets GDPR requirements as part of its digital communication with EU members and associated entities, covering the use and protection of contact data and the privacy controls in place.
- No Address Book Storage
DS messaging apps do not store the address book of a user. If access to the address book is required, the emails or phone numbers should be converted, before any synchronization, into one-way cryptographic hash values (e.g. SHA256) that cannot be reversed. These converted values should be used to synchronize and show potential contacts. It is important that these pseudonymized values are deleted immediately from the servers of the enterprise messaging app after the synchronization.
- Minimization and Pseudonymisation of Personal Data
Personal data of users should ideally be neither used nor stored (principle of data economy). If personal data is necessary to provide the messaging service, it should be pseudonymized and encrypted as far as possible in order to meet the GDPR. The enterprise messaging app should transform the data with strong cryptographic algorithms in such a way that the resulting data cannot be attributed to a specific user without the use of additional information.
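The following is an added illustration of the contact pseudonymization described in the two sections above; it is example code, not DS's own implementation. It assumes a simple normalization of emails and phone numbers, and adds an optional per-deployment secret key (HMAC-SHA256) as a hardening step beyond the plain SHA256 the text mentions, since bare hashes of low-entropy values such as phone numbers can be guessed offline.

```python
import hashlib
import hmac
import re
from typing import Iterable, Optional

def normalize_contact(value: str) -> str:
    """Canonicalise an email or phone number so one contact always hashes the same."""
    value = value.strip().lower()
    if "@" in value:
        return value
    digits = re.sub(r"\D", "", value)                      # phone: keep digits only
    return digits[2:] if digits.startswith("00") else digits  # drop a 00 dial prefix

def pseudonymize(value: str, key: Optional[bytes] = None) -> str:
    """One-way conversion of a contact. Plain SHA-256 as the page describes; with a
    per-deployment secret `key` (hardening assumed by this example, not the page)
    HMAC-SHA256 blocks offline guessing of low-entropy values such as phone numbers."""
    data = normalize_contact(value).encode()
    if key is None:
        return hashlib.sha256(data).hexdigest()
    return hmac.new(key, data, hashlib.sha256).hexdigest()

def server_match(uploaded: Iterable[str], registry: set) -> set:
    """Server side: intersect uploaded pseudonyms with registered users' pseudonyms.
    Only the intersection is returned; the uploaded list is never persisted."""
    return {h for h in uploaded if h in registry}

def sync_contacts(address_book, registry, key=None):
    """Client side: hash the local address book, send only the hashes, learn which
    contacts are registered. Plaintext contacts never leave the device, and the
    hash list is cleared after the round trip, mirroring the required deletion."""
    pseudonyms = {pseudonymize(c, key): normalize_contact(c) for c in address_book}
    matched = server_match(pseudonyms.keys(), registry)
    found = sorted(pseudonyms[h] for h in matched)
    pseudonyms.clear()
    return found

# Constructed sample data for the demo (not real users or a real key)
KEY = b"per-deployment-secret-example"
REGISTERED_USERS = ["alice@example.com", "+49 30 1234567", "carol@example.net"]
ADDRESS_BOOK = [" Alice@Example.com ", "0049-30-1234567", "bob@example.org"]

def demo():
    registry = {pseudonymize(u, KEY) for u in REGISTERED_USERS}
    return sync_contacts(ADDRESS_BOOK, registry, KEY)

if __name__ == "__main__":
    print(demo())  # ['49301234567', 'alice@example.com']
```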
- No Collection or Analysis of Messaging Metadata
DS does not collect or analyse messaging metadata. The metadata of the messaging communication could be used to generate user profiles and give insights into user behavior. In general there should be no unnecessary collection or analysis of metadata by the enterprise messaging app. Therefore metadata should not be stored unless it is required for specific features of the enterprise messaging app (e.g. multi-device synchronization, message archiving).
- Private Messaging by Design
The GDPR requires that the enterprise messaging app complies with the privacy by design principle. The enterprise messaging app should have been designed from the start with strong data protection built in. The app should have been made for messaging and sharing privately with business colleagues and teams, and should give full privacy and compliance control to the enterprise. The Datamation Systems enterprise messaging system is part of the Google G Suite platform, with RSA encryption keys of 2048 bits. Best in the industry.
- Data Loss Prevention
Google G Suite allows the enterprise to configure policies that protect sensitive personal data and information on mobile devices, tablets and desktops, and prevent accidental disclosure that could conflict with the GDPR.
- Clear Consent How Personal Data May Be Used
DS provides EU members and associated entities with a clear and affirmative consent process for the processing of personal data.
- Transparency of Personal Data Used
In order to comply with the GDPR, the enterprise messaging app must provide detailed information on what personal data is used, why the usage is required and what is done with the data. An enterprise must have complete transparency on the personal data used by the enterprise messaging app. (Noted in the DS GDPR contact approval form.)
- No Data Storage or Transfer Outside the European Union
The GDPR demands that its strong level of data protection is not undermined by transferring data outside the European Union (EU). Unless very strong guarantees are in place, data should not be transferred or stored outside the EU. The enterprise messaging app should operate fully within the EU and store and process all data in EU countries. With EU member approval, DS stores EU contact data on the Google G Suite platform, with RSA encryption keys of 2048 bits.
- Secure Integrations and APIs
Integrations and APIs are potential leaks of personal data. They could transfer data to other services, outside the EU or to other organizations, without the enterprise being informed or in control. An enterprise messaging app must have built all of its APIs itself with a strong privacy concept in mind (e.g. no insecure third-party integrations should be deployed that might route personal data via cloud services in the USA). The application integrations and APIs in use are under the full control of DS.
- Data Protection Officer for Compliant Processing
The enterprise messaging app must have a data protection officer who is responsible for compliant processing of user data and ensures that record keeping requirements are met in accordance with the GDPR.
- Audit Logs for Internal Record Keeping Requirements
Audit logs are especially important for the record keeping requirements. The audit logs of an enterprise messaging app should give a chronological record of operations and need to track all administrator activities as well as important user events. DS retains enterprise messaging logs for a period of 5 years.
- Searchable Archives
An archive of an enterprise's messaging communication is not only required for compliance and audit-proof record keeping, but is also important for the GDPR. If a business needs to find out where personal data has been exchanged, it may be necessary for the enterprise to search the messaging archive. An enterprise messaging app must provide a searchable archive that can only be accessed by selected data protection officers, in order to protect the personal data and comply with the GDPR. G Suite provides full search and archive management.
- Options for Complete Data Erasure
For the GDPR, on the one hand the enterprise messaging app must allow businesses to delete single users and all related personal data. On the other hand, the enterprise messaging app must enable businesses to delete older data from the servers and, for example if an enterprise wants to terminate its account, to completely erase all data related to that enterprise from the servers. DS can delete all contact information if requested.
- Portability of Messaging Data
Businesses must be allowed to transfer their messaging data to other services. The enterprise messaging app should provide the communication data in a commonly used, machine-readable format upon request (e.g. XML, PDF). DS can provide messaging data if requested by relevant legal parties and in accordance with US Federal or State of New Jersey laws.
- Security Breach Monitoring
DS enterprise messaging and online domains have 24/7 monitoring, ensuring high service availability and protecting against security breaches. With the GDPR, the monitoring of security breaches becomes especially critical, because the enterprise messaging app needs to inform its customers and users without undue delay and within 72 hours.

If you have questions on any of the above, or on how Datamation Systems complies with the GDPR and meets its data protection requirements, please contact us.