Updated: May 13, 2018
Approved by the European Commission in 2016 — and effective as of May 25th 2018 — the General Data Protection Regulation (GDPR) is a European privacy law designed to replace the Directive 95/46/EC, which has been the basis of European data protection law since 1995.
The GDPR has been put in place to bring EU privacy law up to speed with recent legal developments, such as the European understanding of privacy as a fundamental human right. It regulates how personal data may be obtained, used and stored, as well as how/when it is removed, with the aim of giving EU citizens and residents more control over their personal information.
With the GDPR in place, companies must:
Any companies found in breach of these rules are subject to heavy fines. As well as updating existing requirements, the GDPR adds new ones for compliance. As such, enforcement will be a particularly big issue in the months after the GDPR comes into effect.
The first thing we should point out is that most reputable companies see all of the requirements of the GDPR as representing responsible business practices. At Chatra we’ve always felt that data privacy is extremely important, and we already have extensive security and privacy measures in place.
Even so, with the May 25th deadline fast approaching, we’re working hard to make sure that these go beyond the requirements of new regulations. At the time of writing, our compliance, privacy and information security teams are done checking off our GDPR to-do list!
You’ll find a few of the measures we’ve been taking outlined below:
We offer a DPA (Data Processing Addendum), which has contractual terms that line up with all GDPR requirements, for any of our customers collecting data from those in the EU. We’ll be adding this to our Terms of Service on May 25th, with no action required on your part.
As a small team with no legal counsel on staff, we regret to say that we’re unable to make individual changes to our DPA or sign customers’ DPAs.
The Chatra team has been meeting once a week, up until the May 25th deadline, to discuss our progress towards GDPR readiness. We’ve also assembled a privacy team comprised of leaders from all areas of our business, from Engineering to Marketing and Ops, and headed up by a DPO (Data Protection Officer).
All employees, existing and new, will be made aware of GDPR regulations. Plus, where appropriate, additional training will be available for all members of our team.
We’ve performed a deep review of all our third-party vendors and their GDPR compliance. The result of this assessment is that, from May 25th 2018 onwards, all of our third-party vendors are GDPR compliant. We’re also glad to say that many took additional measures to ensure that they were ready for GDPR well before this deadline.
The GDPR states that EU customers must be able to access, update and/or remove personal data. Our self-service platform allows you, and has always allowed you, to access both your own data and data belonging to your customers. From May 25th 2018 onwards, you can search for and delete any end user conversations from within Chatra. You can also access, update, retrieve and remove personal data concerning “agent” users (including yourself) in your Chatra account.
Please contact our support team if you need to export end user data in a computer readable format.
Our managed data protection impact assessment (DPIA) process, which is a requirement of the GDPR, allows us to identify and minimize the data protection risks of any project. We’ll always collaborate on a solution to address any risk identified, big or small, in order to mitigate its impact on data privacy.
We’ve always taken security and privacy into account when looking at the implementation of new features or changes, discussing the potential impact on privacy and security for Chatra customers, and we’ll continue with this risk assessment process as we expand our offerings.
Since Chatra has always handled a good deal of personal data, we have had a breach management and communication plan in place for some time. We have, however, updated this process to comply with the GDPR. Specifically, we re-examined the escalation process and our approach to data subject notification.
With the threat of increased enforcement and large fines looming, we completely understand why the subject of GDPR makes many business owners worry. We’re happy to work with our customers to address any concerns or questions they might have about how we protect personal data. Don’t hesitate to reach out!