In 2018, the European Commission approved and adopted the new General Data Protection Regulation (GDPR). The GDPR is the biggest change in data protection laws in Europe since the 1995 introduction of the European Union (EU) Data Protection Directive, also known as Directive 95/46/EC. The GDPR aims to strengthen the security and protection of personal data in the EU and will replace the Directive and all local laws relating to it (this new standard went into effect on May 25, 2018). This means that Discuss.io stands ready to support and assist its clients residing in the EU as they also meet their own obligations under the GDPR.
Discuss.io welcomes the arrival of the GDPR. The new, robust requirements raise the bar for data protection, security, and compliance, and will push the industry to follow the most stringent controls, helping to make everyone more secure.
Below is the work that Discuss.io is doing to help customers with the GDPR as part of our continued commitment to help ensure they can comply with EU Data Protection requirements.
To comply with GDPR, companies who handle EU-based residents' data need to comply with the following important requirements:
- Protect personal data using appropriate security
- Notify authorities of personal data breaches
- Obtain appropriate consents for processing data
- Have transparent policies regarding how they process data
- Train employees based on the type of data they handle
- Audit and update data policies
- Employ a Data Protection Officer (if required)
- Create and manage compliant vendor contracts
- Provide clear notice of data collection
- Outline processing purposes and use cases
- Define data retention and deletion policies
How Discuss.io Handles GDPR for MR Professionals
Discuss.io is staying ahead of the GDPR changes, both in its role as a data processor and in support of data controllers. Discuss.io efforts include:
- Providing a great software platform that allows client companies to comply with the GDPR requirements while maintaining a superior user experience.
- Deploying industry-standard technical processes and procedures that protect data, both when it is in transmission and while we are hosting it.
- Providing a hosting center and data collection network. We selected world-class service provider Amazon Web Services (US-East). Their stringent standards for data protection and security made them our choice for all of our customer data, including customers in the United States and the EU.
- Working with EU and U.S. legal counsel to develop a Data Protection Agreement (DPA) that complies fully with the GDPR. This DPA, which will be the contract with all clients who are data controllers under the GDPR, also incorporates the European Model Clauses, also known as the Standard Contractual Clauses. (The Model Clauses were approved by the European Commission and are the industry standard for when personal data is transferred outside of the European Economic Area.)
- Being certified under the EU-U.S. and Swiss-U.S. Privacy Shield Frameworks. This certification also ensures that we comply with data protection requirements when transferring personal data from the EU and Switzerland to the United States.
- Following the GDPR definition of acceptable timelines when processing data subjects requests, whether it’s consent withdrawal, restricting processing, providing access, transferring their data or erasing it. We will also provide prompt notification in the event of a data breach.
- Staying abreast of continuing GDPR developments and guidance, to support our clients’ compliance efforts.
What you can do to protect your MR data under the GDPR
While it’s always a great time to think about improving data security, the GDPR deadline provides a good target for reviewing your organization’s privacy and security policies and evaluating how you put them into practice. While Discuss.io has yet to have a data breach from hacking, there have been instances where individual customers have been careless with their login credentials or access permissions.
The best protection of personal information comes from a combination of continuously updated technology, thorough training for employees who handle and have access to personal data, and seamless communication about new requirements. Discuss.io addresses each of these concerns with our features and support, and we will continue to support our clients as regulations evolve.
For more information on the upcoming GDPR changes, visit the official EU homepage.
Frequently Asked Questions
How does Discuss.io handle system, project, and meeting room access?
The Discuss.io application is restricted to registered users only. Moderators and support role users must be authenticated in order to join a session. Other roles allow guest access by unauthenticated users.
Project access in the application is restricted to the project owner and their authorized collaborators, in addition to system administrators.
How do users provide consent for data processing?
Unauthenticated users consent to the processing of their data prior to joining a session. Authenticated users consent to data processing during account creation. This consent is timestamped and stored in our database.
Where is the platform hosted and where is data stored?
The platform is hosted, and data is stored, in the US. As a member of Privacy Shield, we are currently compliant with EU data restrictions, per the latest 2017 review. We will address any concerns raised by the new European Data Protection Board as they arise. You can read more in the statement by the current EU governing body regarding Privacy Shield.
What is your data retention policy?
Data is currently stored indefinitely. In preparation for and in accordance with GDPR guidelines, we intend to implement a 7 year retention policy for archived elements such as transcripts and video archives. Data required only for the organization and execution of the session, such as respondent Personal Data and screening responses, will be destroyed upon project completion. At any time, EU data subjects may request the deletion of their data, and Discuss.io will do following the GDPR guidelines, as well as notify all project owners and project collaborators of the need to destroy any downloaded copies of the project materials. To request data removal, please email firstname.lastname@example.org.
What is your data backup and archival policy?
Our database is a multi-AZ Amazon AWS RDS instance for resiliency with a separate read replica for availability. Automated backups are taken daily and retained for 7 days, as well as at the time of a production release. Video data is stored in AWS S3. We retain the source composite as well as the processed video and clips. Retention policy is per GDPR or customer request, whichever is sooner.
What data is provided to us as a client and how is it transferred to us?
Respondent screening information is currently stored using Google Cloud Services and sent via email, using the latest standard email encryption protocols. We do not further encrypt or restrict access to this information. Clients never have access to Respondent contact information or surnames.
Our entire application is served via HTTPS -ie. all traffic is encrypted via TLS. The application does not send data to customers - customers must make requests for data. Customers are able to view and download data via the application (HTTPS-secured). Data stored in Amazon AWS S3 is encrypted at rest, as is our database.