The General Data Protection Regulation of the European Union (GDPR), which takes effect on May 25, 2018, is the European Union’s (EU) comprehensive new privacy law that aims to protect the personal data—and rights related to that data—of persons residing within the EU.
The GDPR defines personal data as “any information relating to an identified or identifiable natural person.” Your name and email address are both examples of personal data. Any organization that processes the personal data of EU residents will be required to comply with the GDPR, whether or not it has any physical or legal presence in the EU. Thus, the GDPR applies globally to any organization that collects the personal data, or monitors the behavioural activity, of persons located within the EU.
How Does the GDPR Affect Conversica and Its Customers?
For the purposes of the GDPR, Conversica is a “data processor” (i.e., an organization that processes personal data on behalf of a data controller, typically in the context of providing services to the data controller) and our customers are typically “data controllers” (i.e., individuals or organizations that determine the purposes and means of the processing of personal data). Under the GDPR, individuals whose personal data are being processed are referred to as “data subjects.”
Processors and controllers each have their respective obligations under the law. Therefore, even though Conversica may be in compliance with the GDPR, it does not mean that our customers are automatically in compliance with the GDPR.
Responsibilities of Data Controllers
Data controllers are individuals or organizations that determine the purposes and means of processing personal data. Data controllers bear the primary responsibility for complying with the rights of data subjects and responding to data subjects’ requests under the GDPR. For example, when a data subject makes a lawful request to access, correct, update, delete, or restrict the processing of his or her personal data, the GDPR obliges the data controller to respond and, presuming the request is reasonable and does not infringe the rights of others, to fulfil that request.
Data controllers are also required to implement appropriate technical and organizational measures to ensure the security and confidentiality of personal data, and to inform data subjects about the personal data being processed, the purposes of that processing, and the third parties to which that data will be transferred, among other things. Finally, the GDPR imposes duties of transparency and “data protection by design and by default,” which require the open, intelligible sharing of relevant privacy information and consideration of the privacy of personal data when undertaking new initiatives or developing new products or services. These are just a few of the controller-related provisions of the GDPR.
Responsibilities of Data Processors
A data processor only processes personal data according to the documented instructions of a data controller. While a processor does have certain obligations to support and assist the controller in meeting its own obligations, such as informing the controller of requests it receives from data subjects, its relationship to the personal data and to the data subjects themselves is comparatively restricted.
Conversica’s Compliance with the GDPR
Conversica has engaged VeraSafe, a privacy consulting firm, to assist us with our GDPR compliance efforts, and with their assistance, we are actively engaged in ensuring our own compliance with the GDPR and creating solutions to enable our customers to comply with their own obligations as data controllers under the law.
Conversica has always aimed to maintain the privacy and protection of data subjects in accordance with any applicable data protection laws. This is demonstrated by Conversica’s participation in the EU-U.S. Privacy Shield Framework (“Privacy Shield”).
In anticipation of the GDPR taking effect on May 25, 2018, Conversica has undertaken extensive reviews of its data protection policies, security measures and operational processes to ensure our compliance with the GDPR. Unlike the Privacy Shield, there is no certification process currently available for proving compliance with the GDPR. However, Conversica is taking the GDPR seriously.
Conversica’s GDPR Compliance Activities
Creation of a Data Processing Addendum
In compliance with Article 28 of the GDPR, Conversica is drafting a new Data Processing Addendum (DPA) to our Terms of Service that will set out the terms on which Conversica processes personal data on behalf of our customers. According to Article 28 of the GDPR, data processors must only act upon the documented instructions of the data controller unless otherwise required by law. However, this requirement does not relieve Conversica of any of our obligations or liabilities under the GDPR. By executing our DPA, you will be able to use Conversica’s services confident in the knowledge that personal data is being processed according to GDPR requirements.
Appointment of an Article 27 EU Representative
In accordance with Article 27 of the GDPR, Conversica has appointed VeraSafe as our official representative in the European Union. To ensure compliance with the GDPR, supervisory authorities and data subjects whose data are being processed by Conversica may contact Conversica through VeraSafe on all issues related to our GDPR compliance. The contact details for our Article 27 EU representatives are as follows:
Matthew Joseph, CIPP/US
VeraSafe Ireland LTD
Unit 3D North Point House
North Point Business Park
New Mallow Road
Prague 150 00
Conversica relies on third-party service providers to help provide the Conversica services to you, such as web application hosting services and contact data verification providers. These service providers are also considered data processors under the GDPR, but since they are only processing data on our instructions, we refer to them as subprocessors. Conversica is updating its contracts with these service providers to ensure that each agreement contains privacy terms that meet the standards of the GDPR.
But we don’t stop there: before we entrust your data to one of our service providers, the GDPR requires us to confirm that each subprocessor provides sufficient guarantees that it will implement appropriate technical and organizational measures to protect the privacy and security of personal data. Conversica remains responsible to our customers for their personal data, even when it is in a subprocessor’s hands.
Protecting Privacy by Design
Conversica has always been a security-conscious company, and going forward every new product development will be designed from inception to implementation with the privacy and security of personal data in mind, a requirement that is central to the GDPR.
Conversica’s Activities to Make Our Customers’ GDPR Compliance Easier
Easier Response to Data Subjects
As data controllers, our customers have additional obligations under the GDPR, including the responsibility to honour the rights of the data subject enumerated in Chapter III of the GDPR and to respond to objections from data subjects and to their requests for information, rectification, access and erasure.
Conversica’s goal is to improve our service to make it easier and more efficient for our customers to respond to these requests from the individuals whose data they process. We are in the process of developing internal policies and updates to our settings that will allow a more streamlined approach to our customers’ interaction with data subjects.
The Conversica service already requires minimal data collection in order to function. The only personal data Conversica requires in order for our service to function is the email address or mobile phone number of each intended recipient, making it easy for our customers to minimize their own personal data processing.
For our customers who are regulated by the GDPR, all personal data is deleted by Conversica within 90 days of the termination of their contract with us. We’re currently developing solutions to make it easier for us to assist our customers with deleting their own customers’ personal data from our systems in order to comply with data subject erasure requests under Article 17 of the GDPR (the “right to be forgotten”).
We are committed to achieving and maintaining the trust of our customers. Integral to this mission is providing a robust security and privacy program that carefully considers data protection matters across Conversica’s suite of services, including data submitted by customers to the Conversica services. This program is executed via a strategic, multi-layered combination of industry best practices, deep industry experience, annual independent audits and partnership with best-in-class providers such as Amazon Web Services. Our systems are tightly controlled on the physical, network, and application levels, and we perform regular security testing and monitoring to ensure consistency and effectiveness.
We hope this information is helpful in understanding the GDPR requirements and Conversica’s GDPR program efforts. If you are a current Conversica customer and would like more information, please contact your customer success manager or email email@example.com
For more information on our compliance with the GDPR, please read this latest post.