Brace yourselves, GDPR is coming!
On May 25, 2018, the General Data Protection Regulation (GDPR) will come into force, impacting how businesses collect and process data from individuals.
Omnify is fully committed to being compliant prior to the date GDPR goes into effect. We’ve always taken data privacy and security seriously while building Omnify.
Omnify’s GDPR program comprises of evaluation and updation of our existing Privacy Policy, review, and updation of our internal data handling and review agreements with customers and suppliers.
Let’s start at the beginning:
The GDPR (General Data Protection Regulation) is an important piece of legislation that is designed to strengthen and unify data protection laws for all individuals within the European Union.
There are 3 stakeholders in the relationship:
- The data subject: the person that is the subject of the personal data. It can be anything from a name, a photo, an email address, bank details, posts on social networking websites, medical information, or a computer IP address
- The data controller: A controller is an entity that determines the purposes, conditions, and means of the processing of personal data
- The data processor: the processor is an entity which processes personal data on behalf of the controller.
Omnify is a data controller as well as a processor.
Now, the GDPR grants the following rights to the data subjects.
- The subjects have the right to be informed. The data controller and processor must be transparent in how they are using personal data of the subject.
- Data subjects must have the Right of access and know what personal data is held about them and how it is processed. Where reasonably possible, data subjects must be able to edit their personal data.
- The right to be forgotten or Right to erasure allows the subject the right to have their personal data permanently deleted upon their request.
- Data subjects have the right to block processing of their personal data.
- Subjects have the right to data portability which means they have the right to export all their data and port it to other data controller
What is Omnify doing about it?
- Information
Omnify is fully committed to the general policy of openness about how and where we store personal data, practices, and policies with respect to personal data. We have shared more on this in the last part of the article.
- Consent
Omnify will take consent before collecting any information from the data subject. We will make sure that consent is clear and distinguishable from other matters and provided in an intelligible and easily accessible form. Parental consent will be required to process the personal data of children under the age of 16 for online services.
- Breach Notification
Omnify is aware of the GDPR rules and regulations around breach. Omnify is committed to notifying customers in all member states in case of a data breach within 72 hours of first having become aware of the breach.
- Right to Access
As their rights, data subjects will be able to obtain information as to whether or not personal data concerning them are being processed, where and for what purpose. Further, Omnify shall provide a copy of the personal data, in an electronic format, when asked for.
- Data Erasure
The data subject will have the liberty to request to erase their personal data, cease further dissemination of the data, and potentially have third parties halt processing of the data.
- Data Portability
Omnify will facilitate data portability wherein the data subject to receive the personal data concerning them and have the right to port that data to another controller.
- Privacy by Design
At Omnify, we have always been big believers in Privacy by Design Policy. As controllers, we hold and process the data that is absolutely necessary for the completion of its duties, as well as limiting the access to personal data to those needing to act out the processing.
The Openness Principle
Definitions and Data Collected
- Customer data
Omnify’s customer is the person who has created an account in Omnify and has their business hosted. Omnify collects the following information from our customer- First Name, Last Name, Email, Phone Number, Location, Picture
- Team Member data
Team Members are additional members added by the customer to their business. Omnify collects the following information from a client- First Name, Last Name, Email, Phone Number, Location, Custom field data set up by the customer.
- Client data
A client is the person who has created an account with the customer’s business, aided by the customer in their CRM, has made an inquiry from the customer’s omnify service to store or has purchased any services from the client. Omnify collects the following information from a client- First Name, Last Name, Email, Phone Number, Location, Custom field data set up by the customer
- Booking & Sales Data
Omnify collects the following data First Name, Last Name, Email, Phone Number, Location, Custom field data set up by the customer, Time & Date of Booking, Price etc
- Family Member’s Data
If a member is above 13 years of age, Omnify collects the following data First Name, Last Name, Email, Phone Number, Location, Custom field data set up by the customer, Time & Date of Booking, Price etc. If a member is below 13 years of age, a parental contest is collected and Omnify only collects the following data First Name, Last Name, Custom field data set up by the customer.
Omnify collects minimal data, protected with appropriate security measures, and encryption of personal information.
Data Hosting
Data is hosted by data centers qualified by global IT standards and regulations. All Omnify’s data is securely hosted on Amazon Web Services(AWS) data centers in the USA. The server infrastructure is PCI DSS 3.2 Level 1, ISO 27001, SSAE 16 and ISAE 3402 compliant.
Backup and logs
Omnify maintains a robust backup plan where data is stored in a secure location and multiple data backups are retained for a stipulated period and then removed from the system. All personal data is stored and transferred in compliance with applicable global regulations. Application and customer logs generated as part of services provided are maintained as per established retention limits. Post this period, data records are scheduled for auto-removal.
Processing Data
Omnify’s processes data necessary for delivery of services in a fair and lawful manner. Personal data is processed in a manner that ensures security and confidentiality of personal data, including prevention of unauthorized access to or use of this data. User authentication and profile data are collected and processed within Amazon Web Services(AWS) secure environment.
Service Partners
Omnify partners with organizations, that like itself adhere to global standards and regulations.
We will keep updating this post with more information around data protection and GDPR. If you have any questions, drop us an email at privacy@getomnify.com.
Our Privacy Policy will be fully updated on 30 Apr 2018.
THE END.
Learn more about how Omnify is getting ready for GDPR and updating it's data protection policies- Omnify Blog