GDPR Policy Notice
May 23, 2018
The General Data Protection Regulation (“GDPR”) is a comprehensive new data protection law passed by the European Union (EU) that becomes effective on May 25, 2018. The legislation is designed to strengthen the data protection rights for individuals located within the EU. PeopleMetrics has taken the proper measures to be GDPR compliant when enforcement begins on May 25, 2018. At PeopleMetrics, we are fully committed to privacy, security and data protection for all our customers’ data.
The following information outlines certain key principles of GDPR and what we have done to prepare ourselves to meet GDPR requirements. Please note that this document does not provide legal advice and should not be used as such.
GENERAL DATA PROTECTION REGULATION
GDPR replaces the Data Protection Directive (officially Directive 95/46/EC on the protection of individuals with regard to the processing of personal data (PII in US terminology) and on the free movement of such data), a European Union directive adopted in 1995 that regulates the processing of personal data within the European Union.
The European Union (EU) enacted GDPR to govern the collection, processing, use and storage of personal data of these protected individuals in a manner designed to unify data privacy requirements across the EU. The EU designed the legislation to provide EU citizens with greater protections and rights as individuals and PeopleMetrics fully supports these new, comprehensive safeguards.
- “Data subject” is defined under GDPR for personal data as “any information concerning an identified or identifiable natural person.” This includes the name, identification number, online identifier, location, and an individual’s economic, cultural, social, physical, physiological, genetic, and mental identity.
- “Processor” (PeopleMetrics) includes a legal or natural person, agency, public authority, or other body that processes personal data on behalf of a Controller.
- “Controller” (PeopleMetrics customers utilizing our SaaS Platform to ingest personal data of persons located within the EU) includes any agency, public authority, legal person, or other body responsible for determining the reasons and means for processing personal data.
KEY CHANGES UNDER GDPR
Below are some of the material changes occurring to the previous set of data protection laws applicable in the EU when GDPR becomes effective:
- Expanded rights for individuals
GDPR expands the rights of individuals (Data subjects) in the EU, giving them more control over their data and granting them, among other things, the ‘right to be forgotten’ and ‘portability’ (give me what you have on me, please and thank you). The PeopleMetrics SaaS Platform contains tools that allow our customers to comply with any such requests, and PeopleMetrics is ready to assist our customers in addressing any such requests that come in from their customers.
- Compliance obligations
GDPR states that a formal binding agreement should be executed between the Controller and Processor of personal data (called a Data Processing Agreement, or DPA). The DPA should describe the data processing activities being carried out. PeopleMetrics has worked with our outside counsel to update our DPA to be fully GDPR compliant and is proactively offering it to all customers that are not already party to it as a result of their agreeing to the Company’s terms of service. To view this DPA, please email GDPR@peoplemetrics.com.
- Security and compliance
Under GDPR, organizations must implement appropriate security measures, policies and protocols, perform a privacy impact assessment, and maintain detailed records of data processing activities. As part of a recent SSAE 18 SOC 2 audit completed in April 2018, PeopleMetrics evaluated its current security measures, policies and procedures to ensure that we are compliant with GDPR security requirements. GDPR also requires a privacy impact assessment, which we concluded to determine our compliance with specific requirements relevant to the type of software-as-a-service we provide our customers. Lastly, we have taken steps to ensure our records for data processing activities are aligned with GDPR provisions.
Violations under GDPR apply to Controllers and Processors. Depending on the violation, the data protection authority (DPA) can impose fines of up to 4% of annual global turnover or €20 million, whichever is greater.
WHAT ACTIONS ARE WE TAKING
- PeopleMetrics has assembled a GDPR working group comprised of members of our Legal, Technology, Information Security, Operations, and Development teams, along with a panel of outside experts, to ensure we evaluate and adhere to all GDPR requirements.
- As a Processor of data of persons located within the EU on behalf of our customers, in anticipation of GDPR, we have reviewed and updated where needed our terms of service as well as our Data Processing Agreement to comply with GDPR standards.
- Our team has evaluated our current products and services to ensure we are able to support the various GDPR-defined rights of individuals including, among others, the ‘right to be forgotten’ and ‘portability’ requirements that will be applicable upon the request of such individuals. For future products, we are ensuring we apply Data Protection and Design principles throughout our software development lifecycle.
PEOPLEMETRICS GDPR ACTIONS AND STATUS
- Create GDPR committee to ensure compliance (DONE)
- Review and modify Services Agreement, including seeking expert consultation on GDPR (DONE)
- Data Protection Officer appointment (DONE)
- Research business and product impacts because of GDPR (IN PROGRESS)
- Identify changes or improvements to data privacy policies to consider GDPR, thoroughly test, and document (DONE)
- Create a Data Processing Agreement (DONE)
- Communicate revised services terms to customers (IN PROGRESS)
- Complete a DPIA to determine which function is Controller- or Processor-specific (DONE)
- PeopleMetrics will work with our customers (Controllers) and shall process personal data in a manner that is designed to ensure security and confidentiality, as well as in a fashion that provides fairness and transparency.
- PeopleMetrics is committed to working with Controllers regarding data retention policies and processes for data retention, specifically ensuring we can aid the Controller with identifying and removing data when needed, including the personal data of any person requesting such removal once the Controller alerts PeopleMetrics of such requirements.
- The customer as Controller is responsible for ensuring that there is a lawful basis for processing any personal data that is ingested by the PeopleMetrics services at the direction of the customer, whether by obtaining its customer’s consent or by virtue of some other lawful basis.
FREQUENTLY ASKED QUESTIONS
- Where is data stored, processed or accessed?
All PeopleMetrics data is stored, processed and accessed in Amazon Web Services and EvolveIP datacenters.
- Will PeopleMetrics (Processor) use personal data for any purpose other than providing your Services?
No, PeopleMetrics only processes data as directed by the Controller and does not use personal data for any other purpose.
CONTACT INFORMATION
PeopleMetrics welcomes your comments regarding GDPR. Please contact PeopleMetrics at GDPR@peoplemetrics.com, or write to us via US mail at the following address:
Two Logan Square
Philadelphia, PA 19103
Corporate Headquarters – USA
ATTN: David Rode (DPO)