The EU General Data Protection Regulation (GDPR) is the most comprehensive change to EU data privacy law in decades. It will take effect from the 25th May 2018. The MyRobotWorks team is working hard to ensure our full compliance by this date.
1. What is the GDPR?
The General Data Protection Regulation (GDPR) (https://eur-lex.europa.eu/legal-content/EN/TXT/?uri=celex%3A32016R0679) is a regulation in EU law on data protection and privacy for all individuals within the European Union. For EU residents, the regulation aims to increase their control over their personal data. For businesses, the GDPR becomes a unifying regulation across the EU. GDPR takes effect on the 25th of May 2018, it replaces the 1995 Data Protection Directive.
2. Does this affect me?
The GDPR regulation applies to any EU residents' data, regardless of where the processor or controller is located. This means for example that if you’re using MyRobotWorks from the US to reach out to other US corporations, the regulation doesn’t affect you. But if some of your customers or leads are in the EU, you should pay attention to it. In practice, most companies need to take the GDPR into consideration.
3. How MyRobotWorks is complying with the GDPR
Even though the GDPR only applies to data from EU residents, we took the decision to apply broadly the requirement of the regulation. This means we don’t restrict any privacy related feature based on the geographical location of a data subject. Here are some of the actions we’ve taken to ensure we’re compliant:
We’re taking the security of the data we manage very seriously.
The MyRobotWorks servers are physically secure and may only be accessed by MyRobotWorks's technical or support personnel whose jobs specifically relate to maintaining the integrity of the MyRobotWorks servers or supporting product-related functions. Such individuals are required to maintain the security of the servers and the confidentiality of the information contained in the servers. MyRobotWorks takes all reasonable and appropriate steps to protect your personal information, including by encrypting such information, maintaining readily accessible steps to limit access, working to detect unauthorized access, and not storing such information any longer than we need to.
Our privacy team has analyzed the requirements of the GDPR and is working to enhance our policies, procedures, contracts and platform features to ensure we comply with the GDPR and enable compliance for our customers.
Your data is protected between you and our systems. We take multiple steps to prevent eavesdropping between you and our systems, as well as within our infrastructure. Internal infrastructure is isolated using strict firewalls and network access lists. Each system is designated to a firewall security group by its function. By default, all access is denied and only explicitly allowed ports are exposed.
If we see something, we’ll react quickly and remedy the issue. We’re not resting on our laurels. We’re always looking for potential system interruptions. If we do find something out of place, we’ll address the issue in a manner that it won’t be an issue in the future. We’ve invested in ensuring we can detect and respond to security events and incidents that impact its infrastructure.
We’re relentlessly updating our systems to protect your data. Our virtual systems are replaced on a regular basis with new, patched systems. System configuration and consistency are maintained using a combination of configuration management, up-to-date images and continuous deployment. Through continuous deployment, existing systems are decommissioned and replaced by up-to-date images at a regular interval.
Only people who need access, get access. Production system access is limited to key members of the MyRobotWorks engineering team and passwords are expressly forbidden. At a minimum, authentication requires two factors including asymmetric RSA public/private keys and a time-based crypto token.
Don’t just take our word that our systems are secure. We don’t. Even though we’ve designed secure systems and procedures, we regularly perform security tests to identify and remediate potential vulnerabilities. We also conduct periodic penetration tests with expert third-party vendors to help keep our applications safe and secure. These tests cover network, server, database and in-depth testing for vulnerabilities inside MyRobotWorks applications.
We prevent single points of failure. Even if there is an interruption to one system, the rest of our services stay up and secure. We physically separate the database instances from application servers and heartily believe in the mantra of single¬ function servers. MyRobotWorks application passwords are hashed and even our own staff can’t retrieve them. If lost the password must be reset.
5. Log retention
To improve, debug or prevent fraud on the service, we keep a variety of logs. We now make sure logs are destroyed at most 12 months after their collection date. We never use those logs of anything else than monitoring and debugging.
6. Data portability
The GDPR gives the right to any user to download any data that he provides to a service. This allows for easier migration to other services. We think this is a great idea and MyRobotWorks has always made it possible for user to download their data.
7. Systematic pseudonymisation of non-public data
Our applications heavily pseudonymise data to ensure the privacy of data subjects. Any attributes that doesn’t need to remain in it’s original form is truncated to remove any possibility to be linked back to a specific data subject.
8. Right of erasure
Because we deal with publicly available web data, information removed from a website are also removed from our database. But if a data subject wishes to speed up the removal of any in our index, we offer a simple an efficient way or entirely remove it data.
Any other questions?
Our work related to the GDPR is still in progress and you can expect this and related pages to be updated regularly. Should you have any other question, we’re here to help: hello@MyRobotWorks.com.