EU General Data Protection Regulation (GDPR) and Data Processing Agreement
What is GDPR and why is GDPR important?
There have been countless articles written on what GDPR is. In short, GDPR is a major update to EU data protection law that adds new requirements for how companies protect the personal data they process, and it raises the penalties for non-compliance: fines can reach €20 million or 4% of global annual turnover, whichever is higher.
There are 99 articles in the regulation setting out the rights of individuals and obligations placed on organizations covered by the regulation. I'd encourage you to consult your own lawyer (we've spoken to plenty to get this right), but essentially GDPR raises the stakes on the use, ownership, and protection of personal data.
Personal data is anything that allows an individual to be identified, directly or indirectly (name, address, IP address, etc.), and it includes pseudonymized data if the data can still be traced back to a specific person. GDPR also gives individuals a set of rights over that data, including the right to erasure, commonly called the "right to be forgotten."
GDPR also requires much more transparency from businesses about how they use personal data. These obligations apply to any company that processes the personal data of people in the EU, regardless of where the company is based, which means that US companies need to comply as well (unless they've decided not to allow EU users on their products).
Don't your data centers need to be in the EU now?
Nope. GDPR does not require that our data centers be in the EU. GDPR allows a company to transfer personal data outside the EU as long as safeguards are in place to make sure that it remains properly protected. We've certified under the EU-U.S. and Swiss-U.S. Privacy Shield frameworks to satisfy this requirement, and we also offer our DPA.
Where can I find your DPA?
Sign our Data Processing Agreement Here
Our compliance, data protection, and information security teams have collaborated to construct a Data Processing Agreement so you can rest assured your data is safe with us. We started from the ground up, reviewing all of our data processing activities and security processes to meet, and often exceed, GDPR's security requirements.
How does ProfitWell handle Privacy under GDPR?
To be crystal clear: ProfitWell does not and will not ever sell your data to third parties. Your data is your data. Further, your data is rarely accessed; the only reasons we would ever look at it are a QA or security issue, or your permission to analyze it and help you identify problems and opportunities in your business.
On the GDPR front, there are provisions on international data transfer mechanisms. To comply with these we certified under the EU-U.S. and Swiss-U.S. Privacy Shield frameworks, a mechanism approved for cross-border transfer of personal data under the Directive that GDPR replaced.
From a product perspective, you have the ability to anonymize a customer through the Customer section, which keeps their figures in your numbers for consistency and legal/regulatory purposes but removes their identifying information from our databases. We've also added the ability to completely delete a customer and their history from our databases (including all of their financial history); unlike anonymization, this removes their history from your numbers too.
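The two operations above behave differently for your aggregates, and the earlier point about pseudonymized data (hashed identifiers that can still be traced back to a person) is easy to get wrong. The following added example, which is not ProfitWell's code, illustrates both on a constructed customer table: anonymization clears every direct and indirect identifier but keeps the revenue figures, deletion removes the row and therefore changes the totals, and a bare hash of an email is shown to be reversible with a list of candidate addresses. The Customer schema, its field names and the sample records are assumptions made for the example.

```python
"""Anonymize vs. delete a customer record, and why hashing is not anonymization.

Added illustration, not ProfitWell's code. The Customer schema, field names
and sample records are assumptions made for this example.
"""
import hashlib
from dataclasses import dataclass, replace
from typing import Iterable, List, Optional


@dataclass(frozen=True)
class Customer:
    customer_id: str                    # internal surrogate key, kept so joins survive
    email: Optional[str]                # direct identifier
    name: Optional[str]                 # direct identifier
    billing_provider_id: Optional[str]  # indirect identifier (resolvable at the payment processor)
    mrr_cents: int                      # revenue figure that must stay in historical totals


# Constructed sample data for the example.
CUSTOMERS: List[Customer] = [
    Customer("cus_001", "ada@example.com", "Ada Lovelace", "bp_8f1", 4900),
    Customer("cus_002", "grace@example.com", "Grace Hopper", "bp_2c7", 9900),
    Customer("cus_003", "linus@example.com", "Linus Torvalds", "bp_d40", 2900),
]


def total_mrr(customers: Iterable[Customer]) -> int:
    """Aggregate that reports and charts are built from."""
    return sum(c.mrr_cents for c in customers)


def anonymize(customers: Iterable[Customer], customer_id: str) -> List[Customer]:
    """Clear every field that identifies the person, directly or indirectly.

    The revenue field is untouched, so totals computed before and after are
    identical. The surrogate key stays only so related rows keep joining;
    on its own it points at nothing once the identifiers are gone.
    """
    return [
        replace(c, email=None, name=None, billing_provider_id=None)
        if c.customer_id == customer_id else c
        for c in customers
    ]


def delete(customers: Iterable[Customer], customer_id: str) -> List[Customer]:
    """Hard delete: the record and its financial history disappear, so any
    aggregate recomputed afterwards changes."""
    return [c for c in customers if c.customer_id != customer_id]


def pseudonymize_email(email: str) -> str:
    """Replace an email with its SHA-256 digest. This is pseudonymization,
    not anonymization: anyone holding a list of candidate addresses can
    recompute the digests and link the record back to a person."""
    return hashlib.sha256(email.strip().lower().encode("utf-8")).hexdigest()


def reidentify(pseudonym: str, candidates: Iterable[str]) -> Optional[str]:
    """Dictionary attack that undoes pseudonymize_email for any known address."""
    for email in candidates:
        if pseudonymize_email(email) == pseudonym:
            return email.strip().lower()
    return None


if __name__ == "__main__":
    print("total before:", total_mrr(CUSTOMERS))
    print("total after anonymize:", total_mrr(anonymize(CUSTOMERS, "cus_002")))
    print("total after delete:", total_mrr(delete(CUSTOMERS, "cus_002")))
    digest = pseudonymize_email("grace@example.com")
    print("hash reversed to:", reidentify(digest, ["ada@example.com", "grace@example.com"]))
```

The practical consequence is that a record whose identifiers were merely hashed still falls under GDPR's definition of personal data as long as the original addresses exist anywhere you or an attacker can enumerate; only clearing (or irreversibly randomizing) the identifiers, as `anonymize` does, takes the record out of scope while keeping your numbers consistent.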
What if I have more questions?
GDPR can seem scary at first, but it doesn't have to be. If you have any questions or concerns regarding how we protect personal data to comply with GDPR, please don't hesitate to contact us at GDPR@profitwell.com.