GDPR & EnableX
GDPR is an extensive piece of legislation which has been several years in the making. This guide explains key items pertaining to the legislation and how you can ensure compliancy of your application built on top of our platform w.r.t services used from EnableX platform.
What is GDPR
General Data Protection Regulation (EU) 2016/679 (GDPR) is a regulation in EU law on data protection and privacy for all individual citizens of the European Union. Under the terms of GDPR, not only do organizations have to ensure that personal data is gathered legally and under strict conditions, but those who collect and manage it are obliged to protect it from misuse and exploitation, as well as to respect the rights of data owners – or face penalties for not doing so.
Who does GDPR apply to?
GDPR applies to any organization operating within the EU, as well as any organizations outside of the EU which offer goods or services to customers or businesses in the EU. There are two different types of data-handlers the legislation applies to: ‘processors’ and ‘controllers’. The definitions of each are laid out in Article 4 of the General Data Protection Regulation.
- A controller is a “person, public authority, agency or other body which, alone or jointly with others, determines the purposes and means of processing of personal data”,
- Processor is a “person, public authority, agency or other body which processes personal data on behalf of the controller”.
Controllers are also forced to ensure that all contracts with processors are in compliance with GDPR.
Key practices and safeguards required for GDPR compliance
Personal data as referred in GDPR is any personal information pertaining to the person that can be used directly or indirectly to identify the person such as name, photo, email address, bank details, posts on social networking sites, medical information or computer IP address.
To ensure “GDPR compliance” the data-handlers must ensure measures and appropriate safeguards to comply with the following
- Businesses and organizations handling private or sensitive data must ask for consent and permission each and every time they access the data.
- Breach notification
- Compliance with the GDPR requires companies to notify all data subjects that a security breach has occurred within 72 hours of first discovering it
- Right to access
- The GDPR requires companies to provide, at the data subject’s request, confirmation as to whether personal data pertaining to them is being processed, where it is being processed, and for what purpose.
- Right to be forgotten
- Under the GDPR, companies will erase all personal data when asked to do so by the data subject. At that point, the company will cease further dissemination of the data, and halt all processing.
- Data portabilit
- The GDPR requires companies to provide mechanisms for a data subject to receive any previously provided personal data in a commonly used and machine-readable format.
- Privacy by Design
- Companies will process only the data absolutely necessary for the completion of its business and limit access to personal data to only those employees needing the information to complete the process consented to by the data subject.
- Data Protection Officers
- The enterprises will designate a Data Protection Officer (DPO) to oversee the application of the GDPR and to protect personal data from misuse and unauthorized access and other security breaches. If an enterprise meets the criteria of size above which DPO is necessitated, then a designated DPO is a requirement, not an option.
GDPR compliance in EnableX platform
“Data subject” as defined in GDPR is any person whose personal data is being collected, held or processed.
Like most cloud-based platforms, EnableX uses the shared responsibility model. GDPR stipulates that both data controllers and data processors have duties with regard to customers, supervisory authorities and more. This is what we mean by a ‘shared responsibility for data security’
EnableX provides its services to end-users through its partners, who are the primary customers for EnableX. The end user, who is the customer of the EnableX customer, is never the primary customer for EnableX. The end user using the applications are the data-subjects.
The EnableX platform is responsible for securing the underlying real-time communication services provided; while EnableX customers, acting either as data controllers or data processors, are responsible for any personal data they gather from their customers, who are the end-users for EnableX. As a data processor, EnableX can provide a “Data Processing Agreement” which clarifies the responsibilities and contractual terms under the shared responsibility for the use of the platform.
Prima facie, EnableX does not ask for, utilise, or store any personal data, for any end-user to use any of its services. All EnableX products work through our partners, who maintain the application and authentication layers, and are responsible for creating and managing end-user profiles. None of this profile information is passed on to EnableX for any reason whatsoever.
The EnableX Customer/Partner who develops applications on top of “EnableX” is the data-controller. EnableX is the data-processor on behalf of this customer-partner and does not maintain any personal identity information of application end-user. We strongly recommend not sharing any personal information while using our application or any communication initiated with the EnableX
The EnableX customer/partners are responsible for the end user’s data containing personal information and for securing it.
The use of EnableX platform services does not necessitate sharing any personal information of end users referred as “data-subjects”. Therefore customer/partner is strongly recommended to anonymize and never share any end user information with EnableX platform
EnableX as a processor: The parties acknowledge and agree that with respect to the processing of Customer Content, Customer may act either as a controller or processor and EnableX is a processor.
- EnableX as a Controller of Customer Account Data: The parties acknowledge that, with regards to the processing of Customer Account Data, Customer is a controller and EnableX is an independent controller, not a joint controller with Customer.
- EnableX as a Controller of Customer Usage Data: The parties acknowledge that, with respect to the processing of Customer Usage Data, Customer may act either as a controller or processor and EnableX is an independent controller, not a joint controller with Customer.
- EnableX is responsible for the Customer Account Data that may contain personal information.
- As a Controller of Customer Content, the Customer is expected to obtain consent from the end user whenever the application accesses any customer information including during live sessions. The Customer is responsible for the Customer Content (or their end user’s content) in terms of storing and deleting these on EnableX platform according to Customer’s instructions.
- EnableX is responsible for Customer Account Data stored on the EnableX portal. The portal stores contact information about the customer/partner hosting application on the platform. Contact information include personally identifiable data collected during the sign-up process or during application creation. The information is the minimum required information which is agreed to be shared as part of business contractual terms by the customer/partner.
- For GDPR compliance EnableX customer has the add “right to be forgotten”. The customer can raise request to delete all Customer Account Data and Customer Content stored on the platform. EnableX maintains the audit log for such requests.
- EnableX will notify the Customer whenever there is service breach pertaining to Customer Account Data or Customer Content.
- All communication sessions are encrypted. Unauthorised entry of end-users in sessions they are not part of is controlled via multiple security protocols.
- EnableX is, however, not responsible for the content of the communication between end-users Session recordings which include voice, video, whiteboard etc communication between end-users are created by EnableX and stored for a very short duration, within which they are transferred to partners control, where they are responsible for storage, distribution and security.
- Payment information is securely stored at the payment gateway.
Among other initiatives, the following are actively followed to ensure GDPR compliance.
- Personal data encryption
- Database backups
- Database encryption
- HTTPS connections
- Computer encryption
- Systematic 8+ characters passwords
- Security trainings
- Privacy & security by design
EnableX does not sell any user data to any third party for any purpose or use it for any advertisement related purpose.