What is it?
The GDPR is an EU Regulation to improve the protection of the personal data of EU citizens and increase the obligations of organizations who collect or process personal data. These regulations are effective as of May 25, 2018. The regulations greatly enhance the data privacy and security of our customers and extend to them rights enabling greater control over one’s personally identifiable information.
The full specification of the GDPR rights and regulations can be found here
What does this mean for Winnona Partners?
In some instances, Winnona Partners functions as both a controller and processor of our customers’ personally identifiable information (PII). Additionally, some of our clients may be sub-processors to which we transmit data for storage or processing beyond feature sets under our immediate control.
As a controller of data, we store PII such as names/usernames, email addresses, phone numbers and avatars. We use a number of databases through GDPR compliant service providers (AWS, Heroku) to store sensitive customer data.
In some cases Winnona Partners is also a processor of user data. User data is accessed to view general user activity and internal analytics, and to monitor user conflicts or error reports.
We have a system-wide GDPR compliance effort underway which will manifest itself in all of our in-house software or other owned properties when applicable.
We are both a data controller and data processor and we have several categories of measures to take in order to comply with the GDPR. The general categories are:
- Auditing data collection and processing processes and protocols
- Communicating our GDPR responsibility and accountability
- Collecting explicit affirmative consent to control and process data from our users
- Implementing and communicating steps to exercise customer data access rights
Our GDPR compliance processes and procedures are as follows:
Auditing data collection and processing processes and protocols
- We document the PII data we collect into data flows, current statuses, and retention statistics.
- Our respective privacy policies include how and why we handle personal data collected by those applications.
- Winnona Partners operates in full compliance with Apple Media Services Terms and Conditions and Google Play Terms of Service.
Communicating our GDPR responsibility and accountability
- Our internal management structure is GDPR aware.
- We have appointed a Data Protection Officer who leads our GDPR compliance, security, and infrastructure initiatives.
- We have technical security and infrastructure personnel focused on customer data security and regulatory changes.
- We have policies, internal talks, and training for GDPR and data security awareness as well as procedures for handling data breach incidents.
Collecting explicit affirmative consent to control and process customer data
- We require explicit affirmative consent at or after sign up before usage of our software when applicable.
- Our software always includes ways to for users to permanently delete their accounts should they choose not to agree to our Privacy Policies and/or Terms and Conditions when applicable.
Implementing and communicating steps to exercise customer data access rights
The GDPR guidelines require processors and controllers give easily executable rights to customers for accessing, updating, removing, cessation of processing, and delivery of their data.
Gust’s customer success and engineering teams coordinate and execute customer data access right requests using the following protocol:
- A customer contacts our team at firstname.lastname@example.org or the software-specific support email requesting to exercise one or more of their GDPR rights
- Our team authenticates the user’s identity and acknowledges the request within 48 hours
- A Winnona Partners member then attempts to resolve the issue themselves
- (or) our team logs the details of the request in our backlog and notifies the Data Protection Officer
- The Data Protection Officer coordinates, defines, and prioritizes steps to resolve the data access request
- The Data Protection Officer tracks resolution lifecycle
- The Winnona Partners team contacts the requesting user delivering applicable data packages, captures any further issues, and closes the support ticket
As of May 25, 2018, we are operationally GDPR compliant. All Winnona Partners owned applications and services comply with the regulations and we’re happy to see personal data privacy, ownership, and control come to the internet at-large. As a company, we are in full support of the regulation.