GDPR and Staff Squared
5th March 2018
Over the next few months the noise over GDPR will finally reach a crescendo. For the uninitiated, “GDPR” stands for “General Data Protection Regulation” and it goes into effect on May 25th of this year.
We’ve documented a full list of questions and answers for how Staff Squared accommodates the changes GDPR legislation brings into play.
GDPR is designed to protect how personal information of EU (European Union) citizens is collected, stored, and shared. The regulation should also improve transparency as to how personal information is managed by a business or organisation.
Staff Squared fully expects to be GDPR compliant when May 25th rolls around and we thought we’d share our experience along the way. We’ll start with this post as an introduction to GDPR. In future posts, we’ll dive into some of the details of the process we went through in meeting the GDPR objectives.
GDPR – helping us to help you
To ensure we are GDPR compliant, Staff Squared has assembled a dedicated internal team, engaged expert legal counsel, and consulted with other tech companies on best practices. While it is a sizable effort on our part, we view this as a waypoint in our ongoing effort to secure and protect our customers’ data and to be transparent in how we work as a company.
In addition to the various operational and technical changes now underway, we’re also undergoing the internal operational improvements required to be both CyberSecurity Essentials Plus and ISO 27001 accredited. More on that to come in future posts.
We’re making these changes because we believe in security by design. We feel it’s important that this attitude and culture is equally something that our customers pay attention to.
We can spend hundreds of thousands of pounds on the security of our systems, but we can’t stop one of your employees writing their Staff Squared login on a note stuck to their computer monitor. We will of course provide tools such as two-factor authentication which you’ll be able to take advantage of, but ultimately we’re as secure as our customers allow us to be. Humans are typically the chink in the armour when it comes to security.
Why is GDPR Important?
At the centre of GDPR is the protection of Personally Identifiable Information or “PII.” PII is defined as information that can be used on its own or in combination with other information to identify a specific person. This includes obvious data such as name, address, and phone number; less obvious data such as email address and IP address; and other data such as a credit card number, and unique identifiers that can be decoded back to the person.
How Will GDPR Affect Your Staff Squared Account?
The various changes we’re going to make to Staff Squared are relatively straightforward and we’ll publish information about those in the coming weeks. However, our terms and privacy agreements will change significantly to take GDPR requirements into account. The clauses we add will be generally consistent across all GDPR compliant vendors and are meant to be easily understood so that a customer can easily determine how their PII is being collected and used.
Common GDPR Questions:
Dozens of customers have contacted us about GDPR and its impact on their business, Staff Squared or the world in general. Here are some of the more common questions we’ve received to date:
- GDPR will only affect citizens in the EU.
Answer: The changes that are being made by companies such as Staff Squared to comply with GDPR will almost certainly apply to customers from all countries. And that’s a good thing. The protections afforded to EU citizens by GDPR are something all users of our service should benefit from.
- After May 25, 2018, a citizen of the EU will not be allowed to use any applications or services that store data outside of the EU.
Answer: False, no one will stop you as an EU citizen from using the internet-based service you choose. But, you should make sure you know where your data is being collected, processed, and stored. If any of those activities occur outside the EU, make sure the company is following the GDPR guidelines.
- My business only has a few EU citizens as customers, so I don’t need to care about GDPR.
Answer: False, even if you have just one EU citizen as a customer, and you capture, process or store their PII outside of the EU, you need to comply with GDPR.
- Companies can be fined millions of dollars for not complying with GDPR.
Answer: True, but: the regulation allows for companies to be fined up to £20 Million or 4% of global revenue (whichever is greater) if they don’t comply with GDPR. In practice, the feeling is that such fines will be reserved (at least initially) for egregious violators that ignore or merely give “lip-service” to GDPR.
- You’ll be able to tell a company is GDPR compliant because they have a “GDPR Certified” badge on their website.
For all the noise and confusion surrounding GDPR, the regulation is reasonably well thought out and addresses a very important issue — people’s privacy online. Creating a best practices document, or in this case a regulation, that companies such as Staff Squared can follow is a good idea. The document isn’t perfect, and over the coming years we expect there to be changes.
In summary, GDPR changes are coming over the next few months. Staff Squared has our internal staff and our legal counsel working diligently to ensure that we will be GDPR compliant by May 25th. We believe that GDPR will have a positive effect in enhancing the protection of personally identifiable information for not only EU citizens, but all of our Staff Squared customers.