FluentPro – GDPR: Making Changes
in Data Protection

Anna Shalomova

PPM Consultant

FluentPro – GDPR: Making Changes in Data Protection

Strong relationships with our customers and partners are essential. A critical part of these relationships is establishing trust and confidence, which is why privacy has always been a priority. With the General Data Protection Regulation (GDPR) set to take effect on May 25th, 2018 we would like to share an update on our work to comply with new regulations. We will provide an overview of upcoming product and operational changes that expand our privacy framework. We will also keep you informed on the latest developments or changes in our organizational and technical measures.

What is GDPR?

The GDPR (General Data Protection Regulation) is a new EU Regulation that will replace the 1995 EU Data Protection Directive (DPD) to significantly enhance the protection of the personal data of EU citizens and increase the obligations on organizations who collect or process personal data. It will come into force on 25th May 2018. The regulation is based on many of the 1995 Directive’s requirements for data privacy and security. Still, it includes several new outlines to strengthen the rights of data subjects and add more severe penalties for violations. The full text of the GDPR can be found here.

Why is GDPR necessary?

The GDPR affects any business that collects data in or from the European Economic Area (“EEA”), regardless of whether they’re based within the EEA or not. The GDPR requires businesses to give individuals greater visibility into and control over the data they provide to those businesses. The GDPR aims to modernize old privacy laws to ensure that the protection of personal data remains a fundamental right for EU citizens.

What is FluentPro’s role under GDPR?

We act as both a data processor and a data controller under the GDPR.

FluentPro as a data processor: When customers use our products and services to process EU personal data, we act as a data processor since we process personal information on behalf of and by the instructions of our Subscribers. For example, we will be a processor of personal data of end users, employees, or contractors of our Subscribers and other information that is get uploaded into or transferred through our products.

FluentPro as a data controller:  We act as a data controller for the customer information to provide our products and services, respond to emails or other requests and provide timely customer support. For example, we will be a personal data controller when you complete our online forms or if you register and create a profile on our sites. This customer information may include customer name, address, email address, and contact information.

What is FluentPro doing?

To prepare for the GDPR, we are undertaking some research and changes, both small and large ones. You can read about those changes below.

Security

FluentPro continues to make data security our priority, and below are some details on specific security measures related to the GDPR that we have in place:

• Access control (authentication and authorization, role-based access control models)
• Single sign-on support
• Two-factor authentication for server access
• Data encryption
• Transport layer security technology
• Continuous network and security monitoring
• Vulnerability management
• Internal IT security (keycard access and biometrics, surveillance camera monitoring)
• Information security aspects of Business Continuity Management (encrypted data backups, geo-redundant storage replication)
• SOC I-, SOC II – and ISO-accredited data centers

We apply different security features and measures to ensure customer and business data is always protected and strive to maintain and further improve data security. Our customers can be sure that using our products and services is secure, their information is safe, and their businesses are protected.

Privacy basics

We have updated our processes and reflected this in our Privacy Policy to account for GDPR provisions, make it more transparent and easy to navigate. It also reflects improvements we have made to our security framework.

Data retention

We have company-wide data retention policies that vary depending on your data types and services.  Furthermore, we empower our customers to control the data they share through their accounts. As long as your account is active, you can handle the specific data types you store or transfer through our services. On our side, we will retain your data. At the same time, you or your company remains an active client. This data is necessary to provide you with our services and fulfill the purposes outlined in our privacy policy and subscription agreement. We can also delete your information upon your request.

Vendor audit

We work with trusted vendors to ensure our customers are always protected with best-in-class security.

We’re working through our list of vendors to ensure they are adhering to the GDPR and signing all appropriate Data Processing Agreements with them.

International data transfers

For data transfers with our vendors, we are signing Data Processing Agreements with incorporated EU Commission-approved Standard Contractual Clauses. This ensures that we meet the legal obligations for the transfer of data from the EU to all countries not covered by EU Commission adequacy findings. In addition, we have submitted our self-certification for EU-US Privacy Shield which is under review now. We also offer a Data Processing Agreement to certain EU/EEA-based customers upon request.

International data center

We are aware that part of our customers with EU users or EU affiliates would prefer that their data be hosted in the EU. Currently, we have an EU data center for some of our products and are planning to offer European data storage solutions for all our products in the future. We will update exact timing and data storage solutions as this progresses.

On-premise software option

Suppose your organization has strict security compliance guidelines that require hosting data behind your corporate firewall. In that case, you can choose our option for on-premise software installation under specific customer plans and packages. On-premise software resides on a dedicated server maintained by your organization and puts control over your data in your hands.

Ongoing global process changes

We are continuously working to improve our processes related to customer support, product development, and customer data protection. Much of this will be in the format of internal documentation, training, and processes as required by the GDPR. Though preparing for the GDPR, we make all our process changes and improvements globally, which should apply to all the customers in all jurisdictions.