What is GDPR?
The new EU General Data Protection Regulation (GDPR) came into force on 25 May 2018 (including in the UK regardless of its decision to leave the EU) and will impact every organisation which holds or processes personal data. It will introduce new responsibilities, including the need to demonstrate compliance, more stringent enforcement and substantially increased penalties than the current Data Protection Act (DPA) which it will supersede.
How is Claritum preparing for it?
Claritum is committed to high standards of information security, privacy and transparency. We place a high priority on protecting and managing data in accordance with accepted standards and will comply with applicable GDPR regulations when they take effect in 2018, as a data processor, while also working closely with our customers and partners to meet contractual obligations for our procedures, products and services.
The company has two main areas of focus in preparing for GDPR overseen by an internal cross-functional team:
- Building on existing security and business continuity management systems and certifications (including ISO 9001) to ensure our own compliance.
- Product programmes to support compliance for users of our software applications including solutions to streamline the process and drive greater efficiency.
It is important to recognise that compliance is a shared responsibility and all organisations will need to adapt business processes and data management practices.
Compliance
Claritum already has robust information security policies and procedures but policies such as Incident Response Plans and Backup Data Retention will be reviewed and updated.
Compliance will also be supported by a review of existing contracts with data controllers, the use of sub-contractors and any data export arrangements.
Contract Update
A new addendum to your current contract is being prepared and Customer Services will be contacting you to get this approved and in place.
This addendum covers the rights and responsibilities on both sides, as you, the ‘data controller’ and Claritum, the ‘data processor’ under the terms of the GDPR.
ISO 9001
As with all compliance programmes, clear documentation of and consistent adherence to the policies is key and so Claritum is working towards ISO 9001 compliance. More information about this will be available over the coming months.
Data Protection Officer
Even though (technically) Claritum are not required to do so under the terms of the GDPR, Claritum have appointed a Data Protection Officer (‘DPO’) whose task is to inform, advise and monitor compliance. The company will implement tools as appropriate that support the process, providing necessary security and ongoing delivery of objectives.
Claritum Application Development
Claritum’s software development methodologies ensure that the security and integrity of the software and platform is maintained at all times. Within our GDPR programme, Claritum continue to review and update these procedures as necessary.
Claritum are committed to continually develop and maintain the application, adding value and providing efficiencies to help your business grow. Along that journey and as we identify them, we will also be including improvements to the platform to assist you (the data controller) in fulfilling potential GDPR compliance requests from you customers.
These efficiency improvements will be announced along with other release notices in the usual way.
Personal Data Mapping - data Subjects and Elements
As a Data Processor we manage the following personal data in Claritum on behalf of our Customers
| Data Subject | Personal Data Element |
|---|
Supplier User | · Name and Surname · Email · Phone Details · External ID · Place of Work |
Customer User | · Name and Surname · Email Address · Phone Details · Fax · Cost Centre · Physical Address · External ID · Gender · Place of Work · Image · Banking Details |
Service Manager | · Name and Surname · Email Address · Phone Details · Place of Work · External ID · Banking Details |
Additionally, we have prepared a ‘map’ of all the places in the system that potentially ‘personally-identifiable’ information may come into the Claritum system. This map also details which types of users may access the data and to what extent (viewing/reading, updating, both).
This data ‘map’ can be found
hereWhere is Claritum Data stored?
The Claritum system runs on Rackspace Public Cloud. UK and European customers are hosted in their London (UK) region.
The data centers meet the following standards:
Systems and Personal Data we share to support our Customers
As a Data Controller we securely store your information in other applications allowing us to support you and your organisation on a daily basis.
| Data Processor | Data Subject | Category | Personal Data Elements | Purpose |
|---|
Atlassian https://www.atlassian.com/trust/security https://www.atlassian.com/gdpr | Service Manager | Support Portal | - Name and Surname
- Email Address
| Manages support tickets |
Aha! https://www.aha.io/legal/security | Service Manager | Ideas Portal | - Name and Surname
- Email Address
| Manages improvement requests, new features and functionality requests |
HubSpot https://www.hubspot.com/data-privacy/gdpr | Marketing Contacts Sales Contacts Service Manager | CRM and Marketing | - Name and Surname
- Email Address
- Company Address Information
- Phone Number
- Title
| Marketing and customer relationship management tool |
Act-On https://www.act-on.com/privacy-policy/ | Service Manager | Emailing | - Name and Surname
- Email Address
- Company Name
- Title
| Align inbound and outbound marketing campaigns across the customer lifecycle. We use it for communicating important changes at Claritum, system upgrades, new product releases, scheduled software releases |