Digitell’s GDPR Plan
In January 2018, Digitell began receiving requests from clients asking how Digitell would respond to the General Data Protection Regulation (GDPR), the new European Union privacy regulation that takes effect on May 25th, 2018 and governs the personal data of individuals in the European Union. Digitell's leadership team and directors investigated the GDPR and how it would affect the services, platforms, and processes we use to serve our clients. After a week of research, we produced the following GDPR plan, which is still evolving as we move closer to the May 25th, 2018 deadline.
On January 12, 2018, Digitell reached out to a consulting firm specializing in helping associations become GDPR compliant. After our initial call with the consultant, the firm was contracted to help Digitell move forward with a plan to become GDPR compliant.
- Gap Analysis – We worked with the consulting firm to do a gap analysis and determine where Digitell’s platform and processes were not GDPR compliant.
- Digitell evaluated the gap analysis and came up with the following GDPR plan:
Digitell’s Role as a Data Processor
Under the GDPR, Digitell, as the platform vendor, is the data processor, and the Association or Organization that has licensed the OPUS DX platform is the data controller. As the data processor, Digitell processes a user's data only on the instructions of our clients and only to provide the services to our clients and their users under the active contract with that client.
- Digitell will keep user data secure by implementing appropriate technical and organizational security measures, as the GDPR requires of data processors.
- Digitell will provide the necessary functionality within its platforms so that Digitell, as well as our clients, can meet the GDPR requirements regarding:
  - A data subject's right of access to their data and to data portability
  - A data subject's right to rectification (data accuracy)
  - A data subject's right to erasure (the "right to be forgotten")
  - Sufficient opt-in/opt-out functionality so that each user can control how their data is used; for example, allowing a user to opt out of marketing emails that the data controller would otherwise send because the user accessed the OPUS DX application
- Digitell will process user data only as necessary to deliver the services Digitell provides under contract with a client, or as specifically instructed by that client.
- At the end of a contract between Digitell and a client (the data controller), Digitell will remove all data pertaining to that client's users from our systems. Where the client requests it and it is feasible, Digitell will first deliver the data to the client. The exception is data that must be retained for legal reasons, such as tax or accreditation records, which is kept only for as long as that obligation applies.
- Digitell will provide secure mechanisms and workflows for transferring personally identifiable information between Digitell and the client. Sending a registration list or a report containing personally identifiable data as an unencrypted spreadsheet attachment over ordinary email does not provide the level of protection the GDPR requires, and Digitell will not use plain email for such transfers.
- As a data processor, Digitell will notify our client (the data controller) without undue delay after becoming aware of a personal data breach, meaning a breach of security leading to the accidental or unlawful destruction, loss, alteration, unauthorized disclosure of, or access to, personal data of that client's users, so that the controller can meet its own notification deadlines.
- Digitell will work with all clients to amend current contracts, and to ensure that new contracts contain clauses that clearly define the relationship between Digitell (the data processor) and our clients (the data controllers) with regard to data privacy in general and data privacy under the GDPR in particular.
- Digitell will put training procedures in place to educate Digitell employees on the importance of data privacy, on how to handle data lawfully and protect the data of end users, and on how to comply with the GDPR.
- Digitell will perform, at a minimum, an annual review and audit of its policies and procedures to ensure that we remain GDPR compliant.