GDPR Guidance from PowerObjects
In May of 2018, the European Union’s (EU) data privacy and protection rules will receive the most significant review in the last twenty years. Since the current laws were created in the nineties, the digital world has evolved drastically. The amount of data and information that we generate as individuals, and capture and store as businesses, has grown, resulting in old regulatory framework that no longer fits. The GDPR introduces a new regulatory regime that has a broader definition of personal data, greater territorial reach worldwide, and higher stakes for non-compliance.
At PowerObjects, we want to help our customers follow GDPR regulations when using our products and services. Outlined below, we cover the fundamentals of GDPR, how PowerObjects is preparing for the impact, and how you can prepare.
What is GDPR?
GDPR stands for General Data Protection Regulation; it is a new EU regulation coming into effect on the 25th May 2018. GDPR replaces the 1995 EU Data Protection Directive. As opposed to EU Directives, which are implemented individually by each member state, EU Regulations apply at once in all member states. However, the impact of this new law reaches far beyond EU borders.
GDPR introduces a series of new measures aimed to offer improved data privacy and protection for all European Union residents. This has far-reaching implications as it affects not only EU organizations, but also organizations from other countries that collect or process data from EU residents. It also imposes severe penalties for breaches and non-compliance of up to €20M or 4% of global annual turnover.
GDPR also addresses the transfer of personal data from the EU to third-party countries, like the United States. The provisions on cross-border data sharing do not radically change from the regulations previously in place under data protection directives. GDPR does not contain any specific requirement to enforce that personal data of EU residents should reside in an EU member state. However, it includes conditions that must be met before this transfer can occur, including adequacy of data protection measures.
GDPR has six fundamental principles related to Personal Data:
- It should be processed lawfully, fairly, and transparently.
- It should be collected for specified, explicit, and legitimate business purposes.
- It should be adequate, relevant, and limited to what is necessary.
- It should be accurate and, where necessary, kept up to date.
- It should be retained only for as long as necessary.
- It should be processed appropriately to maintain security.
GDPR Key Definitions
These are the essential definitions that GDPR introduces for various aspects of data protection.
- Controller: Person or organization that decides the purpose and means of processing personal data.
- Processor: Person or organization which processes personal data on behalf of the controller.
- Consent: The agreement to process data from the data subject. It must be freely given, specific, informed, and an unambiguous indication of the data subject by a statement or by explicit affirmative action.
- Personal Data: Any information relating to an identified, or more importantly identifiable, natural person. Thus, any data that can be used to determine the identity of a person can be considered personal data. e.g. IP addresses and online identifiers.
- Processing: Any operations, whether automated or not, performed on personal data sets.
What is PowerObjects' role in your organization's GDPR compliance?
When you use our PowerPacks, PowerObjects acts as a Data Processor for you, and will be required to meet all the requirements imposed on data processors under the new regulation. Your organization will be considered the data controller under the new law, and it is your organization’s responsibility to handle compliance with GDPR.
PowerObjects is also considered a data controller for our customer’s data, and we will ensure our own data processing complies with the requirements to give you the best possible experience as we stand by our core values of ‘doing the right thing’ and ‘living the technology’.
What are PowerObjects' responsibilities under GDPR?
As a Data Processor, our primary responsibilities are to ensure that we have in place policies and practices that conform to the GDPR requirements and that our PowerPacks are compliant with GDPR. This includes security measures, which we already have in place, as well as procedures and documentation to demonstrate compliance with GDPR, and thus support your organization’s compliance.
PowerObjects’ responsibility is to process data as agreed, and take adequate security measures to protect your data.
What PowerPacks are affected by GDPR?
Our PowerPacks are add-on solutions that deliver value by extending the Dynamics 365 platform. Many of them operate directly within the platform and thus do not require any of your customer’s data to be processed by PowerObjects. However, some of our PowerPacks need back-end integration and synchronization to fulfill their function. This information can be quickly found by navigating to the configuration page for each PowerPack add-on imported in your CRM.
PowerPacks that rely on PowerObjects’ Cloud Services:
- PowerChat: Relies on our cloud to set up chat communications with client’s endpoints.
- PowerEmail: Uses our cloud to track email delivery and opens.
- PowerMailChimp: Synchronizes data between Dynamics 365 and MailChimp using our cloud.
- PowerShare: Uses our cloud to track visits to digital assets shared with the tool.
- PowerSMS: Synchronizes data between Dynamics 365 and the SMS provider using our cloud.
- PowerSurveyPlus: Uses our cloud to capture survey responses to record into Dynamics 365.
- PowerWebForm: Uses our cloud to capture form submissions to record into Dynamics 365.
- PowerWebTraffic: Uses our cloud to track visits to websites configured by you.
- PowerZapEvent: Synchronizes data between Dynamics 365 and ZapEvent using our cloud.
- PowerAttachment: Uses our cloud to extract attachments to store in your SharePoint.
- PowerAutoNumber: Uses our cloud to generate the next sequential number.
- PowerGeoLog: Uses our cloud to track Dynamics 365 user logins.
How does PowerObjects handle cross-border sharing and data jurisdictions?
The only cross-border data sharing PowerObjects does is for the data sets needed to register a PowerPack. This information is recorded on our own US-based system. We do not perform any cross-border data transfer within our PowerPacks. Whenever you install a PowerPack that does require back-end processing in our PowerPack Cloud, you can decide what region you want your data processing to occur. The current available locations are the United States, Brazil, Europe, and East Asia. We use Microsoft Azure services for our PowerPack Cloud systems ans our Cloud regions correspond to the underlying Microsoft Azure regions.
Please note that some of our PowerPacks provide integration with third-party services. You are responsible for the provision of these third-party services, and our PowerPacks will communicate with them as instructed by you on setup. This could potentially include cross-border data transfers, and you are responsible for ensuring that the third-parties processing your data are also compliant with GDPR. For example, MailChimp has detailed guidance within their Knowledge Base on how they are accomplishing this in relation to the EU-US Privacy Shield agreement.
How we process data in our PowerPacks
Whenever we need back-end processing on our PowerPack Cloud to deliver PowerPack functionality, we use services in the Microsoft Azure platform. This platform offers us a high standard of security and gives added benefits to ensure that appropriate technical security measures are in place to provide the utmost protection for your customer’s data.
Our PowerPack Cloud processing is straightforward. We only synchronize or integrate data with the aim of recording it into your Microsoft Dynamics 365 instance. Therefore, we do not have any of your customer data recorded permanently in our cloud services. We only keep it for as long as required to complete the successful processing, and no longer than 30 days.
In general, we can describe our PowerPack data processing as follows:
- When you install a new PowerPack, we collect registration information including your contact details and your Dynamics 365 organization details – instance name and unique id, number of users, and URL; as well as some other details needed for each specific PowerPack like credentials or API keys. This information is securely transmitted to our PowerPack Registration engine using industry standard TLS encryption. The data then is recorded in our US-based data center and encrypted at rest.
- If the PowerPack needs back-end processing or synchronization as described earlier, you can choose one of our PowerPack Cloud locations that better fit your data jurisdiction requirements. These locations correspond to the Microsoft Azure cloud locations as we use Microsoft Azure Cloud services to provide this infrastructure. We never send your data to different PowerPack cloud locations, so you have total control over where your data resides. Additionally, thanks to the strength of the Microsoft Cloud, we have an additional number of technical security measures to help us protect your data during this processing.
- If the functionality requires integration with third-party APIs – e.g. MailChimp or Twilio – you will provide this configuration during the setup of the solution to enable the PowerPack functionality. We then use that information to send the data as expected to these third-party services to implement the PowerPack. All data transmission between systems is encrypted and follows industry security standards.
- Your customer’s data is only retained in our cloud for up to thirty days while we ensure that it has been successfully stored in your Dynamics 365 instance. After that, we remove the information from our systems. Our PowerPack Cloud does not keep any permanent record for of your customer data.
What is PowerObjects doing to ensure compliance with GDPR?
We are working hard to get everything ready for GDPR compliance, some of the activities you will see happening before May 2018.
- Security: We take security very seriously, we already perform weekly and monthly security scans. We also conduct regular external audits and penetration testing to all our infrastructure.
- Communication: We are reviewing our communication and notification procedures to ensure that they are in full compliance with the GDPR.
- Technical Implementation Details: We are creating some Technical Guides that give further details on how each affected PowerPack process your customer’s information. These guides will be available on demand to our customers.
Where can I find further information about GDPR?
The full text of the GDPR is available here. The European Commission has a helpful website dedicated to the Data Protection topic which covers GDPR and other related issues. We also recommend the Irish Data Protection Commissioner’s GDPR site, and the UK’s Information Commissioner’s Office 12 Steps Guide valuable resources to aid in understanding how to be compliant with GDPR.
As a PowerPack subscriber, you can always reach out to our PowerPack team if you have questions about PowerObjects’ compliance with GDPR or other issues related to data privacy.