General Data Protection Regulation (GDPR) is a European privacy law that becomes enforceable on May 25, 2018. The GDPR regulates, among other things, how individuals and organizations may obtain, use, store, and delete personal data, which will have a significant impact on businesses around the world. Organizations in breach of GDPR can be fined up to a maximum of 4% of annual global turnover or €20 million (whichever is greater).
Adopted by the European Parliament and Council in 2016, the GDPR replaces the existing European Union privacy directive, Directive 95/46/EC, with an EU-wide, directly binding regulation. The aim of the GDPR is to protect individuals in the EU from privacy violations and data breaches in an increasingly data-driven world and to set a new standard in global privacy rights and compliance.
What does GDPR change?
GDPR means significant changes to how Billy treats your data. In general, it’s a great opportunity for all SaaS companies to take stock of their current data processing activities and make sure they’re protecting customer data appropriately.
Organisations must implement technical and organisational measures that demonstrate data protection has been built into their data processing activities. This reflects the principle of privacy by design: privacy is considered throughout the system and product design process, from the start to the end.
User Rights Upgraded
GDPR introduces new data protection rights for individuals, such as the right to data portability (to obtain and reuse personal data across different services), the right to object to profiling, the right to rectification and the right to erasure.
GDPR requires companies to document and demonstrate exactly how they comply with data protection law. This means keeping additional documentation of systems, processes, and procedures at the ready.
What is Billy doing about GDPR?
We take our responsibilities under GDPR seriously. That’s why we’ve embarked on a program to identify which measures we need to implement to be compliant with GDPR, and are working to implement them in time for May this year. Here is a quick summary of what we’ve done to date:
- We conducted a comprehensive GDPR audit. Following the assessment, we created an internal roadmap to work towards compliance with GDPR by 25 May 2018
- We have assigned a Data Protection Officer to oversee compliance and enforcement of all new policies
- We’re engaging with developers to consider and make the necessary changes/improvements to Billy
- We’re reviewing our key third-party vendor arrangements to make sure they have the appropriate protections in place to satisfy GDPR requirements
- We’re refining procedures for key data subject rights, such as subject access requests and deletion requests, as part of creating our Data Processing Addendum, Data Breach Plan and other procedural documentation
- We are not in the process of joining Privacy Shield, the EU-US framework under which US organisations self-certify to a set of privacy principles so that personal data may be transferred to them from the EU
Frequently Asked Questions
Will Billy be storing customer data in the EU?
Billy has no plans to store data in the EU, and GDPR does not require this. Instead, GDPR requires companies to implement appropriate safeguards when they export personal data out of the EU.
Billy complies with EU data export restrictions when it transfers data outside the EU, and will complete a full audit of the data export mechanisms it has in place before May 2018.
Where does Billy store user data?
Just like many SaaS providers, we use a top-tier, third-party cloud infrastructure provider (Amazon Web Services), with servers located in the U.S., to host our software services. For more information about AWS’s compliance with the GDPR, see https://aws.amazon.com/compliance/gdpr-center/.
How does Billy comply with EU data export restrictions?
When we process EU customer data in other territories, such as the United States of America, we ensure the “appropriate safeguards” prescribed by GDPR are in place: either by entering into the European Commission’s Standard Contractual Clauses with the entity the data is transferred to, or, for transfers to US-based entities, by confirming that the entity is Privacy Shield certified.