What is the GDPR?
The EU General Data Protection Regulation (GDPR) will become effective on 25th May 2018, bringing new global data protections for individuals of the European Union (EU). The GDPR will replace the EU Data Protection Directive and is intended to harmonize data protection laws throughout the EU with a single data protection law.
GDPR applies to all organizations established in the EU and any organizations that process the personal data of EU subjects in connection with offering goods or services in the EU.
How have Interact been preparing for GDPR?
In early 2017, Interact began a full research process into GDPR and how it would affect Interact and our customers. We consulted with internal and external counsel to understand the GDPR legal requirements. Interact has also performed a Data Protection Impact Assessment to determine compliance with security requirements of GDPR.
Throughout 2017, Interact made a number of product changes, policy updates and internal process changes in anticipation of GDPR. Interact are committed to being GDPR compliant when it becomes enforceable in May of 2018.
What is Interact doing?
- Ensuring our products and services are designed in accordance with ISO27001 standards. Our existing standards mirror many of the security and privacy requirements of GDPR. Amazon Web Services (AWS), our hosting partner, is also ISO27001 & SSAE16 compliant.
- Ensuring all Interact employees continue to undertake mandatory data handling training. All Interact employees are required to participate in the training program even if their role doesn’t require them to handle customer data.
- Ensuring our vendors continue to adhere to the same high standards of security and privacy as Interact.
- Maintaining our commitment to no transfers out of the EU for EU customers. Interact does not transfer data out of the customer’s chosen geographical region. Data backups and redundancy sites all remain within the same geographical region.
Is Interact a Data Processor or Data Controller?
Interact operates as both a Data Controller and Data Processor when considering GDPR compliance:
- Interact is a controller in respect of individuals interacting with our business, such as website visitors, customers and prospective customers of Interact.
- Interact is also the processor in respect of our own data and that of our customers whose data we receive from users of our services. In some specific customer agreements, Interact can also be a sub-processor.
What Personal Data does Interact process for its customers?
How does Interact deal with Subject Access Requests (SAR)?
If the Subject Access Request relates to data processed, stored or hosted within our services, Interact will refer the Subject Access Request to our customer – the data controller. Interact will assist with requests made by our customers in relation to such Subject Access Requests.
Subject Access Requests received in relation to Interact’s business will receive a response within 30 days of receipt. Subject Access Requests can be made at firstname.lastname@example.org or in writing to:
4th Floor Station House
As a customer of Interact, what action should we take?
As a customer of Interact, you are a data controller and Interact is acting as a processor for your data. In preparation for GDPR you should consider undertaking the following steps:
- Perform your own research, modelling, vendor audit, and strategy steps at your company to ensure you understand GDPR as it applies to your business.
- Obtain an updated Data Processing Agreement which is available upon request from email@example.com
If you have any questions about GDPR, please contact firstname.lastname@example.org. If you are an employee of an Interact customer, please contact your employer.