GDPR & EU Data Protection

We value your trust and work hard to protect your information

<h2>Summary</h2><p>When you use our services you entrust us with your valuable information. We have made it a priority to protect your data and to provide you with choices about controlling it. We understand that companies in the EU have particular concerns about how we use and protect your data, so we put this page together as a guide to answer some of the most common questions you may have.</p><h3>What is GDPR?</h3><p>By May 25th, 2018, any organisation that processes personal data of EU citizens needs to be compliant with GDPR. The GDPR (General Data Protection Regulation) replaces the Data Protection Directive 95/46/EC, incorporated in UK law by the Data Protection Act 1998 (DPA). The GDPR is not new legislation and retains the core rules and principles of the Data Protection Directive, but it is an overhaul of existing European Commission data protection legislation.</p><p>The aim of the GDPR is to unify the existing data protection laws to strengthen the security and protection of personal data in the EU. EU citizens are given new rights that profoundly impact the way IT departments are allowed to process and control personal data, giving individuals back control of their personal information. Effectively, the GDPR gives more rights to the individual over their own personal data. Therefore, as a data processor (somebody who has access to that data), you must be aware of the rights of the individual and how to ensure the protective measures are in place.</p><h3>Does GDPR require that my information be stored in the EU?</h3><p><strong>No</strong>. There is a common misunderstanding that the GDPR requires all data to be stored within the EU, but this is not the case.
Rather, the GDPR prevents data from being transferred outside of the EEA without adequate protection, so organisations dealing with the personal data of EU citizens must comply with EU privacy laws.</p><h3>Who does GDPR apply to?</h3><p>The GDPR applies to any individual or organisation doing business within the EU. As it commences on May 25th, 2018, EU individuals &amp; organisations must ensure compliance with the updated legislation by then.</p><h3>Will Practice Ignition be GDPR compliant?</h3><p><strong>Yes</strong>. We can confirm that Practice Ignition will be GDPR compliant when it becomes enforceable on May 25th, 2018.</p><h3>What has Practice Ignition done to comply with GDPR?</h3><p>Our compliance, data protection, and information security teams all worked to prepare our services for GDPR. We reviewed our data processing activities and made any changes that were needed in advance of the GDPR effective date. We have updated our <a href="">Privacy Policy</a>, which provides more detail about what information we capture and for what purposes.</p><h3>Access to your Information (DSR requests)</h3><p>As of now our intention is to service DSR requests (such as delete and export) manually. If you have an account with us, you may access, correct, or request that we delete your personal data by contacting us at [email protected]. This request can include personal data of other individuals, such as your customers, that you have provided to us and who have requested this of you. We will respond to these requests in less than 30 days, as required under GDPR.</p><h3>Security and data center location</h3><p>Practice Ignition's primary data and servers are hosted at <a href="">Heroku</a>'s data center, which uses Amazon Web Services (AWS).
We currently don't have plans to add servers or a point of presence (POP) in the EU (GDPR does <b>not</b> require physical servers in the EU).</p><p>The data center is SOC 1 and SOC 2/SSAE 16/ISAE 3402 accredited and includes keycard protocols, biometric scanning protocols and round-the-clock surveillance. We provide multiple levels of backups and redundancy to ensure uptime and peace of mind.</p><p>We use technical and physical controls designed to prevent unauthorized access to your personal data. We restrict access to personal data to only those employees, contractors and agents who need to know this information in order to operate, develop or improve our service. These individuals are bound by confidentiality obligations and may be subject to discipline, including termination and criminal prosecution, if they fail to meet these obligations.</p><p>For even more detailed information about our security practices, you can review <a href="">our security page</a>.</p><h3>We are here for you</h3><p>We are working with our customers to answer any questions and address any concerns regarding how we protect their personal data and how we are gearing up for GDPR. If you have any questions, please don't hesitate to contact us at <a href="mailto:[email protected]">[email protected]</a>.</p><h2>What do I need to do?</h2><p>Your engagement letters need to be updated to include new clauses for the replaced legislation, specifically clauses that refer to the Data Protection Act 1998. As always, we recommend you consult your lawyer for specific changes.
A sample set of Data Protection clauses can be found below:</p><p><strong>Data Protection</strong></p><ol><li>For the purpose of this clause Data Protection Legislation shall mean (i) unless and until the GDPR is no longer directly applicable in the UK, the General Data Protection Regulation ((EU) 2016/679) and any national implementing laws, regulations and secondary legislation, as amended or updated from time to time, in the UK and then (ii) any successor legislation to the GDPR or the Data Protection Act 1998.</li><li>We may obtain, use, process and disclose personal data provided by you in order that we may discharge the services agreed under this engagement letter, and for other related purposes including updating and enhancing client records, analysis for management purposes and statutory returns, crime prevention and legal and regulatory compliance.</li><li>We confirm that when processing data on your behalf we will comply with the provisions of the Data Protection Legislation.</li><li>We will only process personal data in accordance with the Data Protection Schedule attached to this letter of engagement and not otherwise, unless alternative processing instructions are agreed between us in writing or where otherwise required by applicable law. In such circumstances we shall inform you of that legal requirement before processing, unless applicable law prevents us from doing so on important grounds of public interest.</li><li>If we believe any instruction received from you in relation to the processing of personal data is likely to infringe the Data Protection Legislation we shall promptly inform you and be entitled to cease to provide the relevant service until we have agreed appropriate amended instructions which are not infringing.
</li><li>Taking into account the state of technical development and the nature of processing, we shall implement and maintain the technical and organisational measures to protect the personal data against accidental, unauthorised or unlawful destruction, loss, alteration, disclosure or access.</li><li>We shall: <ol><li>not permit any processing of personal data by any agent, subcontractor or other third party without your prior written consent; </li><li>notify you without undue delay and in writing on becoming aware of any personal data breach in respect of any personal data held by us; and </li><li>assist you at your cost in responding to any request from a data subject.</li></ol></li><li>In some circumstances we may need to transfer personal data outside of the EEA in order to provide the services to you. If this is the case we shall ensure that such transfer (and any onward transfer): <ol><li>is pursuant to a written contract, including equivalent obligations on the processor in respect of the personal data as apply to us; </li><li>is effected by way of Appropriate Safeguards; and </li><li>otherwise complies with Data Protection Legislation. For the purposes of this clause "Appropriate Safeguards" means such legally enforceable mechanism(s) for transfers of personal data as may be permitted under Data Protection Legislation from time to time.</li></ol></li><li>You will ensure that you have all the necessary appropriate consents and notices in place to enable lawful transfer of any personal data to us for the duration and purposes of us providing the services to you. You will comply with your obligations under the Data Protection Legislation.</li><li>You are responsible for keeping your personal login details secure; we encourage the use of strong passwords and multi-factor authentication. We will not be responsible for any data breach resulting from unauthorised access of your login details.</li></ol>