The General Data Protection Regulation (GDPR) brings wide-ranging changes to the way personal data is managed within Europe. It comes into effect on 25th May 2018 and replaces the 1995 Data Protection Directive. The GDPR grants individuals more rights over data relating to them and places greater obligations on data controllers and processors in their handling of personal data. It also seeks to simplify the international business environment by aligning data protection law across Europe.
Asset Bank is committed to GDPR compliance. We are also committed to supporting our customers with their compliance journey by ensuring appropriate security and privacy considerations are built into our services and contracts.
Our commitment to GDPR
Our organisation-wide GDPR compliance programme is well underway. As a processor of our customers' data, we are focused on implementing the appropriate technical and organisational measures to ensure that our processing meets the requirements of the GDPR. This includes engaging data protection experts to help us update our internal policies and practices, as well as developing the information we provide to customers.
We have included below the information we have available so far to support you in your compliance activities.
As our programme progresses and as further guidance is released, we will publish additional information to support our customers in getting ready for the GDPR.
Data processing agreement
Our Data Processing Agreement (DPA) sets out our commitments to the security and privacy of our customers' data in line with the GDPR. It reflects the contractual requirements the GDPR places on processors (Article 28), including our commitments to:
- only process your data in line with your instructions
- maintain the confidentiality of your data and ensure sufficient staff training on data protection
- ensure appropriate security of, and access to, your data
- provide relevant data retention and deletion policies
- assist controllers in responding to data subject rights requests and in notifying personal data breaches
- utilise sub-processors and international data transfers in a compliant manner
Our DPA is currently available on request if you need it to understand our approach as part of your compliance programme.
We will be making the DPA available to all customers in the near future and allowing customers to sign up to it. Existing customers will be able to sign up to the DPA as a supplementary agreement to their current terms with us. For new customers, the agreement will be incorporated into our standard terms of business.
Once a customer has signed up to the agreement, it will take effect from 25th May 2018, when the GDPR comes into effect.
Asset Bank uses a small number of sub-processors to support the delivery of our services. Each sub-processor has been assessed for its ability to provide appropriately secure services, and each provides its own assurances and policies and has entered into a Data Processing Agreement with us.
We are also monitoring the ongoing compliance work of our providers and adjusting our own processes to make the most of any additional privacy options available.
Our current list of sub-processors is:

| Sub-processor | Purpose | Location |
|---|---|---|
| Amazon Web Services Inc | Hosting services for our Shared and Dedicated hosted Asset Banks | USA, with our servers located in the EU, USA and AUS |
| Zendesk Inc | Helpdesk support platform | USA |
| Google Inc | Email and administrative support applications | USA |
This list will be kept up to date with any changes to our sub-processors. You can sign up to receive email notifications of any proposed changes by e-mailing email@example.com.
International data transfer
For customers using our Shared or Dedicated hosting services, the data in Asset Bank is hosted by Amazon Web Services (AWS). Customers can select the region in which their Asset Bank is hosted, choosing between the EU, USA and AUS data centres. This allows EU customers to keep their Asset Bank data hosted within the EU.
Additionally, the GDPR provides several mechanisms for transferring personal data outside the EU. This is relevant to the processing of personal data that may occur, at our customers' request, for support and consultancy purposes. The purpose of these mechanisms is to allow international data transfers to continue while ensuring appropriate controls are in place when data leaves the EU.
Where appropriate, the EU-U.S. Privacy Shield, Binding Corporate Rules and the European Commission-approved Standard Contractual Clauses are mechanisms by which organisations can transfer data outside the EU in a GDPR-compliant manner.
All of our sub-processors commit to using these mechanisms, as appropriate, to ensure the controlled transfer of data outside the EU. Additionally, all of our providers make strong commitments to restrict access to the data stored with them.
Asset Bank privacy features
Asset Bank itself has several features that support our customers' compliance, including:
- Role-Based Access Controls - maintain appropriate controls of personal data and assets
- Approval Workflow - further control of data upload and access
- Managing users - including flexible user data fields and user expiry functions
- Asset lifecycle management - automatically control the visibility of your assets
- Reporting - to keep track of how Asset Bank is being used, and by whom
- OAuth 2.0 login options - for secure API access
- Password-protected lightboxes - share content securely with people outside Asset Bank
- Secure cloud hosting with Amazon Web Services - by May 2018 our hosted services will include encryption of all user details and of the assets themselves
For more information on each of these features and how they can help you control the privacy of your users and assets, see the linked article for that feature.