On May 25th, 2018 a new privacy law, the General Data Protection Regulation (GDPR), goes into effect across the European Union (EU). Any organization that does business in the EU is required to comply with it. As a company that not only does business in the EU but has a major office in the EU, Base is committed to becoming fully GDPR compliant by the May 2018 deadline.
What is the GDPR?
The General Data Protection Regulation (“GDPR”) is a new European privacy regulation that aims to strengthen the security and protection of personal data in the EU and unify EU data protection law.
GDPR improves business practices, ensures that employees and customers are informed about, and given choices regarding, the information collected and kept about them, and makes conforming businesses better businesses.
To whom does the GDPR apply?
All organizations established in the EU that process the personal data of EU residents are required to adhere to GDPR. The regulation also reaches organizations outside the EU that offer goods or services to, or monitor the behaviour of, individuals in the EU.
What are Personal Identifiable Data?
Personal Identifiable Data (personal data, in the regulation's own wording) is any information that identifies, describes, or relates to an identified or identifiable individual.
What implications does GDPR have for organizations processing the personal data of EU residents?
GDPR has been designed to create consistency in how personal data may be processed, used or exchanged securely. To comply with GDPR, organizations need to implement and regularly review policies and procedures, as well as the technical and organizational measures that ensure the security of the data being processed.
Base as the Data Processor
As a Base Customer, you use the Base platform to store data about your Customers. You are therefore considered the Data Controller of your Customers' personal data, and Base is the Data Processor acting on your behalf. As the Data Controller, you bear the primary responsibility for ensuring that your processing of personal data complies with the relevant EU data protection law.
We also provide a Data Processing Agreement to our Customers, which reflects the parties' agreement with regard to the Processing of Personal Data of the Customer, in accordance with the requirements of Data Protection Laws.
Base as the Data Controller
Base acts as the Data Controller for the personal data we collect about our Customers.
How has Base been preparing for the GDPR?
As a company that not only does business in the EU but has a major office in the EU, Base is fully committed to GDPR. Over the past months we have taken many steps to ensure our readiness to comply with GDPR:
Cooperation with TrustArc
To ensure we're GDPR-ready by May 25th, we engaged the technology compliance and security company TrustArc for consultancy and expertise in all GDPR areas.
Over the course of that cooperation we gathered information, analyzed it in the light of GDPR, and introduced the changes and processes that TrustArc recommended.
Internal processes and data security
We worked with all departments to inventory the personal data we collect, to ensure it is handled properly, and to confirm that we meet our obligations as a company. This resulted in several new internal processes aimed at securing our customers' data.
Readiness for GDPR-related requests from our Customers
In our role as a Data Processor, we have prepared our systems to support our customers in their efforts to comply with GDPR as Controllers, for example in responding to data subject requests. This FAQ will be routinely updated with frequently asked questions.
If you have any questions in regard to our support in handling those requests, please reach out to [email protected]
We have updated the Base Data Processing Agreement, an amendment to the Contract with our Customers, so that it reflects the parties' agreement with regard to the Processing of Personal Data of the Customer, in accordance with the requirements of Data Protection Laws.
To request a signed DPA please download the agreement here and send the completed document to [email protected] to be countersigned.
We have conducted several training sessions for the Base team to prepare our staff and ensure adoption of the processes focused on data security. Apart from global team training and resources available to everyone in the team, each department receives custom training on the processes that involve handling personal data.