On May 25, 2018, the EU General Data Protection Regulation (GDPR) goes into effect. The purpose of this new regulation is to strengthen even further the protection of EU residents’ personal data, and increase the accountability of organizations that collect and handle that data. At ServiceRocket, we have been working hard on educating our employees on the new requirements, and updating our processes to make it easy for our EU residents to access, erase and ask questions about the personal data we may hold about them. In addition, we’ve been working to understand how we can help our enterprise customers comply with this regulation when using our products.
GDPR and role definitions
One of our core values at ServiceRocket is Delight the Customer, and we take our customers’ data privacy and security very seriously. By May 25th and beyond, our highest priority is to enable easier compliance with GDPR across all ServiceRocket products.
Under GDPR, there are two main roles when it comes to how a company interacts with user data -- they are defined as either data controller or data processor. You are considered a data controller if you’re collecting personal data for your company’s use. ServiceRocket is considered a data processor because we process personal data on behalf of you, our customer. As we work toward our compliance as a data processor, we’re also here to help you with your compliance needs.
GDPR and compliance processes
While each of you has the responsibility to define your own internal practices to be compliant with GDPR, ServiceRocket will help you as the data controllers in the following key areas:
- Right to erasure: Your users can request that their data, stored by ServiceRocket, is anonymised at any time. You have the responsibility to put the process in place to collect requests for data erasure from your users. You will then pass that request over to us by sending an email to firstname.lastname@example.org and we will take the necessary action to ensure the person’s data is anonymized in our systems. We will retain a non-anonymized backup of the data for one week. Restoration of the data may be subject to reasonable costs, and any consequential data loss.
- Consent to data capture: When your users sign in to our subscription products, they’ll confirm that they consent to their information being collected. If they do not consent, they will not be able to sign in.
- Data security: Our team is constantly working on enhancing our products’ security and privacy features. However, if we have a reason to believe your data may have been compromised, we will notify you promptly so you can inform your users, per GDPR requirements.
Please, note that in cases where we have implemented integrations for our customers, the personal data being stored in these solutions will be the responsibility of the customer as the data controller, and we will act merely as a conduit in such circumstances.
We suggest you consult your own legal counsel if you have further questions about GDPR requirements for your organization. If you have specific questions about your compliance needs around data management, we’re happy to help.
Feel free to email email@example.com at any time.