General Data Protection Regulation
Strong relationships with our customers and partners are essential. A critical part of these relationships is establishing trust and confidence, which is why privacy has always been a priority for us. The General Data Protection Regulation (GDPR), which has applied since 25 May 2018, changed a great deal for data privacy in the EU.
FluentPro evaluated the GDPR requirements against our existing security and data privacy practices to ensure compliance with the new regulation. To prepare for GDPR, we undertook research and made changes, both small and large. These include:
- Documenting and maintaining internal Information Security Policy that addresses various aspects of organizational and technical controls;
- Training employees on security and privacy practices, embedding Information Security Awareness training into an onboarding process, and signing NDAs with all employees;
- Providing data transfer mechanisms that give a lawful basis for transfers of personal data outside of the European Economic Area;
- Providing all customers with a Data Processing Agreement (DPA) on request (please request our DPA by contacting us at firstname.lastname@example.org);
- Enhancing data security measures to address requirements on data segregation, data retention, data encryption mechanisms, etc.;
- Providing configurable privacy and compliance features to our customers.
At FluentPro we understand that it is important not only for us to be compliant with GDPR as a data processor, but also for our customers to be able to use our services as data controllers and meet their own internal compliance requirements. This is why we also continuously monitor the guidance and changes that EU supervisory authorities issue on the subject and look for ways to address them, so that our compliance and privacy program remains up to date.
What is GDPR?
The GDPR (General Data Protection Regulation) is an EU Regulation that replaced the 1995 EU Data Protection Directive (Directive 95/46/EC) to significantly enhance the protection of the personal data of individuals in the EU and to increase the obligations on organizations that collect or process personal data. It has applied since 25 May 2018. The regulation builds on many of the 1995 Directive's requirements for data privacy and security, but adds several new provisions that strengthen the rights of data subjects and introduces more severe penalties for violations.
Why is GDPR important?
GDPR affects any business that processes the personal data of individuals in the EU, regardless of whether the business itself is based in the EU. GDPR requires businesses to give individuals greater visibility into, and control over, the data they provide to those businesses.
The aim of the GDPR is to modernize older privacy laws so that the protection of personal data remains a fundamental right for individuals in the EU. Significant fines of up to €20,000,000 or 4% of global annual turnover, whichever is greater, may be levied on organizations that fail to meet their obligations when handling personal data under the GDPR.
What is FluentPro's role under GDPR?
At FluentPro, we create software products and support companies that use Microsoft Project Server 2010/2013/2016 and Microsoft Project Online. Microsoft Project Server / SharePoint adoption requires support and services; we help our customers with Consulting, Planning, Implementation, Administration, Deployments, Business Intelligence, Report Development, and Custom Software Development.
FluentPro acts as a data processor as defined under the GDPR. When customers use our products and services to process EU personal data, we act as a data processor, since we process personal information on behalf of, and in accordance with the instructions of, our Subscribers. For example, we are a processor of the personal data of end users, employees, or contractors of our Subscribers, and of any other information that is uploaded into or transferred through our products. We may also process customer contact information in order to respond to emails or other requests and to provide timely customer support; this information may include the customer's name, address, email address, and other contact details. Note that where FluentPro collects such information directly for its own purposes, for example when you complete our online forms or register and create a profile on our sites, FluentPro determines the purposes of that processing and therefore acts as a data controller for that information.
How FluentPro prepared for GDPR
To prepare for GDPR, we undertook research and made changes, both small and large. You can read about those changes below. We also continuously monitor the guidance and changes that EU supervisory authorities issue on the subject and look for ways to address them, so that our compliance and privacy program remains up to date.
At FluentPro we have thoroughly evaluated the GDPR requirements and implemented numerous privacy and security practices to ensure our compliance as a data processor. These include:
- Providing data transfer mechanisms to legalize transfers of personal data outside of the European Economic Area (please refer to Cross-Border Data Transfers section for more details)
- Providing configurable privacy and compliance features to our customers.
More details on the practices mentioned above are given later in this paper.
FluentPro continues to make data security our priority and below are some details on specific security measures related to GDPR that we have in place:
- FluentPro services and all customer data are hosted in SOC 1-, SOC 2- and ISO-certified data centers
- Access control (authentication and authorization, role-based access control models)
- Single sign-on support
- Two-factor authentication for server access
- Strong data encryption in transit and at rest (FIPS 140-2 approved encryption algorithms)
- Data segregation
- Continuous network and security monitoring
- Remote working via a corporate VPN only
- Vulnerability management on a monthly cycle
- Internal physical security (keycard access and biometrics, surveillance camera monitoring)
For more details on our security measures please feel free to contact us.
The core of our privacy program is that FluentPro employees and contractors (hereinafter "employees") do not access, use, disclose, or transfer customer data unless doing so is in accordance with a contractual agreement or at the direction of the customer. Access to production systems and customer data is restricted to appropriate personnel. We use a combination of technical and logical controls to limit and audit the personnel who access systems holding customer data. Personnel access is granted based on roles, the principle of least privilege, and multifactor authentication. FluentPro employees who may require access to unencrypted customer data as part of their job (such as the Customer Care team) receive additional training on how to handle customer data.
On the application level, customers of FluentPro services have control over their data. As a customer, you can decide which data to upload or enter into the system and who from your team should have access to the data. We usually offer a set of permissions that our customers can configure on their side to manage and control their users’ access to the application.
The GDPR introduces notification rules for personal data breaches, that is, security incidents that lead to the loss, destruction, alteration, or unauthorized disclosure of, or access to, personal data. Under the GDPR a data controller must notify the competent supervisory authority within 72 hours of becoming aware of a breach, and a processor must notify the controller without undue delay. At FluentPro we have a formal internal incident response plan in place that aligns with these requirements: it aims to notify affected customers within 72 hours of discovering a breach so that they can meet their own notification deadlines.
Cross-Border Data Transfers
Strict data protection rules govern the transfer of personal data from the European Economic Area (EEA) to third countries such as the United States.
Following the invalidation of the EU-U.S. Privacy Shield Framework as a transfer mechanism, FluentPro has incorporated the European Commission's approved standard contractual clauses, also referred to as the "Model Contract," into our Data Processing Agreement. The Model Contract is a contractual mechanism that provides the appropriate safeguards required by the GDPR for the transfer of personal data from the EEA to a third country that is not covered by an adequacy decision.
The GDPR (Article 28) also requires that the data controller (the customer) and the data processor (FluentPro) enter into a written contract documenting that the data processor has appropriate technical and organizational measures in place to protect personal data against threats that include unauthorized access, disclosure, use and processing of personal data, or other unlawful forms of processing. This requirement is also fulfilled through the signing of FluentPro's DPA.
Customers that transfer data across multiple jurisdictions can request our DPA by contacting us at email@example.com. We sign the agreement with any of our customers upon request.
Ongoing process changes
We are continuously working to improve our processes related to customer support, product development, and customer data protection. Much of this work takes the form of internal documentation, training, and processes, as required by GDPR.
This document is for informational purposes only. Please note that FluentPro does not make any express or implied warranties in this paper. If you need more information on FluentPro's organizational and data security controls for meeting GDPR requirements, please contact us at firstname.lastname@example.org for additional details.