GDPR - General Data Protection Regulation

Last Updated: May 15, 2018

Data Protection & Commitment to GDPR

My Gadget Repairs is fully committed to being compliant prior to the date GDPR goes into effect. We promise to safeguard your data.

Empower

Strengthen individuals' rights to the protection of their data

Secure

Keep pace with technology and enhance protection against unwarranted use of personal data

Unify

Harmonize data protection law across the European Union, and apply it to businesses outside the EU that process EU residents' data

The regulation encompasses the steps to be taken in all areas of protecting an individual's privacy: setting up security mechanisms, compliance, the repercussions of a breach and more. Non-compliance beyond the enforcement date is liable to attract heavy penalties.

Committed to protecting our customers' personal data, My Gadget Repairs is here to help customers and end-users understand the significance of the GDPR, its requirements and our commitment to comply with global standards.

Frequently Asked Questions

What is personal data?
Any information relating to an identified or identifiable natural person (the 'data subject'). An identifiable person is one who can be identified, directly or indirectly, in particular by reference to an identifier such as a name, email address or location, and also by online identifiers such as an IP address, cookie identifiers and other device identifiers.

For example: a ticket carrying personal data such as name, location and social identity, collected to record and resolve an individual's support requests; or CRM software collecting online identifiers to learn about a prospect's activity on the company website or product.
Who are data controllers, processors and sub-processors?
A data controller is the entity or person that determines the purposes and means of processing an EU resident's personal data; a data processor processes that data on the controller's behalf and on its instructions. For example, My Gadget Repairs is a data processor, and My Gadget Repairs's customers (shop owners) are the controllers of the EU resident's data.

The GDPR applies to both data controllers and processors. Controllers collect data from the end-user (the EU resident) for clearly stated purposes and with appropriate consent or another lawful basis. Processors provide services to the controller in accordance with each controller's instructions. Note that where a processor uses the collected data for its own purposes, for example benchmarking analysis sold back to controllers so they can compare their data with industry averages, it is acting as a controller for that processing and carries a controller's obligations for it.

Sub-processors, third-party businesses that perform data processing on behalf of a processor, are likewise accountable for the protection of personal data under the GDPR.
Who is a Data Protection Officer (DPO) and does my business need one?

The DPO is responsible for informing employees of their compliance obligations, as well as for conducting the monitoring, training and audits required by the GDPR. A DPO must be appointed if you:

  • process special categories of personal data (for example health data) or data on criminal convictions on a large scale as a core activity,
  • carry out large-scale, regular and systematic monitoring of individuals as a core activity, or
  • are a public authority or body.
What is the cloud or Software-as-a-Service (SaaS) advantage in meeting data governance policies?
Meeting compliance requires investment in time, effort, cost and expertise. Being part of a cloud or SaaS ecosystem that already operates a secure model for data management provides a safe environment in which to manage and process your data, and absorbs much of the effort required to keep pace with changing policies. As a controller you still remain responsible for your own processing and for choosing and instructing your processors.
How does my business benefit by complying with the GDPR?

The GDPR helps restore consumer trust by establishing a single set of rules for data protection and individual rights across the EU. The regulation allows businesses to pursue opportunities in the digital market while protecting individuals' fundamental rights.

Businesses can capitalize on opportunities through:

  • Cost savings and simpler policy management from dealing with one law rather than 28 national ones, which previously meant separate expense and effort for each member state's regime.
  • Consistent data protection practice both inside and outside the EU, because the same regulation applies to every business that processes EU residents' data, regardless of where it is based.
  • A single, predictable set of rules under which innovation can flourish.

What you need to know

On 25 May 2018 the GDPR becomes enforceable, strengthening the fundamental right to privacy for people living in the EU. The regulation mandates operational and technological controls to protect against misuse of personal data, and grants individuals new rights over how their personal data is treated. Any company that wants to do business with European residents must comply with the GDPR.

By giving European consumers the power to control how their data is used, the GDPR drives businesses all over the world to revisit their data handling policies. Sectors like banking and healthcare have been forerunners in defining their own data-handling rules; with the arrival of the GDPR, other businesses now have a clearer sense of how personal data should be treated, and an opportunity to fortify data protection policies specific to their needs. In short, the GDPR underpins data governance for all kinds of businesses and lets them define data protection rules specific to them.

SCOPE
  • Applies to all businesses processing personal data of EU residents, regardless of where the business is located.
  • Sub-processors, businesses performing data processing for other companies, are also accountable for the protection of personal data.
  • Standardizes data protection law for residents across all EU member states.
TREATMENT OF PERSONAL DATA

Businesses must:

  • Exercise stricter control on how data is stored, shared, used and accessed
  • Enhance policies and procedures to ensure lawful processing and more control to the individual
  • Practice governance for transparency, recording and reporting of data protection issues
NON-COMPLIANCE

Companies that fail to adhere to the GDPR after the May 2018 enforcement deadline can incur fines of up to €20m or 4% of annual global turnover, whichever is greater.

DATA PROTECTION OFFICER (DPO)

The DPO is responsible for informing employees of their compliance obligations, as well as for conducting the monitoring, training and audits required by the GDPR. A DPO must be appointed if you:

  • Process special categories of personal data (for example health data) or data on criminal convictions on a large scale as a core activity,
  • Carry out large-scale, regular and systematic monitoring of individuals as a core activity, or
  • Are a public authority or body.
DATA BREACH

In the event of a personal data breach, controllers must notify the relevant Data Protection Authority (DPA) within 72 hours of becoming aware of it, unless the breach is unlikely to result in a risk to individuals' rights and freedoms. If the breach poses a high risk to the rights and freedoms of data subjects, controllers must also notify the affected data subjects without undue delay. Processors, for their part, must notify the controller of any breach without undue delay.

ACCOUNTABILITY

Organisations must demonstrate accountability by:

  • Implementing controls that strictly limit the use of data to the purposes for which it was collected
  • Establishing mechanisms to manage data according to the preferences specified in the consent record
CONSENT
  • Ensure clear privacy notices are present wherever personal data is collected
  • Enter into contracts with affiliates and vendors that collect or receive personal data
  • Maintain verifiable records of consent for the processing of personal data
PRIVACY IMPACT ASSESSMENTS

Businesses conducting risky or large scale processing of personal data must:

  • Establish a privacy impact assessment process
  • Administer employee and vendor privacy and security awareness training
INDIVIDUAL’S NEW RIGHTS
  • Establish processes to respond to data subject requests for access, correction, objection, restriction, portability and deletion (the right to be forgotten) of personal data
PRIVACY BY DESIGN AND DEFAULT
  • Privacy by design requires businesses to build data protection into business processes and new systems from the outset
  • Privacy by default requires that the most privacy-protective settings apply automatically whenever a customer acquires a new product or service

How to begin your journey

Meeting the GDPR calls for considerable investment in time, effort, cost and expertise, and businesses may for various reasons find it hard to meet the specified guidelines on their own. One way to reduce the burden is to be part of a cloud ecosystem: SaaS providers that already operate a robust and secure model for data management offer a safe environment in which to manage and process your data.

  • If your business uses software developed in-house, you need to institute processes that satisfy the principles of Privacy by design and the Right to be forgotten yourself. A GDPR-compliant SaaS provider already satisfies these principles in its own platform, so switching to SaaS can substantially reduce the cost and effort of compliance and of keeping up with new compliance needs. As a controller you nevertheless remain responsible for your own processing and for choosing and instructing your processors; a compliant SaaS provider reduces, but does not remove, your obligations.
  • Privacy by design applies regardless of whether software is on-premise or SaaS. Businesses running on-premise software are additionally responsible for meeting the guidelines for secure storage and protection of personal data themselves. My Gadget Repairs is Privacy by design ready, and you can find details in the Data Hosting section below.

Therefore, the first step towards compliance is to ask your vendors whether they are GDPR compliant; if they are not, My Gadget Repairs is here to help.

Meeting GDPR can be summarized into 4 stages:

  1. Identify personal data and where it resides: With the GDPR around the corner, knowing what personal data you hold and where you hold it has become a necessity. Locate the systems where personal data is collected and stored and create an inventory. Raise awareness of the significance of the regulation among organizational leaders and seek executive support.
  2. Assess collection, storage and use of this personal data: Re-examine existing processes and policies against the data protection requirements. Assess data protection mechanisms and the privacy impact of processing high-risk personal data. These assessments include planning and documenting mitigation measures to control and minimize the risks.
  3. Implement policies and controls to prevent, detect and report data breaches: Introduce privacy notices wherever personal data is collected. Put controls in place that limit the use of data to the purposes for which it was collected. Implement appropriate security measures to detect, respond to and report security breaches.
  4. Maintain up-to-date documentation on data processing and vendor contracts: Document and manage personal data from a central location. Consolidate and maintain up-to-date documentation so that data subject requests can be actioned and data breaches reported.
Compliance with the GDPR can be challenging, but it encourages a holistic approach to delivering secure products for consumers. This approach to data also helps organizations aim for better business outcomes by staying responsive to new data governance needs.

GDPR at My Gadget Repairs

To strengthen individuals' rights to privacy, the European Union brought in the General Data Protection Regulation (GDPR). Building on the existing data protection directive, the GDPR defines rules for businesses collecting, storing and processing personal data. The regulation applies to businesses processing personal data of European residents and has an enforcement deadline of May 2018.

Effective compliance addresses data privacy and security requirements no matter where your business is located or what industry you belong to. At My Gadget Repairs we derive business value from our products and services by adhering to recommended standards and policies. Hence, our cloud ecosystem provides a robust and scalable structure for the safe processing of your data and your customers' data.

Our GDPR compliance practices are supported by 3 principles

Value

Deliver business value by optimizing service efficiency with secure and scalable systems for collecting, storing and processing data.

Collaboration

Increase customer and partner awareness on regulation requirements, ensuring consistent application of data protection measures.

Continuity

Drive business performance through continuous improvement, best practices and innovation.

Leading up to compliance before May 2018, My Gadget Repairs is running a GDPR program that includes evaluating and updating our existing Privacy Notice. This comprehensive program is supported by key privacy principles: Accountability, Privacy by Design and Default, Data Minimization and Masking, and Subject Access Rights, among others. Our business leaders and key executives are fully aware of the significance and impact of the GDPR on our business as well as on our customers' businesses. Technology and operations staff are subject to regular awareness programs.

Some aspects of the GDPR program at My Gadget Repairs

Accountability

At My Gadget Repairs there is an established Privacy Notice created with the support of our leadership. Our leaders commit to supporting and providing guidelines for data protection compliance through a framework of standard policies and procedures. My Gadget Repairs defines metrics for monitoring and governing the health of the Privacy Notice, which is run independently under the direct control of the Management Steering Committee.

Customer's Personal Data with My Gadget Repairs

My Gadget Repairs delivers on our customer’s privacy notice objective by enabling comprehensive data flow and process maps for the customer’s data. Periodic and need based Privacy Impact Analysis (PIA) across these data flow and process maps aids in keeping our program aligned with the ever changing business and technology landscapes.

Privacy by Design and Default

Programs, projects, and processes at My Gadget Repairs are aligned to Privacy Principles right from inception of an idea or project, thereby supporting Privacy by Design and Default principles.

Individual Rights, Subject Access, and Communication

The GDPR program thoroughly evaluates how well My Gadget Repairs, as both a data controller and a processor, is placed with its existing procedures to:

  • provide individuals with their rights under the GDPR, and
  • assist customers in responding to data access requests from individuals.

The program further evaluates the current Privacy Notice and necessary communication to customers.

My Gadget Repairs Commitment to GDPR

The GDPR enforces cross-border data protection mechanisms for businesses with operations in multiple EU member states. Rather than a patchwork of national laws, it provides a single set of data protection rules that applies to all global businesses processing EU residents' personal data.

My Gadget Repairs as a company is committed to providing secure products and services by implementing and adhering to the prescribed compliance policies, both as a data controller and as a processor. The upcoming GDPR enforcement is critical to our mission of providing EU and all our global customers with a safe and dependable business software suite.

For more information or questions about the My Gadget Repairs Privacy Notice, please contact support@mygadgetrepairs.com

My Gadget Repairs Data Hosting

My Gadget Repairs collects, stores and processes customer data, where data refers to all electronic data, messages or other material submitted to My Gadget Repairs by the customer through the customer's account in connection with the customer's use of My Gadget Repairs service(s). This data is processed in compliance with applicable laws and regulations for the purpose of providing the services in the My Gadget Repairs product suite.

As a data processor, My Gadget Repairs performs an operation or set of operations on this data in relation to the services offered. 'Data hosted' means data stored and processed for delivery of these services, and includes data stored for backups and logs. 'Data' as used here refers to the definitions in the table below:

DATA                          DEFINITION
Ticket data                   Information such as custom fields, source, tags, attachments, invoices and activities in a ticket
Requestor data                The requester's email, ID, mobile, name and phone
Shop user data                Shop user details (name, email, contact, location, group information) and user data (name, company information, custom field data)
Conversations                 Shop user details, company information, contact data, location and messages
Application integration data  Information relating or linking one data set to another, with one data set typically residing outside My Gadget Repairs
Knowledgebase content         Details pertaining to the article topic: category, company information and access
Report data                   Company and agent information, and ticket details

My Gadget Repairs practices minimal collection of data protected with appropriate security measures, and encryption of personal information.

Data Hosting

Data is hosted with data centers qualified by global IT standards and regulations. My Gadget Repairs provides multiple locations to host data (upon purchase of Data Hosting Options). The below table summarizes various data hosting locations available with My Gadget Repairs.

PRODUCT: My Gadget Repairs
DATA HOSTED: Ticket data, requestor/contact data, application integration data, knowledge base data, report data
DETAILS: Available worldwide

Backup and logs

My Gadget Repairs maintains a robust backup plan where data is distributed and stored in multiple secure locations. Data backup is retained for a stipulated period and then removed from the system. All personal data is stored and transferred in compliance with applicable global regulations.

Application and customer logs generated as part of the services provided are retained for the established retention periods. After that period, records are scheduled for automatic removal. Regular assessments are conducted in collaboration with the relevant stakeholders to review existing retention limits, and amendments are made as necessary.

Processing Data

My Gadget Repairs processes data necessary for delivery of services in a fair and lawful manner, in compliance with My Gadget Repairs’ Terms of Service and Privacy Notice. This data is processed with appropriate safeguards, which includes encryption of personal information. Processes are in place to ensure data is not kept longer than necessary, and retention limits are established for removal of data. Necessary steps are taken to facilitate correction of inaccurate, and deletion of personal data as required by My Gadget Repairs’ customer. Personal data is processed in a manner that ensures security and confidentiality of personal data, including prevention of unauthorised access to or use of this data.

Service Partners

My Gadget Repairs partners with organizations that, like itself, adhere to global standards and regulations. These organizations include sub-processors or third parties that My Gadget Repairs uses to assist in providing its products. Regular assessments are conducted to ensure that data is treated in a legal and fair manner and processed only for the purposes for which it was collected. Apart from evaluation against technical requirements, a legal examination of data protection measures, compliance with My Gadget Repairs' security requirements and a review of security audit reports are conducted before a contract is closed. The service partner's vulnerability and patch management processes and intrusion protection capabilities in AWS environments are also reviewed. Provision for breach notification in the event of a data incident, and the security measures necessary for protection and recovery of data, are made part of the initial agreements.

Data Migration

My Gadget Repairs provides data migration options for customers. As a security measure, while moving services from other vendors to My Gadget Repairs, My Gadget Repairs ensures that service data stays contained within the product's OVH environment. The OVH environment is subject to the required global security standards, and the migration process is executed on the My Gadget Repairs Migration Platform in OVH. Migration data is erased upon completion of the process and expiry of the defined data retention limits. Customers benefit from migrations being automated, with no manual intervention required.

My Gadget Repairs follows a well-defined process, aligned with guidelines prescribed by global standards, when managing data migration requests for its customers. Customers raise a migration request with Support and are guided through the required steps. Once in My Gadget Repairs, data is treated in accordance with the guidelines stated in the My Gadget Repairs Security Policy.

3rd Party Integration

My Gadget Repairs showcases a collection of applications for integration and productivity with third-party systems. All published applications pass through stringent code reviews, QA and security reviews. Security reviews focus primarily on testing for vulnerabilities and forgery. The backend services of the applications run on a serverless architecture, which means developers do not have to manage and host their own infrastructure. Most applications execute entirely within the My Gadget Repairs ecosystem and are subject to the IT standards set out in the My Gadget Repairs Security Policy.

Sub-processors

Sub-processors are third-party businesses engaged by a processor for performing data processing on behalf of a controller. According to the GDPR, these companies are also accountable for protection of an individual’s personal data. Data protection obligations of sub-processors are to be established by way of contract or other legal acts under the Union or Member State law. This includes providing sufficient guarantees to implement appropriate technical and organisational measures as specified in the regulation.

My Gadget Repairs uses the sub-processors listed below to assist in providing services as described in our Terms of Service or a similar services agreement customers may have signed with us.

Governance

My Gadget Repairs partners with organizations that, like itself, adhere to global standards and regulations. Apart from evaluation against technical requirements, My Gadget Repairs examines data protection measures, compliance with My Gadget Repairs' security requirements and security audit reports before a contract is closed. Initial agreements include review and approval of the provision for breach notification in the event of a data incident and of the security measures necessary for data protection.

Agreements

As part of My Gadget Repairs’ revised Terms of Service and Privacy Notice for compliance, My Gadget Repairs provides all EU customers a data processing addendum (DPA) that covers its obligations under the GDPR. You can find our DPA here. It automatically applies to processing of EU personal data and no additional paperwork is required in this regard.

My Gadget Repairs commits to keep this list updated regularly, to enable Controllers stay informed of the scope of sub-processing associated with My Gadget Repairs services.

List of Sub-processors

My Gadget Repairs uses both infrastructure and service-specific vendors to provide products and services to its Controllers (My Gadget Repairs customers) and end-users. The following is an up-to-date list (as of 25 May 2018) of the names and purposes of My Gadget Repairs' sub-processors and third-party vendors:

Infrastructure & Services Sub-processors:

My Gadget Repairs products and services operate on the cloud platforms listed in the table below. Data hosted on these services remains under My Gadget Repairs' control and access, and resides in the data center facilities corresponding to the location or plan chosen by the Controller (My Gadget Repairs' customer). Data subsequently remains in that data center unless it is shifted to ensure performance and availability of services, or as specifically agreed between the Controller and My Gadget Repairs according to the Controller's needs. The following table describes the services and the purpose for which these infrastructure service providers have been engaged.

To be able to provide specific functionality within its products and services, My Gadget Repairs partners with third-party services. These entities are sub-processors with access to service data (limited to purpose and use of indicated services) and are listed in the table below:

VENDOR: OVH Limited
PURPOSE: Primary cloud infrastructure provider for My Gadget Repairs, where all SaaS applications are hosted. Almost all data stored, processed and transmitted through My Gadget Repairs products and services resides in OVH data centers.
DATA CENTERS: EU
PRODUCTS: MygadgetRepairs