What is it?

The General Data Protection Regulation (GDPR), is a European privacy law approved by the European Commission in 2016 and will go into effect on May 25th 2018. The GDPR will replace a prior European Union privacy directive known as Directive 95/46/EC which has been the basis of European data protection law since 1995. The GDPR is an attempt to strengthen, and modernize EU data protection law and enhance individual rights and freedoms, consistent with the European understanding of privacy as a fundamental human right. The GDPR regulates, among other things, how individuals and organizations may obtain, use, store, and remove personal data. In a nutshell, it’s giving EU citizens and residents control over their personal data while simplifying the regulatory environment for international business that takes place in the EU.

The Data Protection Principles include requirements such as:

• Personal data collected must be processed in a fair, legal, and transparent way and should only be used in a way that a person would reasonably expect.

• Personal data should only be collected to fulfill a specific purpose and it should only be used for that purpose. Organizations must specify why they need the personal data when they collect it.

• Personal data should be held no longer than necessary to fulfill its purpose.

• People covered by the GDPR have the right to access their own personal data. They can also request a copy of their data, and that their data be updated, deleted, restricted, or moved to another organization.

Why is it important?

GDPR adds some new requirements regarding how companies should protect individuals’ personal data that they collect and process. It also raises the stakes for compliance by increasing enforcement and imposing greater fines for breach. Beyond these facts it’s simply the right thing to do. At Wave Connect we strongly believe that your data privacy is very important and we already have solid security and privacy practices in place that go beyond the requirements of this new regulation.

Training and Awareness

We’ve formed a core privacy team of leaders from each area of the Wave Connect business, headed by our internal Data Protection Officer (DPO). The representatives in this group are the project managers who will ensure all the requirements of GDPR are covered from Marketing to Engineering to People Ops. The team meets once a month to discuss any changes required to ensure that we are compliant. This team is also responsible for developing the Wave Connect GDPR awareness training program and validating that everyone at Wave Connect understands and keeps up to date on the current regulation.

Consent

We’ve updated our Cookie policy to provide you with complete transparency into what is being set when you visit our site and how it’s being used. On our cookie policy page you can also read about steps you can take in order to control how your browser handles cookies.

Data Inventory

We have reviewed and identified all the areas of Wave Connect where we are collecting and processing customer data; categorising and taking inventory of everything from cookies to help desk conversations. Using this matrix we have validated our legal basis for collecting and processing personal data and double-checked that we are applying the appropriate security and privacy safeguards across our entire infrastructure and software ecosystem. Our Privacy policy identifies what we are doing with the data we collect and how we manage consent.

Updates to our third-party vendor contracts

We have reviewed our list of third-party vendors (and in the case of some vendors are currently reviewing) and have and continue to perform a deep review of their GDPR compliance.

Clear and concise terms of service and privacy policy

At Wave Connect we practice transparency internally and we believe that transparency extends to our customers. With our updated Terms of service and Privacy policy we openly describe what personal data we are collecting, processing, why, how we use it, who we share it with, and how long we store it. We have always made an effort to keep the language in our Terms of Service and Privacy Policy as clear as possible and we have updated these notices to describe how we are respecting and protecting your personal data. We hope you find it concise, transparent, intelligible, and easily accessible.

Individual Data Subject’s Rights – Data Access, Portability, and Deletion

We are committed to helping our customers meet the data subject rights requirements of GDPR. Wave Connect processes or stores all personal data in fully vetted vendors. We do store all conversation and personal data for up to 6 years unless your account is deleted. In which case, we dispose of all data in accordance with our Terms of Service and Privacy Policy, but we will not hold it longer than 60 days.

Risk Assessment (data protection impact assessments)

Having a managed data protection impact assessment (DPIA) process is a requirement for GDPR. A DPIA process is simply a way to help us identify and minimize the data protection risks of a project. The Wave Connect team has always undergone security and privacy due diligence when making tooling and implementation decisions, so this requirement is an easy one for us. Any time we introduce a change to the way we handle personal data, we spend time discussing the potential impact on customers of Wave Connect and possible privacy and security risks to personal data. If any risk is identified, no matter how small, our product and engineering teams collaborate on a solution that will mitigate the data privacy and security risk to anyone who interacts with the Wave Connect service. We will continue to execute this risk assessment process as we expand the Wave Connect offerings.

We are here for you

We are working with our customers to answer any questions and address any concerns regarding how we protect their personal data for GDPR. If you have any questions, please don’t hesitate to reach out to support@waveconnect.co .