Names & Faces and GDPR — the General Data Protection Regulation
At Names & Faces data security and privacy of personal information are of great importance. Given the nature of our business, establishing a deep foundation of trust with our clients is key to our success.
For the past eighteen months we’ve been working with independent auditors and legal teams at Deloitte Cyber Security & Lewis Silkin to prepare for GDPR (the new European data protection law coming into effect on 25 May 2018) to ensure that we understand our GDPR obligations.
GDPR applies to all companies processing data of European Union citizens, regardless of whether a company is based within the European Union or not. We’d like to explain how the GDPR requirements will apply to the Names & Faces service and to our role as a data processor.
What is GDPR about?
Generally speaking data privacy laws across the globe provide for the idea of privacy as a fundamental right. This includes that organisations should keep track of what data they own, who controls it, how it is being processed and how it is secured.. The GDPR has been introduced, considering technological changes such as social media interaction, cloud storage, and other technological developments of modern times, that did not exist when privacy laws were initially drafted and implemented. The GDPR ensures a consistent application of data privacy legislation across the European Union and it places stringent requirements on companies to keep track of what personal data they have on hand, who controls it, how it is being processed and how it is secured.
We’ve been preparing for this for some time
Being a young company with new systems, we have an advantage over older companies when it comes to GDPR compliance. Many older and bigger companies have complex IT setups with data stored in numerous scattered and unconnected systems — many of which they’re not even aware of. We‘ve known about the introduction of GDPR since our inception, so we’ve built our systems from the ground up to ensure: we always know where the personal data is that we hold; we know how long we’ve held it for; we have the necessary permissions to process it; and we’re able to edit it, export it or delete it if given instruction to do so by the person or organisation to whom it belongs.
When providing the Names and Faces service, we act as a data processor for you — our client — who is the data controller. We use personal data received from you as authorised by you and in terms of our agreement with you. Below we’ve highlighted the main aspects of the regulation that apply to the Names & Faces service followed by a short explanation of how we comply.
The processing of personal data should be “adequate, relevant and limited to what is necessary for the purposes for which they are processed”.
At Names & Faces, we only ever process data received from you on your instruction and will not process data received from you for use in any contexts other than those agreed to in our Client Terms of Service.
Users agree that we track their activity for statistical and analytical purposes. This tracking helps us improve our service, report back to our clients on how their users are making use of the Names and Faces service and helps us to monitor whether users are abiding by our Acceptable Use Policy.
The period for which the data is stored is limited to a minimum.
The Names & Faces service is simply a reflection of the data you, as our client, provide to us. We store backups of your current data for a maximum of 60 days after which point these backups are permanently deleted from our systems.
Personal data shall be accurate and kept up to date.
The accuracy of the data displayed in Names & Faces is a reflection of the data you, as our client, provide to us for processing. Our service allows data to be updated or corrected.
Personal data shall be protected from unauthorised access, illegal processing and loss.
We adopt several world class security measures to protect the data in our systems from unauthorised access, illegal processing and loss. All services in our ecosystem make use of two-factor authentication. We’ve implemented Data Loss Prevention (DLP) on our email clients and cloud storage systems which monitors, protects and alerts us to the unauthorised accessing of sensitive data. All client data is stored on Amazon Web Services (AWS) in a database managed by AWS. All client data stored in our databases is encrypted whenever in transit between the server and any Names & Faces Service.
When a user leaves an organisation that subscribes to the Names & Faces service, the system revokes their access and all data is remotely wiped from their device, preventing unauthorised access.
A data protection officer has to be designated who is responsible for monitoring compliance with GDPR and makes sure that personal data is safe and secure.
We have appointed a data protection officer. Together with our CEO he is also heading up an internal project to certify Names & Faces as ISO27001 compliant. We aim to achieve this certification by the end of 2018.
All relevant people have the right to receive a copy of their data, the right to correct and restrict their data as well as the right to erase data.
For Clients: you may request an export of your data from us, you may correct your data through our administration system or have your data deleted from our systems by submitting a request to us which we’ll fulfil within 48 hours.
For Users: Since users are granted access by virtue of our agreement with our client, users can request an export of their data, the correction of their data or the deletion of their data from their master administrator, who can then carry out that request or communicate it to Names & Faces which we will fulfil within 48 hours.
Frequently Asked Questions
How do I find out about Names & Faces data practices?
What information will be included in an export of my data?
Data exports will include all data originally provided to us by our client along with associated and identifiable usage data. This will be shared as a CSV along with a folder of all related photographs.
What information will be deleted upon my request for deletion of user information?
We will delete all data and photographs originally provided to us by our client including associated and identifiable usage data.
How do I request export or deletion of my data?
Please email us at firstname.lastname@example.org to request an export or deletion of your data.
Does an organisation require its employees to give their consent to be featured in Names & Faces?
Employers may require their employees to give consent, depending on the type of personal data. Often an organisation does not need to obtain each employee’s consent to include them in Names & Faces, because Article 6. 1 b) of the GDPR says that “…if processing is necessary for the performance of a contract to which the data subject is party, the processing is lawful.” In this case, since your employees are contractually employed by the organisation and the organisation has chosen Names & Faces as a necessary service within the organisation, processing employee data for purposes of the Names & Faces service is lawful.
If you have any other questions relating to GDPR, please free to contact us.
Please note this article has been prepared for general information purposes only; it is intended to help you to learn more about Names & Faces’s position on GDPR. The information presented is not legal advice, is not to be acted on as such, may not be current and is subject to change without notice.