Impexium GDPR Statement
Statement of Direction on GDPR – March 2018
The following is Impexium’s Statement of Direction regarding support of the EU GDPR regulation. It is intended to outline our product direction so that our customers comply to GDPR requirements as a Data Controller. The development, release, and timing of any features or functionality described is at Impexium’s discretion.
European Union’s General Data Protection Regulation:
The European Union’s General Data Protection Regulation (GDPR) is effective on May 25, 2018. GDPR is a set of new data privacy laws across Europe that are designed to protect EU citizens’ and residents’ data privacy and reshape the way organizations approach data privacy. Impexium’s customers are headquartered around the globe and include EU-centered associations and organizations. As a result, Impexium is planning a set of features to assist our customers meet GDPR compliance requirements. Data privacy is a priority for Impexium. We have always strived to meet the highest privacy standards in the industry and are pleased to continue our steadfast commitment to our customers’ data security as we work to comply with GDPR guidelines.
For the purposes of GDPR, with regard to the Processing of personal data, Impexium’s customer is the Data Controller, which is the organization that determines the purposes and ways personal data is processed. Impexium, as a SaaS (Software-as-a-Service) provider, is the Data Processor, which is the organization that processes personal data on behalf of the Data Controller.
What do you need to know? What is it? The GDPR is an EU regulation that includes rules that boost data protection and security for European Union citizens and residents. Experts believe the GDPR will have a huge impact on how data is collected, processed, used and shared.
Does GDPR only apply to Europe or associations headquartered in Europe? No. It also affects the export of data outside the EU and of course it affects any organization that deals with EU citizen or resident data — a vast number of trade and membership organizations interact with European members.
What data does GDPR cover? The definition of personal data is broad and may cover, but not be limited to, professional, public life and private life activities and includes everything from names, postal addresses, images, electronic messaging addresses to IP addresses, posts on social networks, medical information and more.
Impexium’s GDPR Roadmap:
Regardless of whether the EU considers an organization to be a Data Controller (an organization that determines the purposes and means of the processing of personal data – i.e. an association) or a Data Processor (an organization that processes personal data on behalf of the controller – i.e. an AMS provider like Impexium), Impexium’s objective is to address the overall points summarized below:
Opt-In Consent: Opt-In Consent needs to be explicit for usage of the data. This applies to Data Controllers and Data Processors.
Right to Access Data: Organizations must provide EU citizens/residents the ability to obtain from the Data Controller confirmation regarding whether or not their personal data is being processed, where and for what purpose. Upon request, Data Controllers must provide a copy of the personal data, free of charge, in an electronic format to any EU citizen/resident who requests his/her own data. All collected data must be reviewable and editable.
Right to be Forgotten/Erasure: Erasure becomes a universal right. Sometimes known under its previous, expanded iteration as “the right to be forgotten”, this allows individuals to request personal data related to them be deleted. Specifically, any EU citizen/resident has the right to have the data controller erase his/her personal data, cease further dissemination of the data, and potentially have third parties halt processing of the data. Erasure must be across all back-ups and data stores. In addition, 3rd party processors of the same data must be notified of any erasure action.
Data Portability: The right for an EU citizen/resident to receive the personal data concerning them, which they have previously provided in a “commonly used and machine-readable format” and have the right to transmit that data to another Data Controller. Individuals have the right to instantly download their data in a computer readable format or any other form of readable material.
2018.01 Release Content Direction for GDPR – Scheduled for April 2018
- The member sign-up wizard will have the option to collect consent from the Individual.
- The date/time when the consent was given will be recorded.
- An option to withdraw consent will be provided. A consent such as ones that are required to proceed (e.g., terms and conditions to join) cannot be withdrawn.
- Consent text can be configured with customer specific content.
Right to Access Data
- The option for the data subject to edit their data already exists in Impexium in an individual’s profile access.
- A “Privacy” tab will be added to the profile to enable the data subject to change their privacy settings.
Right to be Forgotten/Erasure
- In the Privacy tab, staff will be able to erase the data subject’s personal information and cease further dissemination of the data.
- A web hook will be available to notify third party Data Processors or Data Controllers.
- Staff will be able to download and send a PDF compilation of the data subject’s data.
- Via configuration, this option will be available for the data subject as well. When enabled, the data subject will be able to download the file themselves.
Impexium’s Role as a Data Processor:
Impexium will follow instructions received from our customer’s in their role as Data Controllers with respect to personal data, unless those instructions are (i) legally prohibited or (ii) require material changes to the Software. In addition, Impexium will reasonably support Customer or any Data Controller in addressing requests from Data Subjects or regulatory authorities regarding Impexium’s processing of personal data. If Impexium cannot comply with an instruction or if there is a Customer billable cost to comply with the instruction, Impexium will promptly notify the Customer To process personal data, Impexium (and its sub-processors) will only use personnel who are bound to observe data secrecy under the Data Protection Law. Impexium will use the appropriate technical and organizational measures to meet this objective. The current version of Impexium’s Written Information Security Policy can be found on the Impexium Customer Portal. Impexium will promptly inform Customer if it becomes aware of any Security Breach, as documented in the terms of each customer’s Impexium Software Subscription & Services Agreement. Any Impexium sub-processors will have the same obligations as Impexium does as a Data Processor (or sub-processor) with regard to their processing of personal data.
Impexium is continuing to evaluate all GDPR requirements and will consider additional GDPR-related features as we update our Product Roadmap for each release.
In preparation for the 2018.01 Release, Impexium will provide our usual release content presentations and training. We anticipate that Impexium customers’ system administrators will be able to configure the functionality themselves. If you require assistance, Impexium can assist you in the implementation via a Professional Services engagement.
Questions: Inquiries related to this document and related policies can be directed to firstname.lastname@example.org.