The Receptionist & the GDPR
Updated: May 2018
We have been carefully studying the GDPR, its impact on you, our customer, and the actions we need to take to satisfy it. Here is a summary of what we have learned and the actions we are taking. Please reach out to us at email@example.com should you have any questions.
The General Data Protection Regulation (GDPR), the EU’s new privacy law that replaces the Data Protection Directive 95/46/EC, aims to bring order to a patchwork of privacy rules across the EU. GDPR will be enforceable as law in all EU member states on May 25, 2018. If you would like to read the full GDPR, please find it here.
The GDPR is European legislation designed to harmonize data protection across the EU. It imposes new regulations for companies to protect consumers regarding data processing, access, and security, in addition to tougher enforcement for breaches of the rules.
The GDPR is built around six core principles for the processing of personal data (Article 5). Personal data must be:
- Lawfulness, Fairness and Transparency – Processed lawfully, fairly, and in a transparent manner in relation to individuals.
- Purpose Limitation – Collected for specified, explicit, and legitimate purposes and not processed beyond those purposes.
- Data Minimization – Adequate, relevant, and limited to what is necessary in relation to the purposes for which they are processed.
- Accuracy – Accurate and, where necessary, kept up to date.
- Storage Limitation – Kept in a form which permits identification of data subjects for no longer than is necessary for the purposes for which the personal data are processed.
- Integrity and Confidentiality – Processed in a manner that ensures appropriate security of the personal data.
The GDPR contains several new protections and threatens significant penalties for non-compliance. In addition, there are new security, recordkeeping, access rights, and notification procedures that companies must implement to ensure compliance. Issues that are attracting particular attention include increased administrative requirements, and the need to provide the tools necessary to meet the numerous obligations on both controllers and processors.
GDPR and The Receptionist
The Receptionist takes its legal and regulatory obligations seriously. Moreover, we take data privacy and security very seriously. The core of our business involves the collection of visitor data on behalf of our customers, which almost always includes personal data. We constantly work to ensure we collect, process, and share the data we deal with in a lawful, transparent manner.
There are two primary roles in the GDPR structure: Controller and Processor. Our customers collect data from visitors, and as such, our customers are the Controller. The Receptionist, which provides the software application used to collect data from our customers' visitors, is the Processor. As Processor, it is our duty to assist our Controller customers so that they can be compliant with the GDPR.
To that end, we want to share with The Receptionist community some information about The Receptionist's practices and procedures related to data collection and GDPR compliance. There are three ways in which our software and our support process allow Controller customers to satisfy key requirements of the GDPR:
- Remove visitor records – Through the account administration area, our customers can remove individual visit records so that they are no longer accessible in the application. This is a soft delete: the record is hidden, not permanently deleted from our database. Here is a support article describing how to use this feature.
- Set a visitor data retention period – Included in our software is the ability to automatically remove visit records that are older than a retention period you choose. Like manual removal, this is a soft delete and does not permanently delete the record from our database. Here is a support article describing how to enable this feature on your account.
- Request permanent removal – To have visit data permanently deleted from our database (for example, to fulfil a data subject's erasure request), email firstname.lastname@example.org with the records you would like expunged and we will delete them for you. Once deleted, there is no opportunity for recovery.
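The difference between the first two items and the third is the security-relevant point: a "removed" record is still stored and still personal data. The following is an added, illustrative example of that two-stage model using an in-memory SQLite table; it is not The Receptionist's code, and the table layout, column names, function names and the sample visits are all constructed here for the example. A soft delete sets a `removed_at` timestamp so the row disappears from the customer-facing view, the retention sweep does the same for rows older than the cutoff, and only the expunge step actually issues a `DELETE`.

```python
import sqlite3
from datetime import datetime, timedelta, timezone

# Hypothetical schema for the example: one row per visit. removed_at is NULL
# while the record is visible; a soft delete only sets it.
SCHEMA = """
CREATE TABLE visits (
    id            INTEGER PRIMARY KEY,
    visitor_name  TEXT NOT NULL,
    visitor_email TEXT NOT NULL,
    checked_in_at TEXT NOT NULL,  -- ISO 8601, UTC, so string comparison orders correctly
    removed_at    TEXT            -- NULL = visible; set = hidden (soft-deleted)
)
"""


def open_db():
    conn = sqlite3.connect(":memory:")
    conn.execute(SCHEMA)
    return conn


def add_visit(conn, name, email, checked_in_at):
    cur = conn.execute(
        "INSERT INTO visits (visitor_name, visitor_email, checked_in_at) VALUES (?, ?, ?)",
        (name, email, checked_in_at.isoformat()),
    )
    return cur.lastrowid


def visible_visits(conn):
    """What the account administration view would show: soft-deleted rows excluded."""
    return [r[0] for r in conn.execute(
        "SELECT id FROM visits WHERE removed_at IS NULL ORDER BY id")]


def stored_visits(conn):
    """What is actually still in the database, soft-deleted rows included."""
    return [r[0] for r in conn.execute("SELECT id FROM visits ORDER BY id")]


def remove_visit(conn, visit_id, now):
    """Soft delete a single record (the 'remove visitor record' feature)."""
    cur = conn.execute(
        "UPDATE visits SET removed_at = ? WHERE id = ? AND removed_at IS NULL",
        (now.isoformat(), visit_id),
    )
    return cur.rowcount


def apply_retention(conn, retention_days, now):
    """Soft delete every visible record older than the retention period."""
    cutoff = (now - timedelta(days=retention_days)).isoformat()
    cur = conn.execute(
        "UPDATE visits SET removed_at = ? WHERE removed_at IS NULL AND checked_in_at < ?",
        (now.isoformat(), cutoff),
    )
    return cur.rowcount


def expunge_visits(conn, visit_ids):
    """Hard delete: the rows are gone from the table and cannot be recovered."""
    placeholders = ",".join("?" * len(visit_ids))
    cur = conn.execute(f"DELETE FROM visits WHERE id IN ({placeholders})", list(visit_ids))
    conn.commit()
    return cur.rowcount


def demo():
    """Constructed sample data: three visits, one manually removed, a 365-day sweep, then an expunge."""
    now = datetime(2018, 5, 25, tzinfo=timezone.utc)
    conn = open_db()
    old = add_visit(conn, "Ada Lovelace", "ada@example.com", now - timedelta(days=400))
    recent = add_visit(conn, "Alan Turing", "alan@example.com", now - timedelta(days=3))
    removed = add_visit(conn, "Grace Hopper", "grace@example.com", now - timedelta(days=10))

    remove_visit(conn, removed, now)        # hidden, still stored
    apply_retention(conn, 365, now)         # 'old' hidden, still stored
    before = (visible_visits(conn), stored_visits(conn))

    expunge_visits(conn, [old, removed])    # now actually deleted
    after = (visible_visits(conn), stored_visits(conn))
    return before, after


if __name__ == "__main__":
    print(demo())  # (([2], [1, 2, 3]), ([2], [2]))
```

Note that after the soft delete and the retention sweep only visit 2 is visible, yet all three rows are still present; only the expunge reduces what is stored. Anything that must hold for personal data you still hold (breach notification, access requests, encryption at rest) therefore still applies to soft-deleted records until they are expunged.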
Security: The Receptionist platform has a large number of enterprise security features that make us the trusted platform for thousands of companies, ranging from small start-ups to the Fortune 100. The Receptionist has implemented appropriate technical and organizational measures to satisfy the requirements of the GDPR, to ensure the level of security of personal data is appropriate to the level of risk, and to help ensure the protection of the rights of individuals.
Some of the highlights of the security measures we’ve put in place include:
- All information is stored on Amazon Web Services (AWS) infrastructure via the Heroku hosting platform.
- All traffic to the application from the iPad app and the browser is encrypted in transit with TLS. The cipher suite in use is TLS_DHE_RSA_WITH_AES_256_CBC_SHA: AES-256 in CBC mode for confidentiality, HMAC-SHA1 for message authentication, and ephemeral Diffie-Hellman (DHE) key exchange authenticated by the server's RSA certificate, which gives each session forward secrecy. (Which suite is actually negotiated for a given connection also depends on what the client supports.)
- The Receptionist employs two layers of penetration testing and vulnerability assessment: third-party security testing of the Heroku application, performed by independent and reputable security consulting firms, and automated code analysis and security assessment of our application with CodeClimate before each deployment to our production environment.
- Our hosting partner, Heroku, uses ISO 27001- and FISMA-certified data centers managed by Amazon.
A full overview of our security architecture can be found by downloading our Security PDF Overview.
GDPR Contract Update: Both The Receptionist (Processor) and its customers (Controllers) have their own obligations under the GDPR, so protecting an individual's privacy rights is a shared responsibility. GDPR Article 28 requires that a contract be in place between a Controller and a Processor. For years, The Receptionist Terms of Service have provided the fundamental legal requirements and obligations regarding data ownership, confidentiality, processing responsibilities, and more.
However, if you would like to execute a separate Data Processing Addendum (DPA) with The Receptionist with GDPR-specific language, please email The Receptionist at: email@example.com.