Studio Designer GDPR & Data Security Overview


Introduction

The General Data Protection Regulation (GDPR), the EU’s new privacy law that replaces the Data Protection Directive 95/46/EC, aims to bring order to a patchwork of privacy rules across the EU. GDPR will be enforceable as law in all EU member states on May 25, 2018. And despite Brexit coming into effect, GDPR will still be implemented across the UK as a replacement for the Data Protection Act. If you would like to read the GDPR, please find it here: http://eur-lex.europa.eu/legal-content/EN/TXT/PDF/?uri=CELEX:32016R0679&from=EN

The GDPR is European legislation designed to harmonize data protection across the EU. It imposes new regulations for companies to protect consumers regarding data processing, access and security, in addition to tougher enforcement for breaches of the rules.

The GDPR is built around six core principles for personal data (Article 5), which hold that personal data should be:

  1. Lawfulness, Fairness and Transparency – Processed lawfully, fairly and in a transparent manner in relation to individuals.
  2. Purpose Limitation – Collected for specified, explicit and legitimate purposes and not processed beyond those purposes.
  3. Data Minimization – Adequate, relevant and limited to what’s necessary in relation to the purposes for which they are processed.
  4. Accuracy – Accurate and, where necessary, kept up to date.
  5. Storage Limitation – Kept in a form which permits identification of data subjects for no longer than is necessary for the purposes for which the personal data are processed.
  6. Integrity and Confidentiality – Processed in a manner that ensures appropriate security of the personal data.

The GDPR contains several new protections and threatens significant penalties for non-compliance. In addition, there are new security, recordkeeping, access rights, and notification procedures that companies must implement to ensure compliance. Issues that are attracting particular attention include increased administrative requirements, and the need to provide the tools necessary to meet the numerous obligations on both controllers and processors.

GDPR and DesignersAxis

DesignersAxis takes its legal and regulatory obligations seriously. Moreover, we take data privacy and security very seriously. A central component of our Studio Designer product involves the collection and dissemination of customer account data, which almost always includes personal data. We are constantly working to ensure we collect, process, and share the data we deal with in a lawful, transparent manner.

To that end, we wanted to share with the Studio Designer community some information about DesignersAxis’s practices and procedures related to data collection and GDPR compliance.

Security: The Studio Designer platform, using Salesforce as its backbone, is packed with enterprise security features that make us the trusted platform for over 6,000 designers. Salesforce has implemented appropriate technical and organizational measures to satisfy the requirements of the GDPR, to ensure the level of security of personal data is appropriate to the level of risk, and to help ensure the protection of the rights of individuals.

Read more about those protections here: https://www.salesforce.com/blog/2017/07/salesforce-gdpr-july-2017.html

GDPR Contract Update: Both DesignersAxis (processor) and its customers (controllers) are jointly and separately responsible for certain actions under the GDPR. Therefore, the GDPR requires shared responsibility to protect an individual’s privacy rights. GDPR Article 28 requires that a contract be in place between a controller and a processor. For years, the DesignersAxis Master Subscription Agreement has provided the fundamental legal requirements and obligations regarding data ownership, confidentiality, and security of data, and more.

However, if a customer of DesignersAxis wishes to update their agreement with DesignersAxis with GDPR-specific language, please email DesignersAxis at: contact@studiodesigner.com

GDPR | DesignersAxis FAQ

1. What is your GDPR compliance strategy?

DesignersAxis takes its legal and regulatory obligations very seriously. We have been, and continue to be, reviewing our operations—in particular, our collection and processing of personal information—to determine what, if any, GDPR obligations apply to us as processors of our customers’ personal information. To the extent we are directly subject to GDPR, we will definitely comply. Currently, we do not believe GDPR directly governs our business or service as a controller of personal information. However, we are aware that GDPR may apply to our customers, and that part of our customers’ compliance obligation may be to enter into a data processing addendum (DPA) with DesignersAxis. To the extent we are a processor for our customers, we will enter into data protection addenda that comply with GDPR to help our customers meet their regulatory obligations. If you are a customer of DesignersAxis and you wish to update your agreement with DesignersAxis with a DPA, please email DesignersAxis at: contact@studiodesigner.com.

Through the DPAs we sign with customers, we are obligated to adopt certain GDPR security standards, processes and procedures. One of DesignersAxis’s obligations under a GDPR-compliant DPA is to have DPAs in place with DesignersAxis’s own data processors, a process which DesignersAxis has undertaken.

2. Are you Privacy Shield certified?

Currently, DesignersAxis is not Privacy Shield certified. Learn more about Privacy Shield here: https://www.privacyshield.gov/Program-Overview. Instead of relying on Privacy Shield, DesignersAxis will agree to the Standard Contractual Clauses in situations where a customer is required to demonstrate the data security adequacy of its data processors.

Have a question on GDPR?

Do not hesitate to get in touch to find out more about our changes and how we are helping you comply by emailing us at contact@studiodesigner.com.

DesignersAxis, LLC
Revised: May 21, 2018