Total Synergy’s GDPR statement
- What is GDPR?
- Who does GDPR affect?
- Why should I care?
- How is Total Synergy GDPR compliant?
- A note about storing data in the USA
- Does GDPR affect me?
- It’s a good thing.
What is GDPR?
The General Data Protection Regulation (GDPR) is a wide-ranging European Union (EU) regulation designed to protect the privacy of individuals in the EU. It gives them control over how their personal data is processed, including how it’s collected, stored and used.
Who does the GDPR affect?
The GDPR affects every company in the world that processes personal data about people in the EU. The regulation applies to organisations located within the EU and organisations located outside the EU if they “offer goods or services to, or monitor the behaviour of, EU data subjects”.
The key points here are defining what constitutes personal data, and the business’s role as either a ‘processor’ or ‘controller’ of the data. Here are some definitions for those points:
Personal data: “Any information related to a natural person or ‘Data Subject’, that can be used to directly or indirectly identify the person. It can be anything from a name, a photo, an email address, bank details, posts on social networking websites, medical information, or a computer IP address.”
Controller: “The entity that determines the purposes, conditions and means of the processing of personal data.”
Processor: “An entity that processes personal data on behalf of the controller.”
In Total Synergy’s context, we’re a controller and processor for data we hold about our employees and customers. In our customers’ context, they are controllers of the data they choose to enter into Synergy. Total Synergy is the processor in that context.
Why should I care?
Aside from the risk of penalty — worst case, organisations can be fined up to four percent of annual global turnover for breaching GDPR or €20 million, whichever is higher — GDPR gives control of personal data back to the people who own it. It makes data protection a core part of companies’ operations and processes. This is more likely to affect large, data-driven organisations first, but small businesses are not exempt.
How is Total Synergy GDPR compliant?
Total Synergy is an Australian company. We have staff and customers in Europe. The GDPR has similarities with Australia’s Privacy Act 1988, so we already act with a ‘privacy by design’ approach. The GDPR goes further and we’ve made changes to comply. This means:
- We proactively design Synergy around data privacy with comprehensive security on the Microsoft Azure cloud platform
- We assess each data collection point for its necessity to the purpose of using Synergy
- We’ve re-written all privacy policies to demonstrate that our collection and use of data is transparent (these were in place before we launched our new cloud product in October 2017)
- We’ve re-written our terms and conditions for using Synergy to ensure consent to collect and process data is unambiguous
- We have designed a process to execute the ‘right to be forgotten’ where applicable — we’ve made it easy for customers to remove personal information from Synergy as controllers.
- Annual data audit
- Company-wide training for all staff and explicit data privacy contracts
- Data breach notification processes
A note about storing data in the USA
Total Synergy uses Microsoft Azure as its cloud platform. Our data is stored in the USA and backed-up in more than one geographic location in the USA. The transfer of data to these US data centres is GDPR qualified through Microsoft Azure’s compliance as a data processor. Read about this here.
Does GDPR affect me?
Probably. We’re not lawyers and can’t offer legal advice, but there’s a chance you will have some data somewhere for an EU citizen or resident. Which means you need to be compliant. We recommend you contact your own legal counsel to find out how GDPR affects you.
It’s a good thing
The GDPR is a good thing. It’s designed to give all of us more control over the data companies collect about us, how we can find out what that is (right to access), in getting a response when asking for it to be removed or updated (right to rectification), in stopping certain data from being used (right to object), and having the data deleted (right to be forgotten).
Read the full text of the General Data Protection Regulation.