The new European General Data Protection Regulation (GDPR) came into force from May 25th, 2018. Since the regulation was announced last year, Kissflow has been working towards becoming GDPR compliant. For this purpose, we made a lot of changes to our processes related to data security and how we handle personal data.
Today, we are happy to announce that Kissflow is GDPR compliant.
Kissflow’s Journey Towards GDPR Compliance
1. Identifying internal data collection mechanisms and mapping them to the personal data being collected
The first step we took towards GDPR was to identify and document all the channels and mechanisms we use to collect Personally Identifiable Data from EU Data Subjects. We mapped the type of personal data being collected to the channels for better identification.
2. Purpose limitation, Data minimisation and Storage limitation
Once we mapped the personal data to the data collection channels, we made sure controls are in place so that the collected data is processed only for the purpose for which it was collected. We also removed any personal data that was not business critical and defined how long we store this data.
3. Data Protection Impact Assessment
We carried out Data protection impact assessments (DPIA) to help identify, assess and mitigate or minimise privacy risks with data processing activities.
4. Legal basis for Processing Data
Kissflow uses consent, legitimate interest and contracts as legal bases for processing, depending on the personal data we collect. We identified the legal basis for each category and mapped it to the personal data we collect.
5. Individual Rights
We created our own internal process for how we respond to and resolve requests from data subjects regarding their individual rights. These rights include the right to information, right to rectification, right to access, right to erasure, right to restrict processing, right to data portability, right to object, and right not to be subject to automated decision-making, including profiling.
We conduct regular vulnerability tests and annual penetration testing as part of our ISO 27001 audits. We make sure suitable security measures are in place to ensure the confidentiality, integrity, and availability of information. We also use pseudonymisation through encryption and hashing to make sure all personal data is protected. We are taking appropriate technical and organisational measures to adequately protect personal data against accidental or unlawful destruction, loss, alteration, unauthorised disclosure of, or access to personal data.
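To illustrate what pseudonymisation through hashing looks like in practice, here is an added example (not Kissflow's own code, and not a description of its systems). It uses a keyed hash (HMAC-SHA256) rather than a bare hash, because an unkeyed digest of a low-entropy value such as an e-mail address can be recomputed by anyone with a list of plausible addresses. The key is mixed with a processing purpose so that the same subject gets unlinkable pseudonyms in different contexts (purpose limitation), and holding the key lets the controller still locate a subject's records to serve access or erasure requests. The sample records, the key and the purpose labels are constructed for the example.

```python
"""Keyed pseudonymisation of personal data (added illustration, not Kissflow's code).

Constructed sample data and keys only. In production the HMAC key would be held
in a key-management system, separately from the pseudonymised data set, and
rotated or destroyed according to the retention policy (destroying the key makes
the pseudonyms permanently unlinkable to the original subjects).
"""
import hashlib
import hmac
import secrets

# Constructed sample records; the addresses are not real people.
RECORDS = [
    {"id": 1, "email": "Alice@Example.com", "country": "DE", "plan": "pro"},
    {"id": 2, "email": "bob@example.org", "country": "FR", "plan": "free"},
    {"id": 3, "email": "alice@example.com", "country": "DE", "plan": "pro"},
]

# Fields that directly identify a data subject and must be replaced
# before the records are used for a secondary purpose such as analytics.
IDENTIFYING_FIELDS = ("email",)


def new_key() -> bytes:
    """Generate a fresh 256-bit HMAC key (store it outside the data set)."""
    return secrets.token_bytes(32)


def normalise(value: str) -> str:
    """Canonicalise an identifier so that trivially different spellings
    of the same address map to the same pseudonym."""
    return value.strip().lower()


def pseudonym(value: str, key: bytes, purpose: str) -> str:
    """Return a stable, keyed pseudonym for `value` within one purpose.

    The purpose label is bound into the MAC input, so a pseudonym issued for
    'analytics' cannot be joined with one issued for 'support' even though
    both derive from the same key and the same subject.
    """
    msg = purpose.encode("utf-8") + b"\x00" + normalise(value).encode("utf-8")
    return hmac.new(key, msg, hashlib.sha256).hexdigest()


def pseudonymise_records(records, key: bytes, purpose: str):
    """Return copies of `records` with identifying fields replaced by pseudonyms."""
    out = []
    for rec in records:
        copy = dict(rec)
        for field in IDENTIFYING_FIELDS:
            if field in copy:
                copy[field] = pseudonym(copy[field], key, purpose)
        out.append(copy)
    return out


def records_for_subject(pseudo_records, email: str, key: bytes, purpose: str):
    """Locate a subject's records in a pseudonymised set (needed to answer
    access or erasure requests). Only possible while the key is still held."""
    target = pseudonym(email, key, purpose)
    return [rec["id"] for rec in pseudo_records if rec.get("email") == target]


if __name__ == "__main__":
    key = new_key()
    analytics = pseudonymise_records(RECORDS, key, "analytics")
    for rec in analytics:
        print(rec)
    print("records for alice:", records_for_subject(analytics, "alice@example.com", key, "analytics"))
```

Note that records 1 and 3 receive the same pseudonym (the address is normalised before hashing), so counts and joins within the analytics set still work, while the same address under the "support" purpose yields an unrelated value.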
7. Processing of Personal Data outside of EU
Under GDPR, the EU doesn't allow the transfer of data on its citizens outside of the EU unless the Controller has adequate mechanisms in place to ensure the security of personal data. Kissflow is EU-US Privacy Shield certified, which we decided to use as the legal basis to export personal data out of the EU.
Kissflow has signed agreements with sub-processors instructing them how to process personal data and ensuring that they are GDPR compliant too.
We also created a Data Processing Agreement (DPA), which regulates our responsibilities as a host, thus allowing our clients to have GDPR compliant sites themselves if they need to. This document also describes how we communicate with customers if there's a breach and how we respond to requests from data subjects.
10. Website updates
GDPR is not a one-time effort. It's a continuous process, and we will be reviewing our processes regularly to make sure we do not breach any obligations set forth by GDPR, and closely following further updates to the regulation.
If your business processes the personal data of EU data subjects and you want to run that data through Kissflow, we’ve got you covered.