EZRentOut is fully GDPR compliant.
This post explains what this means and describes the functionality we have added to comply with the General Data Protection Regulation (GDPR).
What role do I play within the GDPR compliance framework?
In order to understand your place within this regulation, we need to flesh out three roles:
- Data Processor: The body that processes personal data on another body’s behalf.
- Data Controller: The body that determines the purpose and means of processing the personal data provided.
- Data Subjects: The individuals whose data is being processed.
There are two ways in which the GDPR terms might apply to you.
- You as the Data Subject:
You are an individual in the European Union and your data is stored in EZRentOut. That makes you our Data Subject, and we must abide by the GDPR to respect your data rights.
- You as the Data Controller:
We are the Data Processor, processing the data of your end users on your instructions. This makes you the Data Controller, and your end users (such as staff, customers, and vendors) the Data Subjects. You must therefore abide by the GDPR to respect the data rights of your end users.
In short, EZRentOut is not only GDPR compliant itself, but also enables you as a Data Controller to become GDPR compliant. Read on to see how this plays out in the new functionality we have added to EZRentOut.
How did EZRentOut become GDPR compliant?
EZRentOut appointed a Data Protection Officer in mid-2017. Our Data Protection team followed industry best practices to draft a roadmap to GDPR compliance. This included mapping data flows into and from our organization, and using this to identify risks in our data processing workflows. We then began carrying out the necessary data protection impact assessments, all of which ultimately culminated in the following:
We take your data security extremely seriously. To this end, we have combined new and existing security features to lower the chances of a data breach, whether at our end or at yours.
- We are ISO 27001 certified. ISO 27001 is the international standard for information security management systems (ISMS).
- All the data we process is encrypted using AES-256.
- We are in the process of being certified under the EU-US Privacy Shield Framework.
- Our user roles enable you to set permissions for your employees.
- We are hosted on Amazon Web Services (AWS). See AWS's own security documentation for the measures they have in place.
GDPR Compliance: You as a Data Subject
We’re providing you as a Data Subject with a list of tools that can help you with your data rights. These tools will provide you with:
- The ability to view or edit your profile information that has been added to EZRentOut.
- The ability to receive information on any data collected about you, including the purpose for which it was gathered and how long we will retain it.
- The right to request access to, rectification of, or erasure of that data.
- The right to opt in to certain features, such as email marketing, newsletters, Super User access, etc.
- The ability to send complaints and queries specifically related to the GDPR directly to the EZRentOut Data Protection team.
GDPR Compliance: You as a Data Controller
We’re also providing you as a Data Controller with a list of tools and features that can enable you to achieve GDPR compliance with ease. These provide you with:
- The ability to log the details of your Data Protection Officer and EU Representative.
- The ability to manage data in accordance with GDPR standards.
We already have rich features in place to support the management of our customers’ data. To expand on this functionality for GDPR compliance, however, we’ve added the following new features:
Declaration of Consent:
You will be able to inform relevant Data Subjects – such as users, customers, and vendors – that their information is going to be kept in the system. For this purpose, we’ve extended your ability to send confirmation emails to all such parties, such as:
- Customers created through LDAP
- Non-login customers (that is, customers who don’t have the ability to log into the system)
- Users registered through SAML
- Non-login users (that is, users who don’t have the ability to log into the system)
- Vendors
These emails also prompt users to choose whether they would like to receive notifications from EZRentOut.
Data Subjects have the right to data portability: they can request a copy of all the data held on them in an exportable form. For this purpose, we have extended your ability to export data by adding the following categories to EZRentOut reports:
- Address Book
Data Subjects can request that all their data be deleted from the system; the GDPR calls this the "right to be forgotten" (right to erasure). We have added a deletion feature to accommodate this. To preserve the integrity of our customers' records, however, we do not always hard-delete: where an individual is associated with orders, purchase orders, work orders, services, items, or anything else that forms part of a customer's data history, we instead redact the personally identifiable information while keeping the underlying record, so that the referencing records stay consistent.
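The delete-or-redact decision described above can be made mechanically: hard-delete a person's record when nothing references it, otherwise overwrite every PII field in place so foreign keys from orders and other history still resolve, then scan the whole store to confirm none of the original values survive anywhere. The following is an added illustrative example, not EZRentOut's own code; the record shapes, the `PII_FIELDS` list, the placeholder string and the sample people and orders are all assumptions constructed for the demonstration.

```python
"""Erase-or-redact handling for a 'right to be forgotten' request.

Added illustrative example, not EZRentOut's own code. Record shapes, field
names and the placeholder value are assumptions; the sample data is
constructed inline so the script runs offline.
"""
from __future__ import annotations

from dataclasses import asdict, dataclass, field

# Fields treated as personally identifiable on a person record (assumption).
PII_FIELDS = ("name", "email", "phone", "address")
PLACEHOLDER = "[redacted]"


@dataclass
class Person:
    id: int
    name: str
    email: str
    phone: str
    address: str
    redacted: bool = False


@dataclass
class Order:
    id: int
    customer_id: int  # foreign key into Store.people
    total_cents: int


@dataclass
class Store:
    people: dict[int, Person] = field(default_factory=dict)
    orders: dict[int, Order] = field(default_factory=dict)

    def reference_count(self, person_id: int) -> int:
        """How many history records still point at this person."""
        return sum(1 for o in self.orders.values() if o.customer_id == person_id)

    def forget(self, person_id: int) -> str:
        """Honour an erasure request. Returns 'deleted' or 'redacted'.

        A person with no referencing history is removed outright. One who is
        still referenced by orders is kept as a row (so the orders resolve),
        but every PII field is overwritten with the placeholder.
        """
        person = self.people[person_id]
        if self.reference_count(person_id) == 0:
            del self.people[person_id]
            return "deleted"
        for name in PII_FIELDS:
            setattr(person, name, PLACEHOLDER)
        person.redacted = True
        return "redacted"

    def residual_pii(self, values: list[str]) -> list[str]:
        """Post-erasure check: which of the given values still appear anywhere
        in the store? Every field of every record is scanned, not just the
        person row, so PII copied into other tables would also be caught."""
        records = list(self.people.values()) + list(self.orders.values())
        haystack = [str(v) for rec in records for v in asdict(rec).values()]
        return [v for v in values if any(v in h for h in haystack)]


def build_sample_store() -> Store:
    """Constructed sample data (not real customers)."""
    s = Store()
    s.people[1] = Person(1, "Ada Example", "ada@example.org", "+1 555 0100", "1 Sample St")
    s.people[2] = Person(2, "Bob Example", "bob@example.org", "+1 555 0101", "2 Sample Ave")
    s.orders[100] = Order(100, customer_id=1, total_cents=12999)  # Ada has history
    return s


def run_demo() -> dict[str, object]:
    """Erase both sample people and report what happened and what remains."""
    s = build_sample_store()
    ada_pii = ["Ada Example", "ada@example.org", "+1 555 0100", "1 Sample St"]
    bob_pii = ["Bob Example", "bob@example.org", "+1 555 0101", "2 Sample Ave"]
    return {
        "ada": s.forget(1),  # referenced by order 100 -> redacted in place
        "bob": s.forget(2),  # no history -> hard-deleted
        "order_still_resolves": s.orders[100].customer_id in s.people,
        "ada_leftover": s.residual_pii(ada_pii),
        "bob_leftover": s.residual_pii(bob_pii),
        "ada_row": asdict(s.people[1]),
    }


if __name__ == "__main__":
    for key, value in run_demo().items():
        print(f"{key}: {value}")
```

The residual scan is the part a practitioner should not skip: redaction that only touches the person row leaves copies of the same values in free-text fields, snapshots or exports, and the erasure is then incomplete even though the request was marked as fulfilled.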
Have any questions?
We’re committed to protecting your digital rights. If you have any questions around this issue, feel free to write to us at firstname.lastname@example.org