Last update: 03/13/2018
What is GDPR?
In April 2016 the European Union adopted the General Data Protection Regulation (GDPR), which becomes enforceable on May 25, 2018.
GDPR sets requirements on how organizations must handle the personal data of the individuals they process data about. It also imposes much larger fines for non-compliance.
Livestorm is following the developments around GDPR closely and is actively preparing for compliance.
The new law applies to every organization that processes the personal data of individuals in the EU, even if the organization itself is established outside the EU. It applies to both data controllers and data processors.
In case of non-compliance with GDPR, organizations face fines of up to €20 million or 4% of annual global turnover, whichever is higher.
GDPR makes no distinction between B2B and B2C. Existing rules on email opt-in and opt-out are also being aligned with GDPR.
What is personal data?
"Personal data" means information about an individual that:
- Can be used to identify, contact or locate a specific individual
- Can be combined with other information linked to a specific individual to identify, contact or locate that individual (e.g. a user ID)
- Is defined as "personal data" or "personal information" by applicable laws or regulations.
Personal data includes contact information (names, addresses, phone numbers), online information (member profiles, login information, IP addresses), government identification (tax ID, passport), and any other data which can be used individually or in combination with other data to identify a person.
Some personal data is considered sensitive and merits specific protection:
- Personal data which is, by its nature, particularly sensitive in relation to fundamental rights and freedoms, because the context of its processing could create significant risks to those rights and freedoms. Examples include:
- Ethnic origins or race (1)
- Biometric data
(The Regulation's special categories also cover political opinions, religious or philosophical beliefs, trade union membership, genetic data, health data and data concerning a person's sex life or sexual orientation.)
(1) This includes personal data revealing racial or ethnic origin; the use of the term "racial origin" in the Regulation does not imply an acceptance by the Union of theories which attempt to determine the existence of separate human races.
What is Livestorm doing to be compliant?
Data Protection Officer
We have appointed a Data Protection Officer (DPO) who will be the gatekeeper for all data processing activities. The DPO is in charge of training and advising teams so that a compliant level of privacy is maintained, and of reporting any non-compliant activity.
The DPO can be contacted at privacy@livestorm if you have any privacy concerns or questions, or if you wish to update, create or delete your personal data.
Manual Data Processing
You can already reach out to Livestorm if you wish to update, create or delete your personal data: contact our DPO at the privacy address above.
Note that you can already change most of your personal user data from your Livestorm account.
Next step: you will soon be able to manage your own personal data as a Livestorm user, and your attendees will be able to manage theirs.
Security & Breaches
Our team is actively working on strengthening our security standards to meet GDPR requirements. Here is what we already do:
- Personal data encryption
- Database backups
- Database encryption
- HTTPS connections
- Databases in EU
- 2FA authentication and role-based access control for access to your personal data
- Encryption of employee computers
- Passwords of at least 8 characters, enforced systematically
- Security training
- Privacy & security by design
- 24/7 emergency response
Here are our next steps:
- Official ISO certifications alignment
- Media encryption
- Systematic audits & logs
- Automated penetration tests
- Data breach real-time notifications
Livestorm uses several vendors that process your personal data. You can request our vendor inventory from our DPO to learn which vendors are used, what kind of data is collected, and whether they are GDPR compliant.
Here is our next step:
- Get all vendors to be GDPR compliant
What you should do as a webinar host
As a webinar host, you also have obligations regarding the data you collect through your live events.
This is what you should do from now on:
- Only request the minimum data needed (data minimisation) in your registration forms. Only ask for what you will actually use.
- Don't use the webinar invites feature for contacts who have not actively opted in to your marketing emails.
- Make sure the integrations you use are GDPR compliant before sending personal data from your webinars to them.
- Make sure that the nature of the data you ask for is compliant with EU regulations.
GDPR Progress and Checklist
In this table we have compiled all of our customers' questions regarding GDPR into a questionnaire, with our current status for each item (Ok, WIP, or No). Items are numbered so that the cross-references in the last rows can be followed.

| # | Question | Status |
|---|---|---|
| 1 | Is your organisation subject to the GDPR? | Ok |
| 2 | Have you assigned a DPO for GDPR? | Ok |
| 3 | Have you formally assigned ALL GDPR responsibilities to one or more employees? | Ok |
| 4 | Has your workforce had any information or training regarding the GDPR? | Ok |
| 5 | Do you have a policy to provide sufficient staff training on data privacy? | Ok |
| 6 | Are you aware that the contractual agreement between yourself and the Customer must be updated to reference the GDPR? | Ok |
| 7 | Can you perform an audit to assess the security of the infrastructure used to support the Customer services? | WIP |
| 8 | Do you outsource services that the Customer uses to 3rd parties? | Ok |
| 9 | Do you maintain data privacy requirements for third parties (e.g. clients, vendors, processors, affiliates)? | WIP |
| 10 | Do you maintain a data privacy notice that details the organization's personal data handling practices on your public-facing website? | Ok |
| 11 | Do you have a GDPR policy for the Customer information security standards and conduct? | WIP |
| 12 | Do you have a GDPR policy for the Customer data privacy standards and conduct? | WIP |
| 13 | Do you have a GDPR policy to maintain policies/procedures for maintaining data quality? | WIP |
| 14 | Do you have disaster recovery in place? | Ok |
| 15 | Do you perform regular backups of all the Customer data? | Ok |
| 16 | Do you know what Customer information is held, and where? | Ok |
| 17 | Do you use the Customer data for marketing? | Ok |
| 18 | Do you have a process for conducting regular testing of data security posture? | WIP |
| 19 | Do you have GDPR policies/procedures for the de-identification of personal data? | Ok |
| 20 | Do you have a GDPR process for evaluating privacy issues with new ventures ("Privacy by Design")? | Ok |
| 21 | Do you have GDPR processes for upkeep of security operations (firewalls, monitoring, intrusion detection)? | Ok |
| 22 | Do you have GDPR processes for upkeep of security infrastructure? | Ok |
| 23 | Do you have a process for the destruction of digital infrastructure containing data? | Ok |
| 24 | Do you maintain measures to encrypt personal data at rest and in transit? | Ok |
| 25 | Do you maintain measures to control access to personal data (Active Directory, role-based access, etc.)? | Ok |
| 26 | Do you have a process to delete the Customer data after a pre-agreed retention period? | Ok |
| 27 | Do you maintain a GDPR process to address complaints internally? | Ok |
| 28 | Do you maintain a GDPR process to respond to requests for access to personal data? | Ok |
| 29 | Do you maintain a GDPR process to respond to requests and/or provide a mechanism for individuals to update or correct their personal data? | Ok |
| 30 | Do you maintain a GDPR process to respond to requests to be forgotten or for erasure of data? | Ok |
| 31 | Do you maintain a GDPR process to respond to requests to opt out of, restrict or object to processing? | Ok |
| 32 | Do you maintain a GDPR process to respond to requests for data portability? | Ok |
| 33 | Do you maintain a GDPR process to stop all further processing of an individual's personal data for the purposes of profiling, advertising or marketing? | Ok |
| 34 | Do you have a process for data breaches? | Ok |
| 35 | Do you have a process for serious breach notifications? | Ok |
| 36 | Do you have a formal escalation process? | Ok |
| 37 | Do you have a process for conducting an annual GDPR review? | Ok |
| 38 | Are you aware that the contractual agreement must state the subject matter and the duration of the data processing? | Ok |
| 39 | Are you aware that the contractual agreement must state the nature and purpose of the data processing? | Ok |
| 40 | Are you aware of the obligations and rights of the Data Controller (the Customer) under the GDPR? | Ok |
| 41 | Are you aware that the Data Processor must ensure that people processing the data are subject to a duty of confidence? | Ok |
| 42 | Are you aware that the Data Processor must take appropriate measures to ensure the security of processing? | Ok |
| 43 | Are you aware that the Data Processor must only engage a sub-processor with the prior consent of the data controller and a written contract? | Ok |
| 44 | Are you aware that the Data Processor must assist the data controller in meeting its GDPR obligations in relation to data protection impact assessments? | Ok |
| 45 | Are you aware that the Data Processor must delete or return all personal data to the controller as requested at the end of the contract? | Ok |
| 46 | Are you willing to update your MSA / Contract / Service Agreement with the Customer to reference the GDPR? | Ok |
| 47 | Are you willing to update your MSA / Contract / Service Agreement with the Customer to action all six Subject Access Requests? | Ok |
| 48 | Are you willing to update your MSA / Contract / Service Agreement with the Customer with pre-agreed SLAs for Subject Access Requests (Items ? | No |
| 49 | Are you willing to update your MSA / Contract / Service Agreement with the Customer to action serious breach notifications? | Ok |
| 50 | Are you aware that nothing within the contract relieves the processor of its own direct responsibilities and liabilities under the GDPR? | Ok |
| 51 | Are you aware that nothing within the contract reflects any indemnity that has been agreed? | Ok |
| 52 | Are you aware that the Customer has the right to terminate any 3rd-party contract if evidence of non-GDPR compliance is proven? | Ok |
| 53 | Are you willing to update your MSA / Contract / Service Agreement with the Customer with items 6, 38, 39, 43 - 53? | Ok |