General Data Protection Regulation
The General Data Protection Regulation (“GDPR”) is a sweeping new data protection law passed by the EU Parliament which becomes effective on May 25, 2018 and is aimed at strengthening the data protection rights for individuals located in the EU. Clarabridge has completed its preparations and is committed to GDPR compliance across all our products and services when enforcement begins on May 25, 2018. At Clarabridge, we are fully committed to privacy, security and data protection for all our customers’ data.
The following information outlines certain key principles of GDPR and what we have done to prepare ourselves to meet GDPR requirements. Please note that this document does not provide legal advice and should not be used as such.
GENERAL DATA PROTECTION REGULATION
GDPR replaces the Data Protection Directive 95/46/EC; standardizing the practices for data protection for all companies providing goods and services and managing data for persons located within the EU, regardless of where the company is located. The European Union (EU) enacted GDPR to govern the collection, processing, use and storage of personal data of these protected individuals in a manner designed to unify data privacy requirements across the EU. The EU designed the legislation to provide EU citizens with greater protections and rights as individuals and Clarabridge fully supports these landmark protections.
1.1. “Data subject” is defined under GDPR for personal as “any information concerning an identified or identifiable natural person.” This includes the name, identification number, online identifier, location, and an individual’s economic, cultural, social, physical, physiological, genetic, and mental identity.
1.2. “Processer” (Clarabridge) includes a legal or natural person, agency, public authority, or other body that processes personal data for a Controller.
1.3. “Controller” (Clarabridge customers utilizing our SaaS Services to ingest personal data of persons located within the EU) includes any agency, public authority, legal person, or other body responsible for determining the reasons and means for processing personal data.
GDPR KEY CHANGES.
Below are some of the material changes occurring to the previous set of data protection laws applicable in the EU when GDPR becomes effective:
2.1. Expanded rights for individuals: GDPR expands the rights of individuals (Data subjects) in the EU, which gives them more control over data and enables them amongst other things the ‘right to be forgotten’ (forget me please) and ‘portability’ (give me what you have on me, please and thank you). The Clarabridge SaaS Services contain tools that allow our customers to comply with any such requests and Clarabridge is ready to assist our customers in addressing any such requests that come in from their customers.
2.2. Compliance obligations: GDPR states that formal binding agreement should be executed between the Controller and Processor of personal data (called a Data Processing Annex, or DPA). The DPA should describe the data processing activities being carried out. Clarabridge has worked with world-class outside counsel to update its form DPA to be fully GDPR compliant and is proactively offering it to all customers that are not already party to it as a result of their agreeing to the Company’s terms of service. This form DPA may be viewed here: https://www.clarabridge.com/EU_DPA/. If you are not party to our online terms of service and have not received this DPA from us, please email us at email@example.com and we will forward a signed copy of the DPA to you for your counter-signature.
2.3. Security and compliance: Under GDPR, organizations must implement appropriate security measures, policies and protocols, perform a privacy impact assessment, and maintain detailed records of data processing activities. Clarabridge evaluated its current security measures, policies and procedures to ensure that we are compliant with GDPR security requirements. GDPR also requires a privacy impact assessment, which we concluded to determine our compliance with specific requirements applicable to us. Lastly, we have taken steps to ensure our records for data processing activities are aligned to GDPR requirements.
Violations under GDPR apply to Controllers and Processers, depending on the violation, fines can be imposed by the DPA up to 4% of annual global turnover—or €20 million—whichever is greater. There is also a tiered approach to fines, but as of the time of this writing, the tiers have not been thoroughly researched.
WHAT ACTIONS ARE WE TAKING
4.1. Clarabridge has assembled a GDPR working group comprised of members of our Legal, Technology, Information Security, Operations, and Development teams, along with a panel of outside experts, to ensure we evaluate and adhere to all GDPR requirements.
4.2. As a Processor of data of persons located within the EU on behalf of our customers, in anticipation of GDPR, we have reviewed and updated where needed our terms of service as well as our Data Processing Annex https://www.clarabridge.com/EU_DPA/ to comply with GDPR standards.
4.3. Our team has evaluated our current products and services to ensure we are able to support the various GDPR defined rights of individuals including, among others, the ‘right to be forgotten’ and ‘portability’ requirements that will be applicable upon the request of such individuals. For future products, we are ensuring we apply Data Protection and Design principles throughout our software development lifecycle.
CLARABRIDGE GDPR ROADMAP STATUS
- Stand up a corporate GDPR working group (DONE)
- Review and modify our Services Agreement, including seeking expert consultation on GDPR (DONE)
- Data Protection Officer appointment (DONE)
- Research business and product impacts because of GDPR (IN PROGRESS)
- Identify changes or improvements to our Services considering GDPR, thoroughly test, and document (DONE)
- Revise our Data Processing Annex (DONE)
- Communicate revised services terms (IN PROGRESS)
- Complete a DPIA to determine which function is Controller or Processor specific (DONE)
6.1. Clarabridge will work with our customers (Controllers) and shall process personal data in a manner that is designed to ensure security and confidentiality, as well as in a fashion that provides fairness and transparency.
6.2. Clarabridge is committed to working with Controllers regarding data retention policies and processes for data retention, specifically ensuring we can aid the Controller with identifying and removing data when needed, including the personal data of any person requesting such removal once the Controller alerts Clarabridge of such requirements.
6.3. The customer as Controller is responsible for ensuring that there is a lawful basis for processing any personal data that is ingested by the Clarabridge services at the direction of customer, whether by obtaining its customer’s consent or by virtue of some other lawful basis.
FREQUENTLY ASKED QUESTIONS
- Where is data stored, processed or accessed? – Please refer to our EU Data Processing Annex, section 7.1.3.
- Will Clarabridge (Processor) use personal data for any purpose other than providing your Services? – No, Clarabridge only processes data as directed by the Controller and does not use personal data for any other purpose.
Clarabridge welcomes your comments regarding GDPR. Please contact Clarabridge at firstname.lastname@example.org, or write to us via postal mail at the following address:
11400 Commerce Park Dr.
Reston, VA 20191
Corporate Headquarters – USA