What is GDPR?

The General Data Protection Regulation (GDPR), is a European privacy law that went into effect on May 25th 2018. It is based upon the European understanding that privacy is a fundamental human right. Established by the EU Parliament, the GDPR regulates how individuals and organizations can obtain, use, store, and remove personal data. It gives EU citizens and residents control over their personal data, and simplifies the regulatory environment for international business that takes place in the EU.

What is personal data?

The GDPR defines personal data as any information that can be used to directly or indirectly identify a person, such as a name, photograph, email address, or even an IP address.

What are the requirements of the GDPR?

The Data Protection Principles include the following requirements:

  • Personal data must be processed in a fair, legal, and transparent way. It should only be used in a way that a person would reasonably expect.
  • Personal data should only be collected to fulfill a specific purpose, and it should only be used for that purpose. Organizations must specify why they need the personal data when they collect it.
  • Personal data should be held no longer than necessary to fulfill its purpose.
  • People covered by the GDPR have the right to access their own personal data. They can also request a copy of their data, and request that their data be updated, deleted, restricted, or transported to another organization.

Why is it important?

GDPR adds new requirements regarding how companies should protect the personal data they collect and process. It also raises the stakes for compliance by increasing enforcement and imposing greater fines for breach. Beyond these facts, it’s simply the right thing to do. At Gem, we respect your data privacy and we have solid security and privacy practices in place that go beyond the requirements of this new regulation.

Gem’s commitment to GDPR Compliance and data privacy

Here is an overview how Gem has prepared to meet the new regulation requirements.

Data Processing Addendum

We offer a data processing addendum (DPA) for our customers who collect data from people in the EU. Our DPA offers contractual terms that meet GDPR requirements and that reflect our data privacy and security commitments to our customers.

To guarantee no terms are imposed on us beyond what is reflected in our DPA and Terms of Service, we cannot agree to sign individual customers’ DPAs. We are a small team and are unable to make individual changes to our DPA. Any changes to the standard DPA would require legal counsel and considerable back and forth discussion, which would be cost-prohibitive for our small team.

If you have any questions or concerns, please let us know.

Data inventory

We reviewed and identified all the areas of Gem where we collect and process customer data. We validated our legal basis for collecting and processing personal data, and we ensured that we apply the appropriate security and privacy safeguards across our infrastructure and software ecosystem. Our Privacy Policy identifies what we do with the data we collect and how we manage consent.

Individual Data Subject’s Rights – Data Access, Portability and Deletion

We are committed to helping our customers meet the data subject rights requirements of GDPR. Gem processes or stores all personal data with fully vetted vendors with whom we have a DPA in place. We store personal data for up to 3 years unless your account is deleted. In which case, we dispose of all data in accordance with our Terms of Service and Privacy Policy.

Risk Assessment (data protection impact assessments)

One of the GDPR requirements is a managed data protection impact assessment (DPIA) process. A DPA process is a way to help us identify and minimize the data protection risks of a project. The Gem engineering team has always undergone security and privacy due diligence when choosing tools and making implementation decisions, so this requirement is easy for us. Any time we introduce a change to the way we handle personal data, we discuss the potential impact on Gem customers and explore possible privacy and security risks to personal data. If any risk is identified, no matter how small, our product and engineering teams collaborate on a solution to mitigate the data privacy and security risk to anyone who interacts with the Gem platform. We will continue to execute this risk assessment process as we expand Gem’s offerings.

Did this answer your question?