The General Data Protection Regulation (GDPR) is the European Union's new data protection legislation designed to protect the privacy rights of EU individuals. The GDPR aligns fragmented privacy legislation across EU member states and is the most significant regulation to address modern privacy concerns. The regulation replaces the current EU Data Protection Directive (Directive 95/46/EC).
The purpose of the regulation is to strengthen the privacy rights of individuals with regard to how their personal data is collected, processed, and used.
OnceHub is ready for the changes and here to help our customers comply with the new regulations.
Who does it affect?
The GDPR applies to organizations that process the data of EU individuals (even if the business is not EU-based). GDPR regulated data can be stored outside the EU; however, data exports must meet additional requirements to ensure compliance. For example, there must be assurances that the country of transfer provides adequate protections for the data.
To protect personal data, the GDPR requires organizations to implement operational and technological controls. These controls cover:
1. How data is collected
2. The use of the collected data
3. Storage of the data
4. Individuals' rights to their data
The GDPR includes key principles for data protection:
Purpose limitation ensures that data is processed for the purpose that was originally intended. For example, at OnceHub, we only use the data we store to provide you with our services. We will never use your data for any other purpose.
Data minimization and retention ensures data is only collected and retained as necessary. For example, OnceHub allows you to configure the data you wish to collect and data is deleted from our databases when you stop using our service.
Data security is a key principle that ensures appropriate technical, administrative and physical safeguards are in place to protect your data from unauthorized access. OnceHub has a comprehensive security program that employs a multi-layered control system, designed to protect your data. For example, we continuously monitor our servers for suspicious activity and use advanced threat detection technologies to secure data.
Individual rights are enforced by the GDPR. An individual has the right to access, retrieve and modify their data. Individuals also have the “right to be forgotten” and for their data to be deleted. OnceHub provides the mechanisms necessary for data subjects and controllers to exercise these rights.
What is OnceHub doing?
The GDPR is a comprehensive regulation and OnceHub is committed to meeting the new requirements. OnceHub is working closely with VeraSafe, privacy experts, to ensure we are compliant.
As part of our commitment, we made the Data Processing Addendum (DPA) available to our Customers. The DPA is a contractual obligation to satisfy GDPR requirements such as the breach notification and data security articles.
GDPR-regulated businesses must appoint a data privacy officer (DPO) and an EU representative. OnceHub has nominated VeraSafe to represent OnceHub in the EU and we have designated an internal data privacy and security officer to oversee our compliance operations.
We have reviewed our breach notification processes and established controls to ensure data controllers are notified should a privacy incident occur. Notification will be made within 72 hours of OnceHub becoming aware of the issue, in line with the GDPR definitions.
The DPA will include a reference to the sub-processors used to provide our services. All sub-processors have been reviewed for GDPR compliance and OnceHub will offer data controllers the opportunity to object should a new sub-processor be introduced.
These are just some examples of the efforts we have invested in preparation for the GDPR. We are committed to compliance and to helping our users with their compliance needs.
To learn more about OnceHub's compliance with the GDPR, read our ebook: A practical guide to using OnceHub in a GDPR compliant manner.