TL;DR Jitbit's hosted help desk app is fully compliant.
GDPR is the new data protection law in the EU that strengthens the protection of personal data. The law regulates "processing" of personal data, which includes storage, collection and transfer of personally identifiable information. Any company that sells a software app or a digital service on the EU market (not just an EU company) has to comply with it starting May 2018.
The key changes are:
The key changes are listed on the official website and we highly recommend visiting it. Unlike most "official" websites, this one is actually very neat and user-friendly.
No. The GDPR does not require EU personal data to be physically stored in the EU, nor does it place any new restrictions on data transfer other than the ones that already existed.
Jitbit welcomes the GDPR and is fully compliant. GDPR is an important step towards protecting private data. Both our founders have been very vocal about the terrifying dangers we all face in light of rapid technological developments, such as AI, face-recognition, the rise social networks etc.
Note from Alex, our founder: "I'm personally very happy about the GDPR and don't get all the whining. First thing I'm going to do in May 2018 is request a copy of my personal data from Google just for kicks. I'm really interested of what's going to happen next. I'd also like to request Google to remove any personal data from my Google Photos family archive, like our names, social graph, locations, people present on the photos etc. Will blog about the results."
Now back to GDPR and our SaaS help desk software:
1. First of all, Jitbit's cloud-hosted helpdesk app collects no personal data other than full name and email of helpdesk app users (both end-users and administrators or helpdesk-agents). We do not even store our paying customers' addresses, VAT numbers, company names, locations or credit card numbers when they make a purchase - this data simply does not exist on our servers, it stays at the payment gateway, and we have no access to it. We do not use the data for any marketing research or "machine learning".
2. Jitbit already has the "right to be forgotten" procedure in place, implemented and operational. We physically delete the clients' data once they cancel their account and/or the account expires. In addition, we don't use any personal data for marketing, profiling or similar purposes. The "data portability" part works too - any Jitbit customer can request an actual copy of their account data, this has been working for years.
3. Jitbit is already HIPAA-compliant (HIPAA is an American thing that protects medical patients' private healthcare information, which is even more strict than GDPR). Which means we already have all the policies and procedures in place: we do have a Data Protection Officer, we do encrypt all the data both when storing AND transferring it, we do have a breach notification procedure, we also perform regular in-house training for all our employees.
4. Jitbit has less than 250 employees (way less, in fact), which means we don't have to keep records of data processing activities.
5. Jitbit is a "data processor". Our clients - the companies that use our hosted helpdesk solution - might add one or more "custom fields" to their helpdesk tickets, that can store personal data. For example "taxpayer ID" or "address" or something similar. In this case the client does have to perform some extra steps to comply with the GDPR, like: provide Jitbit with an SSL certificate if they use a custom domain and inform their customers about collecting this data and the purposes ("consent"). While Jitbit will take care of the safety of the data and implementing the "right to be forgotten" and "data portability".
6. Jitbit takes all reasonable steps to ensure the reliability of any personnel who have access to personal data. Jitbit has in place all reasonable technical and organisational measures to keep all personal data confidential and secure and to protect personal data against accidental loss or unlawful destruction, alteration, disclosure or access.
7. Jitbit does not allow any subcontractors to access our client's (or our client's clients) data without permission.
8. Helpdesk is hosted in Amazon's "private cloud" (as in "not visible from the Internet"), only 3 people have access to the database. And we have a DPA signed with Amazon.
More technican details can be found in our KB.
We also have our own Data Processing Agreement template which we will provide and sign upon request. Contact our support to get started.
Last updated: 5/23/2018 more Helpdesk Ticketing System whitepapers