GDPR is the new data protection law in the EU that strengthens the protection of personal data. The law regulates "processing" of personal data, which includes storage, collection and transfer of personally identifiable information. Any company that sells a software app or a digital service on the EU market (not just an EU company) has to comply with it starting May 2018.
The key changes are:
The key changes are listed on the official website and we highly recommend visiting it. Unlike most "official" websites, this one is actually very neat and user-friendly.
No. The GDPR does not require EU personal data to be physically stored in the EU, nor does it place any new restrictions on data transfer other than the ones that already existed.
Jitbit welcomes the GDPR. It is an important step towards protecting private data. Both our founders have been very vocal about the terrifying dangers we all face in light of rapid technological developments, such as AI, face-recognition, the rise social networks etc.
Note from Alex, our founder: "I'm personally very happy about the GDPR and the first thing I'm going to do in May 2018 is request a copy of my personal data from Facebook just for kicks. I'm really interested of what's going to happen next. I'd also like to request Google to remove any personal data from my Google Photos family archive, like our names, social graph, locations, people present on the photos etc. Will blog about the results."
Now back to GDPR and our SaaS help desk software:
1. First of all, Jitbit's cloud-hosted helpdesk app collects no personal data other than full name and email of helpdesk app users (both end-users and administrators or helpdesk-agents). We do not even store our customers' addresses, VAT numbers, company names, locations or credit card numbers when they make a purchase - this data simply does not exist on our servers, it stays at the payment gateway, and we have no access to it.
2. Jitbit already has the "right to be forgotten" procedure in place, implemented and operational. We physically delete the clients' data once they cancel their account and/or the account expires. In addition, we don't use any personal data for marketing, profiling or similar purposes. The "data portability" part works too - any Jitbit customer can request an actual copy of their account data, this has been working for years.
3. Jitbit is already HIPAA-compliant (HIPAA is an American thing that protects medical patients' private healthcare information, which is even more strict than GDPR). Which means we already have all the policies and procedures in place: we do have a Data Protection Officer, we do encrypt all the data both when storing AND transferring it, we do have a breach notification procedure, we also perform regular in-house training for all our employees.
4. Jitbit has less than 250 employees (way less, in fact), which means we don't have to keep records of data processing activities.
5. Our clients - the companies that use our hosted helpdesk solution - might add one or more "custom fields" to their helpdesk tickets, that can store personal data. For example "taxpayer ID" or "address" or something similar. In this case the client does have to perform some extra steps to comply with the GDPR, like: provide Jitbit with an SSL certificate if they use a custom domain and inform their customers about collecting this data and the purposes ("consent"). While Jitbit will take care of the safety of the data and implementing the "right to be forgotten" and "data portability".
We also have our own Data Processing Agreement which we will provide and sign by request. Contact our support to get started.
Last updated: 3/5/2018 more Helpdesk Ticketing System whitepapers