GDPR Compliant Help Desk Software
TL;DR Jitbit's hosted help desk app is fully compliant.
What is GDPR?
GDPR is the new data protection law in the EU that strengthens the protection of personal data. The law regulates "processing" of personal data, which includes storage, collection and transfer of personally identifiable information. Any company that sells a software app or a digital service on the EU market (not just an EU company) has to comply with it starting May 2018.
Key requirements for SaaS providers
The key changes are:
- The right to be forgotten AKA "right to erasure" - EU individuals have the right to request erasure of their personal data or request a copy of their personal data
- Data protection by design - practical measures to prevent loss, destruction of damage of data.
- Data processing consent - companies have to include the following info in their terms of service and customer agreements: the duration, purpose and nature of data processing, the types of data being processed
- Data breach notification - the company has to report data breaches to data protection authorities and to affected data subjects
- Data protection officer- company has to appoint a DPO whos job is to ensure privacy and protection of personal data
- New requirements for profiling and monitoring - this mostly affects marketing companies and AD-platforms that keep track of user demographics and similar data, that allows showing more relevant ads to users.
Does GDPR require EU data to be stored in the EU?
No. The GDPR does not require EU personal data to be physically stored in the EU, nor does it place any new restrictions on data transfer other than the ones that already existed.
What Jitbit is doing about GDPR
Jitbit welcomes the GDPR and is fully compliant. GDPR is an important step towards protecting private data. Both our founders have been very vocal about the terrifying dangers we all face in light of rapid technological developments, such as AI, face-recognition, the rise social networks etc.
Note from Alex, our founder: "I'm personally very happy about the GDPR and don't get all the whining. First thing I'm going to do in May 2018 is request a copy of my personal data from Google just for kicks. I'm really interested of what's going to happen next. I'd also like to request Google to remove any personal data from my Google Photos family archive, like our names, social graph, locations, people present on the photos etc. Will blog about the results."
Now back to GDPR and our SaaS help desk software:
1. First of all, we are based in the EU, so we're in the same boat. Our new legal entity is "Jitbit Baltic SIA" based in Latvia so "Brexit" does not affect us in any way.
2. Jitbit's cloud-hosted helpdesk app collects no personal data other than full name and email of helpdesk app users (both end-users and administrators or helpdesk-agents). We do not even store our paying customers' addresses, VAT numbers, company names, locations or credit card numbers when they make a purchase - this data simply does not exist on our servers, it stays at the payment gateway, and we have no access to it. We do not use the data for any marketing research or "machine learning". But our clients can choose to store personal data in their tickets (more on that in #6) - this data is protected by GDPR.
3. Jitbit already has the "right to be forgotten" procedure in place, implemented and operational. We physically delete the clients' data once they cancel their account and/or the account expires. In addition, we don't use any personal data for marketing, profiling or similar purposes. The "data portability" part works too - any Jitbit customer can request an actual copy of their account data, this has been working for years.
4. Jitbit is already HIPAA-compliant (HIPAA is an American thing that protects medical patients' private healthcare information, which is even more strict than GDPR). Which means we already have all the policies and procedures in place: we do have a Data Protection Officer, we do encrypt all the data both when storing AND transferring it, we do have a breach notification procedure, we also perform regular in-house training for all our employees.
5. Jitbit has less than 250 employees (way less, in fact), which means we don't have to keep records of data processing activities.
6. Jitbit is a "data processor". Our clients - the companies that use our hosted helpdesk solution - might add one or more "custom fields" to their helpdesk tickets, that can store personal data. For example "taxpayer ID" or "address" or something similar. In this case the client does have to perform some extra steps to comply with the GDPR, for example, inform their customers about collecting this data and the purposes ("consent"). While Jitbit will take care of the safety of the data and implementing the "right to be forgotten" and "data portability".
7. Jitbit takes all reasonable steps to ensure the reliability of any personnel who have access to personal data. Jitbit has in place all reasonable technical and organisational measures to keep all personal data confidential and secure and to protect personal data against accidental loss or unlawful destruction, alteration, disclosure or access.
8. Jitbit does not allow any subcontractors to access our client's (or our client's clients) data without permission.
9. Helpdesk is hosted in Amazon's "private cloud" (as in "not visible from the Internet"), only 2 people have access to the database. And we have a DPA (Data Processing Agreement) signed with Amazon.
More technican details can be found in our KB.
Adding a consent checkbox to "new ticket" forms
Please refer to this blog post for instructions on how to add a "I agree with privacy policy" checkbox to the ticket-creation form and learn more about the data-export options.
Data processing agreement
We also have our own Data Processing Agreement template which we will provide and sign upon request. Contact our support to get started.