Akita will meet or exceed the requirements specified in the EU’s General Data Protection Regulation (“GDPR”) by the May 25th deadline. This document outlines some of the steps we have taken to make certain that we comply with the new laws.
3rd-Party Sub Processors
We use services provided by 3rd-party vendors to help provide the Akita service and effectively run the Akita business. By the May 25th deadline, we will have entered into GDPR-compliant Data Processing Agreements with each of our vendors. You can find a list of these vendors here.
Security Breach Response
In the event of a data breach, we will notify our customers in a timely manner as required by GDPR and outlined in our Data Processing Agreement.
Consent
We have updated our Privacy Policy and Cookie Policy to clearly identify what visitor and customer information we collect, how we collect it, and why we collect it. In addition we provide information about how you can disable these cookies.
Data Inventory
We have reviewed and identified where we are collecting and processing customer data on the Akita website and in the Akita service. For each instance we have identified our legal basis for collecting and processing this data. We have made certain that we have implemented network, software, and procedural safeguards to ensure the security of this data. Our Privacy Policy identifies what we are doing with the data we collect and how we manage consent.
Data Processing Agreement
We have incorporated a GDPR-compliant Data Processing Agreement into our overall Terms and Conditions. To continue using Akita, you must accept both the DPA and Terms and Conditions. Unfortunately we cannot sign Customer-provided DPAs as doing so would require prohibitively expensive outside legal assistance for each contract.
Data Protection Officer
Akita has appointed David Smith as its Data Protection Officer. He is registered with the Irish Data Protection Commission and is responsible for overseeing customer data security, privacy and GDPR compliance at Akita.
Data Protection Impact Assessments
For each new feature we implement, we will determine if the new feature poses a risk to user privacy and the security of personal data. If the level of risk requires it, we will conduct a Data Protection Impact Assessment that describes the flow of sensitive data through the application, identifies areas of risk, and outlines solutions to mitigate that risk. This DPIA will be signed off by Akita management and implemented as part of the project plan.
Easy to Understand Terms and Conditions and Privacy Policies
We will strive to provide Terms and Conditions and a Privacy Policy that transparently describe the personal data we collect and process and why, how we use it, who we share it with and how long we store it.
Right to Data Access, Portability and Deletion
Akita processes and stores all personal data in a GDPR-compliant manner using only GDPR-compliant Sub Processors. We store your data for 2 years unless your account is cancelled. In the event your account is cancelled, we will delete your data in accordance with our Terms and Conditions.
GDPR requires you provide your users with the ability to access, update, retrieve and remove personal data. Upon request Akita will work with your team to delete or export any data you require. If you have integrated with a 3rd-party application, Akita may re-import that data. You may need to delete or update data in the connected application prior to deleting it from Akita.
Training
Akita has had regular, internal discussions concerning data privacy and GDPR compliance. Our product, sales, and marketing teams have researched and will continue to study ways to make sure Customer data is only used in compliance with GDPR.
Implementation Checklist
Rules | Specific Articles | Status | Comments |
---|---|---|---|
Data Protection Officer (DPO) | Articles 37-39 | Complete | Registered with Office of the Data Protection Commissioner. Nominated David Smith as Data Protection Officer. Paid Applicable Fees. |
Training across all personnel (development and roll out) | Articles 7-8 & 12-15 | Complete | Completed training for all impacted personnel. |
Data breach procedures | Articles 33 & 34 | Complete | Data breach response incorporated into DPA. |
Data processing records | Article 30 | Complete | Record of processing activities, including, purposes of the processing, description of the categories of data and recipients, any transfers. Update periodically. |
Audit and Analysis of privacy framework | Articles 28-30 | Complete | Audit all existing client & third-party contracts to ensure compliance with GDPR. Make necessary amendments. Review & update insurance coverages. Implement processes. Review & control. |
Ensure appropriate technical & organizational measures | Articles 44-50 | Complete | Guarantees by processor to implement appropriate technical & organizational measures to ensure the protection of the rights of the data subjects. Update data protection agreements and appendices. |
Data transfers and export controls | Articles 7-8 & 12-15 | Complete | Identify cross-border data flows and review mechanisms in place. Ensure adequate level of protection with contractual clauses. |
Reevaluate notice, consent and withdrawal mechanisms | Article 20 | Complete | Evaluation of existing consent & procedures in place, and ease of withdrawal. Update internal processes & Privacy Policy to increase transparency. |
Data portability | Article 25 | Ongoing | Provide exports of user data upon request within time specified. |
Data protection by design and by default | Article 32 | Ongoing | Technical & organizational measures to ensure that, by default, only personal data which are necessary for each specific purpose of processing are processed. Implement data protection principles, such as data minimisation. |
Security of processing | Article 35 | Ongoing | Technical & organizational measures to ensure a level of security appropriate to the risks at stake. |
Carry out data protection impact assessment | Article 35 | Ongoing | Created template for future DPIAs. |
Last Updated: 13th May 2018