What is the EU’s General Data Protection Regulation (GDPR)
The General Data Protection Regulation (GDPR) is a set of regulatory requirements created to give European Union (EU) citizens more authority and protection over their own personal data. Replacing the previous data protection laws across Europe, the GDPR applies to all EU Member States and it's strictly enforced and augmented by national legislation.
The GDPR applies to any company that provides any type of goods or services to EU citizens. Companies that are not based in the EU but process the personal data of individuals residing in the EU also need to comply with the GDPR.
FormHero and the EU’s GDPR
At FormHero ("us", "we" or "our"), we're committed to helping our users understand their rights and obligations under the GDPR, effective as of May 25, 2018. Our smart forms, tools and processes ensure we follow GDPR's requirements and we want to help our clients and partners comply as well.
What Aspects of the GDPR will FormHero Commit to?
While FormHero is not legally obligated to follow these standards, our belief in privacy rights aligns us with the fundamental principles of the GDPR.
We support the GDPR because it empowers individuals against the misuse of their personal data and identifiable information. We believe that any organization or corporation that processes anyone's personal information in the regular course of its business must facilitate these rights to protect personal information, or face the appropriate consequences under the rules on non-compliance.
Our FormHero clients and partners have an obligation to explain the purpose of the data they are collecting using FormHero at the time they collect it. This explanation may be provided within the content of each Smart Form, or through the application or web site that is used to launch a FormHero Smart Form.
Understanding the 6 Principles of the GDPR:
Lawfulness, Fairness and Transparency
Transparency - The individual must be advised and informed about how their personal information and data will be processed.
Fairness - Consideration of, and understanding of, the impact of using a person's data. Processing of data must be as described when informing the user.
Lawfulness - No unlawful use of the user's personal data.
Purpose Limitation
Personal information may only be collected for “specified, explicit and legitimate purposes” [article 5, clause 1(b)]. Organizations must clearly state the reason why the personal data is being collected and may retain the data until their stated purpose is completed.
Data Minimisation
Data collection must be “adequate, relevant and limited to what is necessary in relation to the purposes for which they are processed” [article 5, clause 1(c)]. Only the minimum amount of data required to perform the stated purpose should be collected.
Accuracy
Stored personal data must be “accurate and where necessary kept up to date” [article 5, clause 1(d)]. “Every reasonable step must be taken” to remove or update data that is considered to be incomplete or inaccurate.
Storage Limitation
Personal information and data may only be stored for as long as it is necessary. For data stored for a longer period of time, it must be proven that the data will “be processed solely for archiving purposes in the public interest, scientific or historical research purposes or statistical purposes” [article 5, clause 1(b)].
Integrity and Confidentiality
Personal data must be protected in a secure manner during both processing and storage. Security must include "appropriate technical and organisational measures" to ensure the requirements of the GDPR are met.
FormHero’s Commitment to GDPR
What we have done to comply with GDPR:
- Updated our Information Security policies, procedures and standards
- Reinforced our organizational commitment to Information Security
- Committed to enable security toll-gates at every interval of our development lifecycle
- Added GDPR to our Third-Party Service Provider risk assessment and management programs
- Reinforced our commitment to comply with legal and regulatory standards and to exceed current industry standards wherever possible
- Reinforced our commitment to meet and exceed industry standards & to obtain certifications
- Updated all relevant master services agreements
We are also monitoring the guidance around GDPR compliance from privacy-related regulatory bodies and have updated our product features and contractual commitments accordingly. We will provide clients and partners with regular updates so that they are always up to date on FormHero compliance.
Information privacy and protection regulations such as the GDPR are each one piece of a larger whole that helps protect against data misuse and exploitation. The GDPR isn't a magic bullet that resolves all data privacy issues, but rather helps us build upon the previous, current and existing laws, regulations and standards. We are pleased that it is so well aligned and consistent with our organization's policies and ideology.