Sipexa and Sipexa Flow’s Journey Towards GDPR Compliance
We had sent out an email to all our customers two weeks before the regulation came into force, informing them about changes to the terms of service and privacy policy. We mentioned some of the changes we are internally working on pending to be completed before the 25th of May.
Today, we are happy to announce that SIPEXA AND SIPEXA FLOW are GDPR compliant.
1. Identifying Internal Data Collection mechanisms and mapping it to Personal Data being collected.
The first step we took towards GDPR was to identify and document all the channels and mechanisms we use to collect Personally Identifiable Data from EU Data Subjects. We mapped the type of personal data being collected to the channels for better identification.
2. Purpose limitation, Data minimisation and Storage limitation
Once we mapped the Personal Data to the data collection channels, we made sure controls are in place so that the collected data is processed only for the purpose for which it was collected. We also removed any personal data that was not business critical and defined how long this data is stored.
3. Data Protection Impact Assessment
We carried out Data Protection Impact Assessments (DPIA) to help identify, assess and mitigate or minimise privacy risks in our data processing activities.
4. Legal basis for Processing Data
SIPEXA AND SIPEXA FLOW use Consent, Legitimate Interest and Contracts as legal bases for processing, depending on the personal data we collect. We identified the legal basis and mapped it to the personal data we collect.
5. Individual Rights
We created our own internal process for how we respond to and resolve requests from data subjects regarding their individual rights. These rights include the right to information, the right to rectification, the right to access, the right to erasure, the right to restrict processing, the right to data portability, the right to object and the right not to be subject to automated decision making, including profiling.
6. Security
We conduct regular vulnerability tests and annual penetration testing as part of our audits. We make sure suitable security measures are in place to ensure the confidentiality, integrity and availability of information. We also use pseudonymisation through encryption and hashing to make sure all personal data is protected. We are taking appropriate technical and organisational measures to adequately protect Personal Data against accidental or unlawful destruction, loss, alteration, unauthorised disclosure of, or access to Personal Data.
7. Sub-processors
SIPEXA AND SIPEXA FLOW have signed agreements with sub-processors instructing them how to process personal data and ensuring that they are GDPR compliant too.
8. Privacy Policy and Data Processing Agreement
We updated our Privacy Policy, which now describes how we collect, use, share and process EU data subjects' personal data and our customers' personal data, both as a Controller and as a Processor. We also created a Data Processing Agreement (DPA), which regulates our responsibilities as a host, thus allowing our clients to have GDPR compliant sites themselves if they need to. This document also describes how we communicate with customers if there is a breach and how we respond to requests from data subjects.
9. Website updates
We updated our website to display the cookie policy. We also now require our users to consent to our Terms of Service and Privacy Policy before signing up.
GDPR is not a one-time effort. It is a continuous process, and we will be reviewing our processes regularly to make sure we do not breach any obligations set forth by GDPR, and we will closely follow further updates to the regulation.
If your business processes the personal data of EU data subjects and you want to run that data through SIPEXA AND SIPEXA FLOW, we’ve got you covered.