IntakeQ and GDPR
In April 2016, the European Parliament and Council adopted the General Data Protection Regulation (GDPR). GDPR is a significant change in data protection regulation in the EU and replaces the existing legal framework (the Data Protection Directive and the various member state laws that implemented it). GDPR applies from May 25, 2018.
We at IntakeQ wholeheartedly support the privacy rights of our customers and users. Due to our HIPAA compliance efforts, we already have solid security and privacy practices in place, many of which go beyond the requirements of this new regulation.
Why is it Important?
GDPR adds new requirements regarding how companies must protect the personal data of individuals that they collect and process. It also raises the stakes for compliance by strengthening enforcement and imposing much larger fines for non-compliance.
The Data Protection Principles include requirements such as:
- Personal data collected must be processed in a fair, legal, and transparent way and should only be used in a way that a person would reasonably expect.
- Personal data should only be collected to fulfill a specific purpose and it should only be used for that purpose. Organizations must specify why they need the personal data when they collect it.
- Personal data should be held no longer than necessary to fulfill its purpose.
- People covered by the GDPR have the right to access their own personal data. They can also request a copy of their data, and that their data be updated, deleted, restricted, or moved to another organization.
Is IntakeQ a Data Processor or a Data Controller?
It depends on which data we are talking about. With regard to your own personal data as an account holder (name, email, etc.), IntakeQ acts as a data controller. When it comes to your clients' data that is collected via IntakeQ, we act as a data processor and you, as the account owner, are the data controller.
Does GDPR require that my information be stored in the EU?
No. Under GDPR, a company is allowed to transfer personal data outside of the EU provided that it puts in place a mechanism to make sure that personal data is adequately protected even when it is transferred outside of the EU.
Data collected via IntakeQ from non-US customer accounts is stored in Canada and is governed by PIPEDA (the Personal Information Protection and Electronic Documents Act).
A transfer can be made to a non-EU country where the European Commission has decided that the destination country ensures an adequate level of protection, and Canada's PIPEDA has been recognized as providing such an adequate level of protection for the commercial organizations it covers. Currently, only 11 jurisdictions have been granted this recognition (see reference). While this may change in the future, for the time being, EU personal data can be transferred to organizations in Canada that are subject to PIPEDA without meeting further requirements (e.g., without obtaining consent for the transfer).
In order to provide our services, some data may be processed by companies in the USA (e.g. our SMS provider and e-fax provider). IntakeQ has verified that these service providers are certified under the EU-U.S. Privacy Shield framework, which is the transfer mechanism we rely on for those sub-processors.
What has IntakeQ done to prepare for GDPR?
IntakeQ has always made a rigorous effort to protect your data. Whether undergoing a self-imposed, third-party HIPAA verification or achieving PIPEDA compliance, we keep data security and trust at the forefront of our business. The General Data Protection Regulation (GDPR) is another opportunity for us to demonstrate this to you.
Here are just a few of the steps that we have taken to ensure GDPR compliance:
- We conducted a GDPR audit and gap assessment with our legal consultants and product team to make sure we were in compliance by May 25th.
- We are moving data from our non-US customers to Canada, whose privacy regulations are more closely aligned with GDPR (according to the European Commission's adequacy decision). We have also started work on a plan that will eventually allow us to store data from EU accounts inside the EU.
- Our product team has been working to implement necessary changes to support our users who need to comply with GDPR. This includes changing our data retention strategy and planned features to streamline consent and data requests.
- We have reviewed models of how data flows through the system, how it is used and when it is deleted.
- We executed the proper contracts with our sub-processors and third party vendors to make sure that they are in compliance with GDPR.
- While we already follow strict incident response procedures due to HIPAA, we have reviewed them to ensure that they are in line with GDPR's breach notification requirements.
How do I obtain a Data Processing Addendum?
We offer a Data Processing Addendum to our customers who operate in the EU. Our DPA offers contractual terms that meet GDPR requirements and reflect our data privacy and security commitments to our clients.
To execute a DPA between IntakeQ and your business, log in to your account, navigate to "More > Account > GDPR".
Can IntakeQ sign my custom DPA?
To ensure that no inconsistent or additional terms are imposed on us beyond those reflected in our standard DPA and model clauses, we cannot agree to sign customers' own DPAs. As a small team we also can't make individual changes to our DPA, since we don't have a legal team on staff. Any change to the standard DPA would require outside legal counsel and a lot of back-and-forth discussion that would be cost-prohibitive for our team.