Envoy + GDPR
The EU General Data Protection Regulation (GDPR) will go into effect on May 25, 2018. And like many companies, we’ve been working diligently to understand both what we need to do to stay compliant and how we can help you comply with this regulation when using Envoy.
To do this, we examined the guidelines from GDPR and asked ourselves a few key questions—some of which your company may have been asking too, as we all get ready for this new regulation:
- What are the requirements of our EU customers?
- Are there internal policies we need to adjust?
- Do we need to make changes to our products?
Customers are always first!
At Envoy, we always aim to create great experiences for our customers. This means making sure everybody can confidently use Envoy, regardless of where you do business or who you do business with.
To provide a better experience around GDPR, the first thing we needed to understand were the different roles. These roles are based on how a company interacts with user data, and are defined as either data controllers or data processors. Because you’re collecting personal data for your company’s use, you are considered a data controller.
Envoy is considered a data processor because we process personal data on behalf of you, our customer. As we work toward our compliance as a data processor, we’re also here to help you with your compliance needs.
Envoy + GDPR
While it’s up to each company to define their own internal practices to be compliant with GDPR, Envoy will help data controllers in two key areas:
Right to erasure: Envoy customers can request that their data stored by Envoy is erased at any time. You can send an email to [email protected] and the team will assist to make sure the person’s data is anonymized in our systems. We maintain a record that a visit occurred, so that visit metrics remain accurate, but we remove all personal data about the visitor.
Consent to data capture: When visitors sign in, they’ll confirm that they consent to their information being collected. If they do not consent they will not sign in via Envoy. Instead, Envoy will alert a designated person at your company that a visitor is present and that they do not wish to have their data collected.
Disclosures: We will also make changes to our terms of service to outline how we handle customer data and ensure that it’s easy for you to inform visitors where their data is stored.
These updates will be available to enable in Envoy Visitors by early May, before GDPR goes into effect on May 25. We’ll let you know when these features are ready and how to best use them to meet your company’s needs.
Clearing up confusion about GDPR
As the industry grapples with GDPR changes, we’ve received lots of questions from our customers. We wanted to share some of the most common inquiries we’ve heard:
Q: Does GDPR mean my customer data must be stored in the EU?
A: GDPR does not mandate where data should be stored. Article 46 of GDPR allows personal data to be transferred outside the EU if the data controller has provided appropriate safeguards. Envoy is self-certifying under the U.S./EU Privacy Shield program as part of our compliance efforts under GDPR.
Q: Do I have to purge the data if a visitor requests it?
A: Because Envoy is considered the data processor and our customer is considered the data controller under GDPR, the ultimate decision of how to respond to a request for erasure falls on the data controller (aka the customer). There is a general Right for Erasure under Article 17 of the GDPR but Customers (as controllers) should engage with their legal counsel to determine their specific responsibilities and liabilities under GDPR. Envoy cannot provide legal guidance to customers on this topic.
Q: How long will it take Envoy to purge/anonymize visitor data once I make the request to [email protected]?
A: Per GDPR requirements, once Envoy has received a request from a data controller to anonymize visitor information, Envoy will respond without undue delay. Under special circumstances, Envoy may request an extension to process the request but the data controller will be notified in writing. (Details: Article 12)
Q: If we mistakenly purge/anonymize visitor data, can it be recovered?
A: When data is anonymized by Envoy, the data is no longer accessible within the production application. Back-ups are stored for up to 90 days with non-anonymized data. After 90 days, the data is irretrievable.
Q: My IT/security team is requesting more detail or documentation showing Envoy’s compliance with GDPR. How can I request this?
A: The answers to most security questions can be found here. If you are currently an Envoy customer and require additional documentation, then please reach out to your assigned account executive or customer success manager. You can also email [email protected] to contact Envoy’s security team.
Please note that answering security questionnaires or reviewing customer documentation takes some time, depending on several factors. Customers may also be required to sign a mutual NDA before sharing sensitive internal documents or company policies.
Q: What about other products that I can integrate Envoy with?
A: Customers should consider the use of Envoy integrations (such as Box, Dropbox, Eventbrite, and Envoy webhooks) when examining their own GDPR compliance. If you configure an integration for Envoy Visitors, consider how your company will use that integration. If, for example, you decide to enable a webhook to trigger an internal system, or export all of your visitor logs to Box occasionally, take care to consider these other systems when responding to erasure requests, disclosures, and other GDPR-related compliance.
Note: We suggest you consult your own legal counsel if you have further questions about GDPR requirements for your organization.
If you have specific questions about your compliance needs around visitor management, we’re happy to help. Feel free to email [email protected] at any time.