At Names & Faces data security and privacy of personal information are of great importance. Given the nature of our business, establishing a deep foundation of trust with our clients is key to our success.
We worked with independent auditors and legal teams at Deloitte Cyber Security & Lewis Silkin to prepare for GDPR (the new European data protection law that came into effect on 25 May 2018) to ensure that we understood our GDPR obligations.
GDPR applies to all companies processing data of European Union citizens, regardless of whether a company is based within the European Union or not. Here's how the GDPR requirements apply to the Names & Faces service and to our role as a data processor.
[Note: This post was first published in April 2018 on Medium.]
Generally speaking data privacy laws across the globe provide for the idea of privacy as a fundamental right. This includes that organisations should keep track of what data they own, who controls it, how it is being processed and how it is secured.. The GDPR has been introduced, considering technological changes such as social media interaction, cloud storage, and other technological developments of modern times, that did not exist when privacy laws were initially drafted and implemented. The GDPR ensures a consistent application of data privacy legislation across the European Union and it places stringent requirements on companies to keep track of what personal data they have on hand, who controls it, how it is being processed and how it is secured.
Being a young company with new systems, we have an advantage over older companies when it comes to GDPR compliance. Many older and bigger companies have complex IT setups with data stored in numerous scattered and unconnected systems — many of which they’re not even aware of. We‘ve known about the introduction of GDPR since our inception, so we’ve built our systems from the ground up to ensure: we always know where the personal data is that we hold; we know how long we’ve held it for; we have the necessary permissions to process it; and we’re able to edit it, export it or delete it if given instruction to do so by the person or organisation to whom it belongs.
When providing the Names and Faces service, we act as a data processor for you — our client — who is the data controller. We use personal data received from you as authorized by you and in terms of our agreement with you. Below we’ve highlighted the main aspects of the regulation that apply to the Names & Faces service followed by a short explanation of how we comply.
The processing of personal data should be “adequate, relevant and limited to what is necessary for the purposes for which they are processed”.
At Names & Faces, we only ever process data received from you on your instruction and will not process data received from you for use in any contexts other than those agreed to in our Client Terms of Service.
Users agree that we track their activity for statistical and analytical purposes. This tracking helps us improve our service, report back to our clients on how their users are making use of the Names and Faces service and helps us to monitor whether users are abiding by our Acceptable Use Policy.
The Names & Faces service is simply a reflection of the data you, as our client, provide to us. We store backups of your current data for a maximum of 60 days after which point these backups are permanently deleted from our systems.
The accuracy of the data displayed in Names & Faces is a reflection of the data you, as our client, provide to us for processing. Our service allows data to be updated or corrected.
We adopt several world class security measures to protect the data in our systems from unauthorized access, illegal processing and loss. All services in our ecosystem make use of two-factor authentication. We’ve implemented Data Loss Prevention (DLP) on our email clients and cloud storage systems which monitors, protects and alerts us to the unauthorized accessing of sensitive data. All client data is stored on Amazon Web Services (AWS) in a database managed by AWS. All client data stored in our databases is encrypted whenever in transit between the server and any Names & Faces Service.
When a user leaves an organisation that subscribes to the Names & Faces service, the system revokes their access and all data is remotely wiped from their device, preventing unauthorized access.
We have appointed a data protection officer. Together with our CEO he is also heading up an internal project to for Names & Faces to be SOC 2 compliant. We aim to achieve this certification by the end of 2019.
For Clients: you may request an export of your data from us, you may correct your data through our administration system or have your data deleted from our systems by submitting a request to us which we’ll fulfill within 48 hours.
For Users: Since users are granted access by virtue of our agreement with our client, users can request an export of their data, the correction of their data or the deletion of their data from their master administrator, who can then carry out that request or communicate it to Names & Faces which we will fulfill within 48 hours.
How do I find out about Names & Faces data practices?
What information will be included in an export of my data?
Data exports will include all data originally provided to us by our client along with associated and identifiable usage data. This will be shared as a CSV along with a folder of all related photographs.
What information will be deleted upon my request for deletion of user information?
We will delete all data and photographs originally provided to us by our client including associated and identifiable usage data.
How do I request export or deletion of my data?
Please email us at firstname.lastname@example.org to request an export or deletion of your data.
Does an organization require its employees to give their consent to be featured in Names & Faces?
Employers may require their employees to give consent, depending on the type of personal data. Often an organisation does not need to obtain each employee’s consent to include them in Names & Faces, because Article 6. 1 b) of the GDPR says that “…if processing is necessary for the performance of a contract to which the data subject is party, the processing is lawful.” In this case, since your employees are contractually employed by the organisation and the organisation has chosen Names & Faces as a necessary service within the organisation, processing employee data for purposes of the Names & Faces service is lawful.
If you have any questions relating to GDPR, please feel free to contact us.
Please note this article has been prepared for general information purposes only; it is intended to help you to learn more about Names & Faces’s position on GDPR. The information presented is not legal advice, is not to be acted on as such, may not be current and is subject to change without notice.