Last revised on April 24, 2018, effective as of May 25, 2018
The General Data Protection Regulation (GDPR) is a European privacy law approved by the European Commission in 2016 that will go into effect on May 25, 2018. The GDPR will replace a prior European Union privacy directive, Directive 95/46/EC, which has been the basis of European data protection law since 1995. The GDPR is an attempt to strengthen and modernize EU data protection law and enhance individual rights and freedoms, consistent with the European understanding of privacy as a fundamental human right. The GDPR regulates, among other things, how individuals and organizations may obtain, use, store, and remove personal data. In a nutshell, it gives EU citizens and residents control over their personal data while simplifying the regulatory environment for international business that takes place in the EU.
The Data Protection Principles include requirements such as:
GDPR adds some new requirements regarding how companies should protect the personal data of individuals that they collect and process. It also raises the stakes for compliance by increasing enforcement and imposing greater fines for breaches. Beyond these facts, it's simply the right thing to do. At Help Scout we strongly believe that your data privacy is very important, and we already have solid security and privacy practices in place that go beyond the requirements of this new regulation.
With the May 25th deadline fast approaching, our compliance, privacy and information security teams are almost done checking off our GDPR to-do list. Below is an overview of what we have done or are in the process of doing to meet the new regulation requirements.
We offer a data processing addendum (DPA) for our customers who collect data from people in the EU. Our DPA offers contractual terms that meet GDPR requirements and that reflect our data privacy and security commitments to our customers. Our DPA will be finalized and effective on May 25th, when we incorporate it into our Terms of Service. No action will be needed on the part of our current Help Scout customers.
To guarantee that no terms are imposed on us beyond what is reflected in our DPA and Terms of Service, we cannot agree to sign customers' own DPAs. As a small team without a legal team on staff, we are unable to make individual changes to our DPA. Any changes to the standard DPA would require legal counsel and a lot of back-and-forth discussion that would be cost-prohibitive for our team.
If you have any questions or concerns please let us know.
We've formed a core privacy team of leaders from each area of the Help Scout business, headed by our internal Data Protection Officer (DPO). The representatives in this group are the project managers who will ensure all the requirements of GDPR are covered, from Marketing to Engineering to People Ops. The team meets once a month to discuss current progress towards GDPR readiness and will continue to do so following the May 25th deadline. This team is also responsible for developing the Help Scout GDPR awareness training program and validating that everyone at Help Scout understands, and is kept up to date on, the current regulation.
We are in the process of reviewing our list of third-party vendors and performing a deep review of their GDPR compliance. We already have DPAs in place with most of our vendors who offer a signed version, while others are taking the same approach as us and having the DPA be automatically accepted as part of their Terms of Service on May 25th.
We are aware that if you are working with EU customers, you need to be able to provide them with the ability to access, update, retrieve and remove their personal data. We got you! We've been set up as self-service from the start and have always given you access to your data and your customers' data. You can search for and delete any end user's conversation through our help desk UI. If you need to export your end users' data in a computer-readable format, you can do so through our Mailbox API. We've recently launched Mailbox API Version 2.0 and expect to have it marked for general availability in May 2018. Our customer support team is here to answer any questions you might have about working with the new API.
Having a managed data protection impact assessment (DPIA) process is a requirement of GDPR. A DPIA process is simply a way to help us identify and minimize the data protection risks of a project. The Help Scout engineering team has always performed security and privacy due diligence when making tooling and implementation decisions, so this requirement is an easy one for us. Any time we introduce a change to the way we handle personal data, we spend time discussing the potential impact on customers of Help Scout and possible privacy and security risks to personal data. If any risk is identified, no matter how small, our product and engineering teams collaborate on a solution that will mitigate the data privacy and security risk to anyone who interacts with the Help Scout platform. We will continue to execute this risk assessment process as we expand the Help Scout offerings.
We already have a breach management and communication plan in place to support the requirements of HIPAA, and we have updated this existing process to comply with the GDPR regulations concerning the escalation process and the requirements for data subject notification.
We are working with our customers to answer any questions and address any concerns regarding how we protect their personal data and how we are gearing up for GDPR. If you have any questions, please don't hesitate to reach out.