GDPR Overview

INFO: The EU General Data Protection Regulation (GDPR) will set a new standard for how companies use and protect EU citizens’ data. The regulation will become effective on 25 May 2018. You can find all information about GDPR at https://www.eugdpr.org/.

Over the last few months, we’ve been receiving questions about compliance with the General Data Protection Regulation (GDPR). We have worked hard to ensure that we fulfill its obligations and maintain our transparency about personal data processing. As a result, we can now officially announce that RedRansom is compliant with the GDPR.

WARNING: RedRansom is fully committed to achieving compliance with the General Data Protection Regulation, which will go into effect May 25, 2018.

This post outlines what we have done to make sure that RedRansom meets GDPR obligations.

GDPR overview

The purpose of GDPR is to protect the private information of EU citizens and give them more control over their personal data. Under GDPR, private information is defined as any information that directly or indirectly identifies an individual. This includes information such as social security numbers, location data, online identifiers, pseudonymous data, and genetic or biometric data, such as fingerprints and facial recognition data.

Specifically, GDPR grants EU citizens the following controls over their personal data:

Transparent information about data processing

Every company that holds and/or processes the data of any person in the EU is obligated to provide that data subject with any information relating to the processing of this data.

Right of access

Data controllers will be required to fulfill requests from individuals seeking access to their private data or information on how it is being used. Data collectors and processors will have to detail how the personal information was obtained, how and why it is being used, as well as with whom the company is sharing the information. Companies will also be mandated to provide the individual with a copy of their personal records.

Right to be Forgotten

Individuals can decide they no longer want their personal data to be processed and request all their information to be deleted.

Notice of security breaches

Individuals must be alerted within 72 hours if their personal data has been hacked or otherwise compromised.

Privacy by design

The idea has existed as a concept for years now, but it is only just becoming a legal requirement with the GDPR. At its core, privacy by design calls for data protection to be included from the onset of designing a system, rather than added afterwards.

Data portability

Individuals will be permitted to move their personal data from one company to another upon request, without opposition from the data controller.

RedRansom and GDPR

Over the last few months, we’ve gotten questions asking about our General Data Protection Regulation (GDPR) compliance. In October 2017 we thoroughly researched the areas of our product and our business impacted by GDPR. Here are the important points regarding RedRansom and GDPR:

Transparent information about data processing

Article 4 of the GDPR defines data controllers and data processors as follows:

Controller – the natural or legal person, public authority, agency or other body which, alone or jointly with others, determines the purposes and means of the processing of personal data; where the purposes and means of such processing are determined by Union or Member State law, the controller or the specific criteria for its nomination may be provided for by Union or Member State law.

Processor – a natural or legal person, public authority, agency or another body which processes personal data on behalf of the controller.

For example, if Acme Co. sells widgets to consumers and uses Email Automation Co. to email consumers on their behalf and track their engagement activity, then, with regard to such email activity data, Acme Co. is the data controller, and Email Automation Co. is the data processor.

This distinction is important for compliance. The GDPR treats the data controller as the principal party for responsibilities such as collecting consent, managing consent revocation, enabling the right of access, etc. A data subject who wishes to revoke consent for his or her personal data therefore contacts the data controller to initiate the request, even if such data lives on servers belonging to the data processor. The data controller, upon receiving this request, would then proceed to request that the data processor remove the revoked data from their servers.

RedRansom as a Data Controller

In its role as a Data Controller, as defined above, RedRansom stores the following personal data:

  1. Client email address
  2. Client name
  3. Client phone number

Why we collect this

  • We need your Personal Information to stay in contact with you.

INFO: We do not store any Credit Card information.

TIP: The full list of vendors used by RedRansom is available at the end of this page.

We limit our use of your Personal Information to the purposes listed in our Privacy Statement. We do not share, sell, rent, or trade Personal Information with third parties.

RedRansom as a Data Processor

We don’t use customer data for any purpose other than contact, as we don’t currently provide a newsletter or marketing service.

Right of access and Right to be Forgotten

RedRansom doesn’t ask for more personal data from our users than we need to provide our services to you. We provide you the ability to access and delete the data you have given us (e.g. you can remove your profile information at any time).

We have also gone through our Privacy Statement to add context and transparency, so that our users understand exactly why we ask for information and what we’ll do with it.

INFO: If you want to get or erase all information that we have about you, please send a request to kinsley@redransom.co.uk.

Notice of security breaches

RedRansom takes all measures reasonably necessary to protect Personal Information from unauthorized access, alteration, or destruction, to maintain data accuracy, and to help ensure the appropriate use of Personal Information. We follow generally accepted industry standards to protect the personal information submitted to us, both during transmission and once we receive it. We are committed to announcing any security breach within 72 hours after we become aware of such an issue.

Privacy by design

Since the very beginning, the application’s architecture and server infrastructure have been designed and chosen specifically to ensure that all user data is safe.

Data portability

RedRansom, as a private Data Controller, only has access to the data provided during initial conversations with the user.

Our Vendors

We also use services that have already confirmed they meet GDPR requirements or are in the final stage of preparation:

  • SGIS – hosting infrastructure for our clients (Bristol, UK)
  • Braintree – payment processing (United States)