Here's an updated GDPR checklist for all project managers and team leaders, created by our expert on all things legal, Michal. Learn how PrivMX can help your remote team stay GDPR compliant!
The General Data Protection Regulation (GDPR) has been in force for a few years now. It was adopted by the European Union and applies to organisations anywhere in the world that collect or process personal data of people in the EU. So if you process such data (for example store or transfer it), you must comply with the GDPR. One of the main requirements it imposes is to ensure an appropriate level of security for personal data.
PrivMX helps you with that on several levels. The software contains a number of functions and security measures that support proper processing of personal data.
They concern in particular:
In PrivMX, all data, including sensitive and personal data, are stored on a private Team Server and protected with end-to-end encryption. If you share a file or send a message within your PrivMX workspace, it is encrypted on your device, and only you or the other Users of your Team Server who are authorised to see it can decrypt it.
Nobody else, not even our team or the employees of the data centre you selected (the entity providing you with PrivMX services and storage space), is able to decrypt and read the data stored on your Team Server. This matters when choosing security measures for particularly sensitive data under the GDPR: Article 32 explicitly names encryption of personal data as one of the appropriate technical measures. Keep in mind that encryption protects confidentiality; the same article also expects you to be able to restore access to personal data after an incident, so the keys that let your Users decrypt must themselves be backed up and protected.
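To make the "only the chosen users can decrypt" property concrete, here is an added example in Go. It is not PrivMX's code and does not describe PrivMX's actual protocol; it is a generic end-to-end envelope in which the sender encrypts a file with a random key on their own device and wraps that key once per authorised recipient using X25519 key agreement and AES-GCM. Everything a server would store (the Envelope) is ciphertext plus public keys, a member who was not on the recipient list gets ErrNotAuthorized, and a modified ciphertext is rejected. The type and function names, the key sizes, the SHA-256 key derivation and the sample message are all illustrative assumptions.

```go
package main

import (
	"crypto/aes"
	"crypto/cipher"
	"crypto/ecdh"
	"crypto/rand"
	"crypto/sha256"
	"encoding/hex"
	"errors"
	"fmt"
)

// ErrNotAuthorized is returned when the envelope holds no wrapped file key for
// the member trying to open it: the ciphertext alone is useless to them.
var ErrNotAuthorized = errors.New("no wrapped file key for this member")

const gcmNonceLen = 12 // standard AES-GCM nonce size

// Member is a workspace user holding a long-term X25519 key pair (hypothetical
// name). Only the public half ever leaves the device.
type Member struct {
	Name string
	priv *ecdh.PrivateKey
}

func NewMember(name string) (*Member, error) {
	priv, err := ecdh.X25519().GenerateKey(rand.Reader)
	if err != nil {
		return nil, err
	}
	return &Member{Name: name, priv: priv}, nil
}

func (m *Member) Public() *ecdh.PublicKey { return m.priv.PublicKey() }

// Envelope is what a server would store and relay: ciphertext, public keys and
// one wrapped copy of the file key per recipient. No plaintext, no private keys.
type Envelope struct {
	SenderPub   []byte
	Nonce       []byte
	Ciphertext  []byte
	WrappedKeys map[string][]byte // hex(recipient pub) -> nonce||AES-GCM(fileKey)
}

func newGCM(key []byte) (cipher.AEAD, error) {
	block, err := aes.NewCipher(key)
	if err != nil {
		return nil, err
	}
	return cipher.NewGCM(block)
}

// encrypt returns a fresh random nonce and the AES-GCM ciphertext.
func encrypt(key, plaintext, aad []byte) ([]byte, []byte, error) {
	aead, err := newGCM(key)
	if err != nil {
		return nil, nil, err
	}
	nonce := make([]byte, aead.NonceSize())
	if _, err := rand.Read(nonce); err != nil {
		return nil, nil, err
	}
	return nonce, aead.Seal(nil, nonce, plaintext, aad), nil
}

func decrypt(key, nonce, ct, aad []byte) ([]byte, error) {
	aead, err := newGCM(key)
	if err != nil {
		return nil, err
	}
	return aead.Open(nil, nonce, ct, aad)
}

// wrapKey derives a pairwise key from the X25519 shared secret. A single
// SHA-256 over secret||senderPub||recipientPub stands in for HKDF here.
func wrapKey(secret, senderPub, recipientPub []byte) []byte {
	h := sha256.New()
	h.Write(secret)
	h.Write(senderPub)
	h.Write(recipientPub)
	return h.Sum(nil)
}

// Seal encrypts plaintext on the sender's device with a fresh random file key
// and wraps that key once for each authorised recipient.
func Seal(sender *Member, recipients []*ecdh.PublicKey, plaintext []byte) (*Envelope, error) {
	fileKey := make([]byte, 32)
	if _, err := rand.Read(fileKey); err != nil {
		return nil, err
	}
	senderPub := sender.Public().Bytes()
	nonce, ct, err := encrypt(fileKey, plaintext, senderPub) // sender key bound as AAD
	if err != nil {
		return nil, err
	}
	env := &Envelope{SenderPub: senderPub, Nonce: nonce, Ciphertext: ct, WrappedKeys: map[string][]byte{}}
	for _, pub := range recipients {
		secret, err := sender.priv.ECDH(pub)
		if err != nil {
			return nil, err
		}
		wn, wc, err := encrypt(wrapKey(secret, senderPub, pub.Bytes()), fileKey, nil)
		if err != nil {
			return nil, err
		}
		env.WrappedKeys[hex.EncodeToString(pub.Bytes())] = append(wn, wc...)
	}
	return env, nil
}

// Open recovers the plaintext for one member. It fails if the member was not
// on the recipient list or if the envelope was modified in transit or at rest.
func Open(m *Member, env *Envelope) ([]byte, error) {
	myPub := m.Public().Bytes()
	wrapped, ok := env.WrappedKeys[hex.EncodeToString(myPub)]
	if !ok {
		return nil, ErrNotAuthorized
	}
	if len(wrapped) < gcmNonceLen {
		return nil, errors.New("malformed wrapped key")
	}
	senderPub, err := ecdh.X25519().NewPublicKey(env.SenderPub)
	if err != nil {
		return nil, err
	}
	secret, err := m.priv.ECDH(senderPub)
	if err != nil {
		return nil, err
	}
	fileKey, err := decrypt(wrapKey(secret, env.SenderPub, myPub), wrapped[:gcmNonceLen], wrapped[gcmNonceLen:], nil)
	if err != nil {
		return nil, err
	}
	return decrypt(fileKey, env.Nonce, env.Ciphertext, env.SenderPub)
}

func main() {
	alice, _ := NewMember("alice")
	bob, _ := NewMember("bob")
	carol, _ := NewMember("carol")
	// Constructed sample message, not real personal data.
	env, err := Seal(alice, []*ecdh.PublicKey{alice.Public(), bob.Public()}, []byte("employee record #1"))
	if err != nil {
		panic(err)
	}
	got, err := Open(bob, env)
	fmt.Printf("bob (recipient):      %q, err=%v\n", got, err)
	_, err = Open(carol, env)
	fmt.Printf("carol (not recipient): err=%v\n", err)
}
```

Removing someone from a file in this model means re-wrapping the key without them (or rotating the file key); the server never gains the ability to read the data, which is exactly why the "processor cannot read your data" argument holds only as long as private keys stay on members' devices.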
According to the GDPR, you should ensure that all persons who process personal data under your authority (e.g. your employees) do so only to the extent they actually need. Access to personal data must therefore be limited, and unauthorised people must not be able to read or use it.
That is why PrivMX lets you limit access to data stored on a Team Server to the people you deliberately choose. You decide who within your team gets access to certain information, whether that is a whole team or a single selected member. It is also easy to manage access rights per Section, such as chat, files, projects or calendars.
As you may know, many service providers store personal data outside of the EU. Under the GDPR, an organisation using such a provider has to ensure that additional measures are taken to protect personal data in that third country. That may mean signing a special additional agreement, or checking whether you may use such a provider at all.
Additional difficulties arise if you wish to use a US-based provider. In July 2020, in the Schrems II judgment, the Court of Justice of the European Union invalidated the Privacy Shield programme, a special agreement between the EU and the USA that allowed personal data to be transferred to US-based entities which had joined it. At the time of writing there is no replacement agreement providing a secure framework for transfers of personal data to the US. What is more, the Court indicated that US surveillance law does not protect the personal data of people in the EU to the standard the GDPR requires, and that other transfer tools, such as Standard Contractual Clauses, can only be relied on after a case-by-case assessment and, where needed, supplementary measures. In practice, transfers of such data to e.g. US cloud providers are currently very difficult to make compliant with the GDPR.
This is not an issue with PrivMX services. We are a company registered in the EU, in Amsterdam, the Kingdom of the Netherlands. Our data centres are located in various EU countries, and you choose the specific location of your data centre. Therefore we can guarantee that your data will not leave the European Union.
The GDPR requires you to prevent unauthorised access to personal data, e.g. by people who are not acting on your behalf. One important aspect of confidentiality is making sure that nobody can use your login and password (or those of another authorised user) to access your data. That is why PrivMX offers two-factor authentication, with the second factor delivered to your telephone number or e-mail address. A code sent by SMS or e-mail means a leaked password on its own is no longer enough to get in, though it does not protect the account if that phone number or mailbox is itself compromised, so keep those protected too.
PrivMX lets you verify who created, deleted, modified or submitted a specific file, or edited a particular piece of data in a file. This matters because the GDPR requires every data controller to apply appropriate security measures to the processing of personal data, including protection against unauthorised or unlawful processing and against accidental loss, destruction or damage.
A tool that shows who created, modified or deleted a file therefore helps you meet this requirement, and it lets you reconstruct what happened if something does go wrong.
From my experience as a privacy and data security lawyer, it's best to consider introducing GDPR compliance from the bottom up - not by rapidly shaping all your company's policies to fit the rules, but by choosing the right teamwork tools. PrivMX introduces a structure that makes data privacy a seamless part of your daily work routine.
With data breaches on the rise, it’s best to take a holistic approach and keep all your assets - communication, information and documents - in a reliable workspace.