Smartly's GDPR Commitment
Protecting Your Data
The GDPR is the most comprehensive EU data privacy law in decades, and is coming into effect on May 25, 2018. Besides strengthening and standardizing user data privacy across the EU, it will impose new or additional obligations on all organizations that handle EU citizens’ personal data, regardless of where the organizations themselves are located. On this page, we’ll explain our methods and plans to achieve GDPR compliance.
Preparing for the GDPR
The GDPR's updated requirements are significant and our team is working diligently to ensure Smartly is in compliance. Measures to achieve this include:
- Continuing to invest in security infrastructure
- Ensuring we can support international data transfers by maintaining Privacy Shield self-certifications
- Changing our policies and product offerings to include tools for data management
We will also continue to monitor the guidance around GDPR compliance from privacy-related regulatory bodies and adjust our plan accordingly.
Smartly is Privacy Shield certified. Privacy Shield is a voluntary program for US organizations to show that they have adequate data protections in place to meet EU requirements regarding the transfer of personal data outside of the EU. Smartly will work hard to maintain its Privacy Shield commitments and looks forward to the success of the program.
Commitments as a Data Controller
Data controllers are companies that supply goods or services to EU residents, or that track or monitor EU residents and decide why and how data is collected and processed. Data processors are vendors or businesses that process data on behalf of data controllers. As a Data Controller, we are committed both to ensuring our practices are sound within the scope of the GDPR and to ensuring we only work with compliant data processors.
In support of this, the following are initiatives we have undertaken:
- Information Audit: As part of the GDPR, we have completed a thorough audit of all data collection, data flows, and data processing within Smartly and between us and our cloud vendors.
- Information Asset Register: From our information audit, we have created an information asset register. This allows us to ensure we are properly tracking, securing, and when applicable, removing user information across our internal systems.
- Vendor Compliance: We are following up with all of our vendors to ensure they are on track to achieve and maintain GDPR compliance.
- Support for Deletion Requests: Smartly has always allowed for users to request deletion of their account and application data. Going forward, we will implement additional product messaging to make this feature more widely known.
- Breach Notification Policy: In line with our current policies, Smartly will promptly inform users of any incidents involving user data.
- Lawful Bases Identification: The GDPR allows for a number of lawful bases for processing data. Smartly is committed to documenting our bases for data processing and will work to inform users in the appropriate manner.
- Product Adjustments: As part of compliance, Smartly will continue to modify the product to ensure we are meeting both regulators' and users' expectations under this law.
The GDPR is a complex law, with many best practices yet to be agreed upon. Smartly is committed to following developments in this area and implementing best practices in a timely manner as they emerge. As a company, we believe the new legal requirements will raise the bar for honoring end users’ rights.