The General Data Protection Regulation (GDPR) is a regulation adopted by the European Parliament, the Council of the European Union and the European Commission to strengthen and unify data protection for all individuals within the European Union (EU). It imposes a set of obligations, built on a small number of principles, on any business that handles the personal data of data subjects in the EU, regardless of where that business is located.
These fundamental principles state that personal data should be:
Groove takes the data privacy and security of our customers very seriously. We are committed to ensuring the highest standards of data security: our compliance, data protection and information security team is working to ensure all our services are ready for GDPR. We are reviewing our data processing activities, and assessing and prioritizing any changes that need to be made in advance of the GDPR. We intend to be GDPR compliant by the GDPR effective date, which is May 25th, 2018.
Groove operates both as a controller (for the data of our own customers and users) and as a processor (for the end-customer data our customers store in Groove), which means we are implementing changes in both of these roles. Below you will find an outline of the topics we are currently working on.
We have security incident management policies and procedures in place, which we are expanding to ensure they meet GDPR standards for personal data breaches, in particular the notification of the appropriate supervisory authority and, where we act as a processor, of the affected controller.
In line with GDPR's right to erasure (the "right to be forgotten"), we are introducing internal procedures that streamline the handling of erasure requests. We will also be expanding our product features to automate these procedures.
We are investigating the scope of changes required to fulfill the data portability requirement. Our customers already enjoy full data portability through our API, which allows them to access their data in a portable, machine-readable form as well as to import data from other systems.
We will be introducing changes to the signup process and the Privacy Policy in order to align ourselves with GDPR's principles of lawfulness, fairness and transparency.
We are reviewing our existing security procedures to see whether they need to be amended to fulfill GDPR requirements. We are committed to ensuring the best security for our customers, which means choosing the best hosting providers and data storage solutions, including those holding ISO 27001 and PCI DSS Level 1 certifications. We ensure encryption of data in transit not only between you and our servers but also internally, between the components of our application.
We are looking into supplementing our Privacy Policy with a Data Processing Agreement (DPA) for our EU customers, which would incorporate the EU Standard Contractual Clauses (Model Clauses) for international transfers. We are also working towards certification under the EU-U.S. and Swiss-U.S. Privacy Shield frameworks.