General Data Protection Regulation (GDPR)
What is it?
The GDPR is an EU Regulation to improve the protection of the personal data of EU citizens and increase the obligations of organisations who collect or process personal data. These new regulations take effect on the 25th of May 2018. The regulations greatly enhance the data privacy and security of our customers and extend to them exercisable rights enabling greater control over one's personally identifiable information.
The full specification of the GDPR rights and regulations can be found here
How is Gust changing?
Gust functions as both a controller and processor of our customers' personally identifiable information (PII). Additionally, we employ a number of sub-processors to which we transmit data for storage or processing beyond feature sets under our immediate control.
As a controller of data, we store PII such as customer names, email addresses, physical addresses, IP addresses, phone numbers and avatars. We use a number of databases through GDPR compliant service providers (AWS, Heroku, mLab) to store sensitive customer data.
Gust is also a processor of customer data. We use customer data to compile legal documents, surface content, and facilitate investment-related matchmaking services. A number of sub-processors are leveraged by Gust systems for purposes of financial transaction execution, internal analytics, and system monitoring.
We have a system-wide GDPR compliance effort underway which will manifest itself on the core Gust platform as well as any of our hubs, satellite applications, or other owned properties.
We are both a data controller and data processor and we have several categories of measures to take in order to comply with the GDPR. The general categories are:
- Auditing data collection and processing processes and protocols
- Communicating our GDPR responsibility and accountability
- Collecting explicit affirmative consent to control and process data from our customers
- Implementing and communicating steps to exercise customer data access rights
Our GDPR compliance processes and procedures are as follows:
Auditing data collection and processing processes and protocols
- We document the PII data we collect into data flows, data maps, and retention policies.
- Our privacy policy includes how and why we handle personal data collected by gust.com.
Communicating our GDPR responsibility and accountability
- Our internal management structure is GDPR aware.
- We have appointed a Data Protection Officer who leads our GDPR compliance, security, and infrastructure initiatives.
- We have a technical security and infrastructure team focused on customer data security and regulatory changes.
- We have a detailed map of the personal data we collect and sub-processors we use.
- We have Data Processing Addendum contracts with the data processors with whom we share data.
- We have policies, internal talks, and training for GDPR and data security awareness as well as procedures for handling data breach incidents.
Collecting explicit affirmative consent to control and process customer data
- We require explicit affirmative consent at or after sign up before usage of Gust websites.
- We inform customers of Privacy Policy updates, and we require explicit affirmative consent be recollected upon privacy policy changes.
- System and marketing emails include unsubscribe utilities.
Implementing and communicating steps to exercise customer data access rights
The GDPR guidelines require processors and controllers give easily executable rights to customers for accessing, updating, removing, cessation of processing, and delivery of their data.
Gust's customer success and engineering teams coordinate and execute customer data access right requests using the following protocol:
Engagement
- A customer finds customer success contact instructions in our privacy policy and on gust.com
- A customer contacts the customer success team at gdpr@gust.com requesting to exercise one or more of their GDPR rights
- Customer success authenticates the user's identity and acknowledges the request within 48 hours
- Customer success attempts to resolve the issue themselves
- (or) Customer success logs the details of the request in our backlog and notifies the Data Protection Officer
Escalation
- The Data Protection Officer coordinates, defines, and prioritizes steps to resolve the data access request
- The Data Protection Officer tracks resolution lifecycle
Resolution
- Gust's customer success team contacts the requesting customer delivering applicable data packages, captures any further issues, and closes the support ticket
We are operationally GDPR compliant ahead of the May 25th deadline. All gust.com applications and services comply with the regulations and we're happy to see personal data privacy, ownership, and control come to the internet at-large. As a company, we are in full support of the regulation. These are very positive changes for the internet.