The Chat Shop + GDPR
Data Privacy in the EU
Understanding data privacy in the European Union (especially with the new GDPR) can be as frustrating as straightening out a tangled thread. The EU/EEA have a few different policies in place so that when companies capture personal data, they’re honest and transparent about why they want it, where they’re storing it, why they’re processing it, and who gets their hands on it. Basically, these laws and directives ensure a protected flow of data from individuals to companies they trust and any other party that company trusts.
A Brief History of EU Data Privacy
Let’s bring it back to the 1940s. After World War II, the council that became the EU formed and passed the European Convention on Human Rights. The proto-EU did this to guarantee certain freedoms and rights across its member states. One of those new, important rights was a person’s right to privacy of correspondence. That’s a big one. Over the 20th century, as new technology brought new ways of communicating, the right to privacy of correspondence was tightened and picked up more caveats.
In 1980, Baby-EU and the Organization for Economic Cooperation and Development (OECD) drafted a new framework (inventively called Treaty 108) to regulate automatic processing of personal data. Basically, 108 gave us all the aspects of data privacy we’ve come to know and love (or love-hate) like:
- Obtaining and processing data fairly and lawfully
- Collecting data in an adequate, relevant manner
- Maintaining adequate security of data
- Deleting personal data
- Keeping data only as long as it benefits parties involved
And in 1995, we got the last major update to EU data privacy, and it was a big one: The European Data Protection Directive (DPD for short). This bad boy gave substance to all the promises of Treaty 108 and then some. It basically acted (and still acts) as a template for compliance around the bare minimums companies and governments can do for data privacy in the internet age. We got new standards and protections that mean our sensitive data isn’t hanging out on someone’s desk in an unlocked office. It also means we need consent to process and control data and have to scrutinise all of our business partners, especially partners who are based outside the European Union, for possible data security breaches. And that’s how we got…
The EU-US Privacy Shield
Everything you know and love that enables us to do business across the pond.
In 2016, the Privacy Shield replaced Safe Harbor with a certification process friendly to small and medium businesses and a “blanket” applicability to data transfers between certified US entities and their customers in the EU. On top of what Safe Harbor required, the Privacy Shield added new commitments on data subject rights, protection during onward transfer to sub-processors, and cooperation between the EU and US on alleged infringements and government surveillance.
This is the one you’re all here for.
It’s been 20 years since the DPD; a lot’s changed about how we do business and the transactions we perform digitally. The GDPR is here to help (at least that’s what it keeps telling us). But because the rules have stood still for 20 years, getting up to snuff with the GDPR is a whopper of a job.
The GDPR means some new rights for all of us, including:
- The right to be forgotten: anyone can delete their data
- The right to object: anyone can say no to things like profiling
- The right to rectification: anyone can change or complete their data
- The right of access: anyone can know what data is being processed and how
- The right to data portability: anyone can transmit their data from one organisation to another (source: regulation pdf)
And companies have some new standards to live up to:
- disclosures when obtaining consent
- consent must be “freely given, specific, informed, and unambiguous”
- clear legal language in those consent declarations that is easily understandable
And some companies have a new job to fill:
- Data Privacy Officer (DPO), who hangs out and reviews compliance with the GDPR
So, what’s The Chat Shop doing about GDPR?
TL;DR: We’re on it.
The Chat Shop’s Approach to Security
Given the intricacies of EU data privacy laws, we know you have questions about security and processing. The overview below of The Chat Shop’s different technologies should help customers work with their own attorneys and solicitors to ensure compliance with the laws that apply to them.
Managed chat & Data retention
We’re a data processor of personal information collected on behalf of our clients. The data we collect is all yours to control, so you can follow up on those nice leads you get!
We keep a copy of the data we send you for a limited time, though. Our Data Retention Policy is a big one, and part of our sustained GDPR compliance agenda to make your data work harder for you.
For our clients and partners who control data, we process and store it with specific timeframes in mind. In our new GDPR-friendly policies, all of your customer data we capture will be retained for 15 months from the time of its acquisition and will be For Your Eyes Only. We’re very 007 like that.
Data hosting & Our partners
We store your chat transcript and escalation data on Amazon Web Services servers located in the UK, Ireland, Germany, and the US. Amazon Web Services maintains ISO 27001, SOC 2 Type II, and several other certifications to demonstrate the rigour of their hosting and infrastructure management programme. You could say they have a License to Kill (not really). Information about AWS certifications is available on the AWS Security Compliance site.
LiveChat store their data in secure data centres in both Frankfurt, Germany and Texas, USA, with transfers covered by the Privacy Shield. We’re able to offer EU hosting for new dedicated teams and are working with LiveChat to migrate all data to the EU.
We use our HubSpot CRM to help us keep our relationships with you strong. Like any good CRM, it’s used sparingly and updated with only the most relevant information on contracts and communications. None of your customers’ data is ever stored here; this one’s just for The Chat Shop and clients. Currently, the primary HubSpot infrastructure is hosted with Amazon Web Services in the US-East-1 region.
Amending data, Security programme & Other privacy requests
We hope this has provided you a Quantum of Solace regarding the GDPR. Look out for more James Bond-tinged communications from us in the future! If you have any urgent questions, or just want to tell us who your favourite James Bond is, get in touch with your account manager directly or email our privacy team at email@example.com.
We’re always happy to chat.