With the GDPR almost in place, it’s time to review the 3 most important GDPR articles for no-code application platforms. Namely, Processor Requirements, Processing Activities & Security.
Over the last few months we have seen increasingly intense communication around information privacy, brought on by the impending implementation of the General Data Protection Regulation (GDPR) in the European Union (EU). For WEM, just like for any Software as a Service (SaaS) or Platform as a Service (PaaS) provider processing data about individuals within the EU, this is an important regulation.
WEM welcomes the GDPR: the regulation helps unify how we process our customers’ data. More specifically, it clarifies which processes, procedures and administration we should keep in place to safeguard the personal data that our customers (the “controllers” in GDPR terminology) process as part of their business. While there are many important aspects of the GDPR, it is beyond the scope of this article to address them all. These three articles are specifically relevant for data processors like WEM:
Article 28 – defines role requirements of the Processor;
Article 30 – documents required record keeping;
Article 32 – describes security standards.
This article will address each of the elements of these three articles as they apply to WEM.
In the terminology of the GDPR, anyone processing data for others, including no-code PaaS providers like WEM, is considered a “Processor”. The core requirements specific to processors are defined in Article 28. There are two specific elements I would like to highlight:
• There must be a written agreement** between the controller of the data and the processor. In case customers do not yet have an agreement of their own available, WEM provides a helping hand: a standard agreement for any of its customers that plan to process, or are already processing, information covered by the GDPR. The elements that need to be covered as part of this contract include:
– Only process personal data at the direction of the controller. WEM has no access to your data as part of regular business processes and will not process any of your data unless required to deliver your requested services or as required by law.
– We have clear authorization of WEM staff members with regard to the handling of customer information. WEM staff are bound by written confidentiality agreements.
– WEM either does all processing ourselves or makes sure that anyone we contract keeps at least the same standards we are contracted to. For that reason, WEM has agreements with the partners from whom we hire resources to support us in projects.
– The data our customers store with us is always their property and responsibility. WEM will support customers in complying with GDPR regulations, including returning or destroying your data and supporting you in any audits or other compliance requests.
• The processor should have a written code of conduct regarding data handling and privacy, as defined in GDPR paragraph 40. WEM has such a code of conduct and will update that document periodically as new guidelines become available.
Article 30, “Records of processing activities”, is also important for a processor. Keeping clear and concise records and administration of the processing activities we perform for our customers is key to our business operation, specifically when it comes to processing sensitive and private information. Through our customer portal, WEM.io, our partners and customers can directly record their representatives for GDPR purposes, including their data protection and security officers. In addition, WEM will not transfer customer data to a third country or international organization unless this is specifically reported as part of the service agreements.
The final article that has a major impact on WEM is Article 32, “Security of processing”. The WEM environment is covered by several layers of both technical and organizational measures to ensure the security, safety, confidentiality and continuity of data. This includes continuous duplication and encryption, periodic backups, and an organizational structure with clear separation of duties for data and application access. The WEM environment is regularly assessed for technical security by both automated and manual processes. The overall implementation is reviewed to ensure continued compliance with state-of-the-art security practices.
The GDPR presents a clear set of rules and guidelines, which provides a basis for a no-code PaaS provider like WEM to maintain safe, secure and compliant processing capabilities for our customers’ personal information. In addition, WEM has established and implemented a clear data breach response plan outlining organizational policies and procedures for addressing a potential breach. We are happy to comply with the requirements and look forward to working with our customers in keeping your data safe.
** Similar to the “Bewerkingsovereenkomst”, which has been part of Dutch privacy regulations for some time.