Easy Software takes personal data protection seriously. European regulation known as general Data Protection Regulation (GDPR) brings a number of challenges to all organizations and became one of the most resonated business topics.
Our mission is to provide Easy Redmine clients and basically all Project community with a reliable software which allows fulfilling all duties of Data Processors efficiently.
This document shall provide answers to:
- I am Data Processor, how can I get GDPR compliant with Easy Redmine
- I am using Easy Redmine cloud, is this service compliant with GDPR?
- I need to know if Easy Software has all security process in place.
1. Terminology
Easy Software is a manufacturer of Easy Redmine.
Data Controller – the entity that determines the purposes, conditions, and means of the processing of personal data. For the purpose of this document, it is your organization.
Data Processor - the entity that processes data on behalf of the Data Controller; in this document:
- Cloud clients of Easy Redmine: Easy Software is the Data Processor and data are processed in our cloud services based on rules setup by you, Data Processor, in your Easy Redmine cloud application.
- Own server users of Easy Redmine: Easy Software is not a Data Processor. But Easy Redmine will help you to organize your data properly.
Easy Redmine is an application which may or may not be used to process data by Data Controller.
2. Introduction
Easy Software as a manufacturer of Easy Redmine introduces updates of Easy Redmine in order to help Data Controllers to fulfill their duties coming out of the GDPR regulation.
At the same time, for our cloud clients, this document brings information about Easy Software as Data Processor.
Also, Easy Software declares, that by the effective date of GDPR all processes, contracts, suppliers, data access and others will be fully compliant with GDPR requirements
3. Easy Redmine for all Data Controllers
Following description and features will be deployed/updated until the end of April 2018.
Easy Redmine brings following features to increase data security and specific demand of GDPR to Data Controllers.
- Extended Password policy enforcement
- Definition to use minimum length, usage of big letters, numbers and special characters in the password
- Time limit for password validity and password repetition control
- Auto sign-off user after a period of time
- Recently added a feature to re-enter your password once manipulating with user roles and privileges
- GDPR specific features:
- Right to be Forgotten: Deleting the Contact is a traditional feature but it may disturb data consistency, reports etc. as there is a possibility to have Contact linked to projects, Tasks, CRM and other entities. Also, it would corrupt data about your customer profiling. Contact Anonymization would allow deleting data from contact which would allow identifying the person, but anonymous data about client’s services, task and other will stay.
- Right to Access: A specific button which would export Contact details in automated readable format (XML) would fulfill your obligation to provide personal information what data you collect.
- Limited data visibility – it is a critical requirement of GDPR asking Data Controllers to limit access to personal data only to those people they need to have access. Easy Redmine brings couple approaches to this problem:
- A limitation to access contacts in general.
- A limitation to access Contacts only for specific Contact type. Typically, everyone can access Contacts with type Company (companies are not subject to GDPR) and limit access to Contacts with type Personal only to selected users. So the user without the permission may see that there is a contact linked (see the name alone) but cannot see any other data which may allow the personal identification.
- Custom filed visibility – certain data can be restricted to be seen only by
- a) User / list of users
- b) User group / list of user groups
- c) User type / list of user types
- User action audits
- Easy Redmine provides complete logs about user actions including View action.
- Now Easy Redmine brings a feature to manage the logs in order to fulfill your internal process.
- Limited data visibility – it is a critical requirement of GDPR asking Data Controllers to limit access to personal data only to those.
How to become GDPR compliant step by step
- Identify what Personal Data you collect in Easy Redmine.
- Make internal regulation that all personal data needs to be filled in Custom fields, not native fields of Easy Redmine. But recommended approach is to make a decision that all personal data has to be stored on Contacts only.
- If you like to use Anonymization, Right to Forget you shall have a regulation that all personal data has to be on Contacts.
- Identify what data are subject to erasure for Anonymization – you can do it in Contact’s custom filed settings.
- Decide what users of Easy Redmine need access to Contacts and limit access by Contact type.
- If you need all users to access all contact, but some shall see limited data set, just set the custom field visibility.
- Identify what custom fields outside Contacts needs to be protected and set data visibility accordingly.
- Increase password policy enforcement of Easy Redmine.
- Right to forgot:
- We recommend defining a Project Template which would formalize all steps to delete personal data from all systems in great details. Once a request comes you can simply document that all steps were done according to your internal process.
- Create regulation for how long you need to keep user action audit data (logs) and configure accordingly in Easy Redmine.
4. Easy Redmine in cloud
Easy Software provides Easy Redmine as a service in the cloud. For cloud clients, Easy Software acts as Data Processor. As a Data Processor we fulfill GDPR requirements thanks to following:
- Easy Software implemented technical and process measures to limit potential access to data only to an exception and requested occasions.
- If you are an EU organization, it is guaranteed that your Easy Redmine instance (and so data and their backups at disaster recovery sites) are stored within the EU.
- Easy Software uses only verified Data Centers with high-end security and all relevant ISO certifications. Details can be provided upon request.
- Regular backups, https for browsers, SSH-2 encryption is used for the backup transfer. Firewall limited to HTTPS and other regular settings are meeting GDPR requirements. You may learn more about clouds here.
- Security can be further increased with Private Cloud service where individual security can be extended by an individual configuration of the dedicated server (HW).
- Easy Software Ltd. Is a UK company but the GDPR regulation was implemented in all aspects of an organization and for all products and services.
5. Easy Software and your personal data
Easy Software is a manufacturer of Project Management platform. Easy Software is business to business commercial organization. It means that all data collected serves to support Easy Software’s business and services for organizations.
As per GDPR regulation, there are data of individuals collected as well and those are considered as data under the protection of GDPR.
5.1. Personal data collected
- Name and surname
- Telephone
- Company
- Position at the company
- Achieved trainings and certifications gained for products of Easy Software
- History related to visiting of Easy Software product pages.
- IP Address
5.2. Purpose of data collection, processing, and profiling
Easy Software collects data for following purposes:
- Setup a commercial co-operation with organizations. And for that purpose, Easy Software may collect data about contact persons in such organizations.
- Provide service for existing customers (organization and for that purpose Easy Software may collect data about contact persons in such organizations.
- Inform customers and potential customers about new features functions, releases and other messages of both informational and marketing character.
Collection:
- All information collected about individuals are gathered through contact forms.
- Easy Software does not possess or use data about individuals from external sources.
Data combination and profiling:
- Easy Software does not profile any individuals, all data collected serves only as a contact information within an organization.
- Easy Software profiles organizations for marketing and business purposes. Not subject to these analyses.
- Easy Software combines all data in the own information system (Easy Redmine) on Entity Contact or Entity CRM. Any other system uses only data fragments and hence are not considered as data under GDPR.