HaloITSM GDPR Statement
This document outlines how the General Data Protection Regulation (GDPR) affects HaloITSM and its customers, including what action we have taken in response and the information you need as a customer of HaloITSM to best comply with these new laws coming into force on May 25th, 2018.
The European Union has taken a monumental step in protecting the fundamental right to privacy for every EU resident with the General Data Protection Regulation (GDPR), which becomes effective from May 25th, 2018. Simply put, EU residents will now have greater say over what, how, why, where, and when their personal data is used, processed, or disposed of. The regulation clarifies that EU personal data laws apply even beyond the borders of the EU: any organisation that works with EU residents’ personal data in any manner, irrespective of location, has obligations to protect that data. HaloITSM is well aware of its role in providing the right tools and processes to help its users and customers meet the compliance standards.
At HaloITSM, we have always honoured our users’ right to data privacy and protection. We have never relied on advertising as a revenue stream. We have never served ads to our users, and never will. This means that we have no necessity to collect and process users’ personal information beyond what is required for the functioning of our products.
Over the past 20+ years, we have demonstrated our commitment to data privacy and protection. We already have strong Data Processing Agreements, and we are revising them to meet the requirements of the GDPR. We recognise that the GDPR will help us move towards the highest standards of operations in protecting customer data.
How is HaloITSM preparing for GDPR?
The HaloITSM product has been developed since 1994, meaning we have over 2 decades of experience in the industry. We have 40+ on-premise and cloud applications used by 100,000+ in over 40 countries. HaloITSM is gearing up to be GDPR compliant across all of its applications, by the time the regulation comes into effect. As a data processor, HaloITSM understands its obligation to help customers get ready in a timely manner. We have taken the time to thoroughly analyse GDPR requirements and have put in place a dedicated internal team to guide our organisation to meet them. Some of our ongoing initiatives are:
- Identifying personal data – Each of our 40+ different applications undertakes a different level of personal data collection, usage, storage and disposal. Defining the purview of personal data for each of these applications and documenting the various sources of data will go a long way in providing a roadmap for compliance in the days leading up to the implementation.
- Providing visibility and transparency – The most important aspect of GDPR is how the collected data is used. As a data processor, HaloITSM’s key role is to provide our customers (the data controllers) with the access to effectively manage and protect their user data. HaloITSM is exploring ways to make optimal product enhancements without compromising on performance so that we can provide better transparency to our customers.
- Enhancing data integrity and security – Data privacy and data security are closely linked. As our customers tighten their data security measures, HaloITSM would like to extend a helping hand. We’re streamlining the processes for our cloud applications by implementing IT policies and procedures that provide end-to-end security.
- Portability and transferability of data – GDPR gives end users the right to either receive all the data provided and processed by the controller or transfer it to another controller depending on technical feasibility. With this new right in mind, HaloITSM is working on further enhancing its data exporting capabilities to enable export even at the individual level.
What Personal Data is Collected and How it is Collected
How Long is Personal Data Retained
If you provide information to us to request a demo, we will keep that information for up to twelve months after your last communication with us.
We will keep personal information provided by customers for up to three months after the end of our business relationship and subject to our SaaS agreement. All payment information will be deleted three months after processing, unless we are required by law to keep it longer.
If you contact us directly using the contact information provided on the HaloITSM website, we will retain your contact information for a period of up to three months after we respond to your inquiry. After that, the communications will be deleted from our system, unless we are required by law to retain it longer.
The HaloITSM website and platform were not developed or intended for individuals that are deemed to be children under applicable data protection or privacy laws, and we do not knowingly collect information from children.
Legal Basis for Processing
If you are a user of the HaloITSM website or platform located in the EEA, we rely on legitimate interest as the legal basis for processing the personal data we collect via the website and platform.
In connection with the operation of our website, HaloITSM may engage third parties (each a “Subprocessor”) to process your personal data. As a condition of permitting a Subprocessor to process your personal data, HaloITSM will enter into a written agreement with each Subprocessor containing data protection obligations at least as protective as the technical and organisational measures HaloITSM has put into place to protect your personal data from accidental or unlawful destruction, loss, alteration, or unauthorized disclosure or access.
We use the following Subprocessors to operate our website and provide our services:
| Name | Subprocessing Activity | Country of Origin |
|------|------------------------|-------------------|
| Amazon Web Services, Inc. | Cloud Service Provider | United States |
| Microsoft Corporation | Infrastructure and Collaboration | United States |
| DocuSign Inc. | Contract Signing | United States |
| Intuit Inc. | Subscription & Billing | United States |
We’ve added a new feature that will enable you to easily and completely delete all data linked to an individual user.
Halo also provides data anonymisation functionality. It lives within the Customer module and acts directly on the database user records: it replaces the user's name-value string with an anonymous user, for use when a customer or employee leaves your organisation.
We’ve created a new Data Processing Agreement (DPA) that explains the privacy considerations in place and our terms for meeting GDPR compliance.
If you are a current Halo customer who would like to enter into a DPA with us, you can do so by emailing or calling your dedicated account manager to request a DPA agreement.
You’ll need to download, review, and sign the agreement. You can then return it to us by sending it to: email@example.com.
We have appointed a Data Protection Officer to oversee and maintain policies as they relate to data management.
To contact the Data Protection Officer at any time, please reach out to firstname.lastname@example.org.
We’ve also augmented our team training to accommodate needs associated with GDPR.
We currently utilise AWS services for data centres within the European Union. These are self-contained and completely isolated units used solely for European customer accounts to ensure compliance. All of the data for these EU apps is completely isolated to these servers, including backups, to ensure no data ever leaves the EU. This data is 100% encrypted.
If you are unsure whether your data is currently housed in our EU data centre, you can check with your dedicated account manager via phone or email.
What does this mean for our customers?
We understand that meeting the GDPR requirements will take a lot of time and effort. And as your partner, we want to help you make your process as seamless as possible so that you don’t have to worry about compliance and allow you to focus on more important matters.
Depending on the type of agreement you have with us, this will have different implications to how GDPR will affect you:
Cloud Purchase: If HaloITSM hosts your help desk, it will be on your own dedicated server, ensuring optimum performance and security. All of your information will remain secure and only accessible by those you give permission to. For GDPR, you will benefit from our enhanced reporting service for any activity taking place on our servers. With our secure AWS servers, you can rest assured that your European citizen data will be based out of the UK in compliance with GDPR.
On-Premise Purchase: If you have installed HaloITSM on your own servers, you will still be able to benefit from the additional features coming in to help you comply with GDPR.
If you wish to upgrade to our hosted service to benefit from increased security and monitoring capability, please contact: sales@HaloITSM.com.
Some of our product enhancements are about to make it easier for you to:
- Provide access controls
- Encrypt, anonymize or delete user data
- Perform data audits or assessments using data processing logs
- Create provisions for data subjects rights
- Enhance security for user data
What should you do to be GDPR-ready?
If you are just getting started with GDPR compliance in your organization, here’s a quick to-do list to keep in mind.
- Create a data privacy team to oversee GDPR activities and raise awareness
- Review current security and privacy processes in place & where applicable, revise your contracts with third parties & customers to meet the requirements of the GDPR
- Identify the Personally Identifiable Information (PII)/Personal data that is being collected
- Analyse how this information is being processed, stored, retained and deleted
- Assess the third parties with whom you disclose data
- Establish procedures to respond to data subjects when they exercise their rights
- Establish & conduct Privacy Impact Assessment (PIA)
- Create processes for data breach notification activities
- Maintain continuous employee awareness, which is vital to ensure continual compliance with the GDPR
For any requests for further information, to exchange Data Processing Agreements (DPAs), or for urgent reporting requests, please contact us at: email@example.com.