On AssetSonar’s GDPR Compliance

AssetSonar is fully GDPR compliant.

This post will take you through what this means, and shed light on the functionality we’ve added to become compliant with the General Data Protection Regulation (GDPR).

What role do I play within the GDPR compliance framework?

In order to understand your place within this regulation, we need to flesh out three roles:

  • Data Processor: The body that processes personal data on another body’s behalf.
  • Data Controller: The body that determines the purpose and means of processing the personal data provided.
  • Data Subjects: The individuals whose data is being processed.

There are two ways in which the GDPR terms might apply to you.

  1. You as the Data Subject:
    You are a citizen of the European Union and your data is being stored in AssetSonar. That makes you our Data Subject. Therefore, we must abide by the terms of our GDPR compliance to ensure we respect your data rights.
  2. You as the Data Controller:
    We are the Data Processor, processing the data of your end-users on your terms. This makes you the Data Controller, and your end-users (such as staff and vendors) the Data Subjects. Therefore, you must abide by the terms of GDPR to ensure you respect the data rights of your end-users.

In short, AssetSonar is not only GDPR compliant itself, but also enables you as a Data Controller to become GDPR compliant. You can read on to see how this plays out with reference to the new functionality we’ve added to AssetSonar.

How did AssetSonar become GDPR compliant?

AssetSonar’s Data Protection team followed industry best practices to draft a roadmap to GDPR compliance. This included mapping data flows into and out of our organization, and using this map to identify risks in our data processing workflows. We then carried out the necessary data protection impact assessments, all of which ultimately culminated in the following:

Data Security

We take your data security extremely seriously. To this end, we have combined new and existing security features to lower the chances of data breaches — either at our end or at the hands of Data Subjects.

  • We are ISO 27001 certified. This is the international standard describing best practices for information security management systems.
  • All the data we process is encrypted using the AES-256 encryption specification.
  • Our in-depth Access Control features enable you to set permissions for your employees.
  • We are hosted on Amazon Web Services (AWS), which publishes details of the security measures it has in place.

GDPR Compliance: You as a Data Subject

We’re providing you as a Data Subject with a list of tools that can help you with your data rights. These tools will provide you with:

  • The ability to view or edit your profile information that has been added to AssetSonar.
  • The ability to receive information on any data collected on you, including the purpose of gathering the data, and the duration for which it will be stored by us.
  • The right to call for the access, alteration, or deletion of said data.
  • The right to opt in to certain features, such as email marketing, newsletters, SuperUser access, etc.
  • The ability to send complaints and queries specifically related to the GDPR directly to the AssetSonar Data Protection team.

Data Erasure

Data is backed up every 8 hours. Customers’ data remains in the backups for 6 months after termination of their account. If a customer wants their data to be removed from the backups they must send in a request to infosec@ezofficeinventory.com.

GDPR Compliance: You as a Data Controller

We’re also providing you as a Data Controller with a list of tools and features that can enable you to achieve GDPR compliance with ease. These provide you with:

  • The ability to log the details of your Data Protection Officer and EU Representative.
  • Updated Terms of Service and Privacy Policy.
  • The ability to manage data in accordance with GDPR standards.

We already have rich features in place to support the management of our customers’ data. To expand on this functionality for GDPR compliance, however, we’ve added the following new features:

1. Declaration of Consent

You will be able to inform relevant Data Subjects — such as users and vendors — that their information is going to be kept in the system. For this purpose, we’ve extended your ability to send confirmation emails to all such parties, including:

  • Users registered through LDAP/SAML
  • Non-login users (that is, users who don’t have the ability to log into the system)
  • Vendors that have been created in the system

These emails also prompt users to choose whether they would like to receive notifications from AssetSonar.

2. Data Portability

Data Subjects will be provided the right to data portability. This means they can request access to all their data. For this purpose, we’ve extended your ability to export data by adding the following categories to AssetSonar reports:

  • Vendors
  • Members

3. Data Erasure

Data Subjects can request that all their data be deleted from the system. The GDPR refers to this as the right to be forgotten. We have released a new deletion feature to accommodate this.

In order to preserve the integrity of our users’ data, however, in some cases we redact personally identifiable information instead of deleting the record, so that your records remain consistent. This applies when an individual is associated with Purchase Orders, Work Orders, services, items, or any other records that form part of our customers’ data history.
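The delete-or-redact decision described above, as an added illustration that is not AssetSonar’s own code: a Data Subject with no linked records is hard-deleted, while one referenced by Purchase Orders or Work Orders has only their PII fields blanked so the linked history stays consistent, followed by an audit that no original PII value survives. The schema, field names and sample data are constructed assumptions.

```python
# Added example; schema and field names are assumptions, not AssetSonar's.
from copy import deepcopy

PII_FIELDS = ("name", "email", "phone")
REDACTED = "[REDACTED]"
# Record types whose history must stay consistent after an erasure request.
LINKED_KINDS = {"purchase_order", "work_order", "service", "item"}

# Constructed sample data: two members, one of whom is tied to a purchase order.
PEOPLE = {
    1: {"name": "Alice Example", "email": "alice@example.test", "phone": "+000"},
    2: {"name": "Bob Example", "email": "bob@example.test", "phone": "+001"},
}
RECORDS = [
    {"kind": "purchase_order", "id": "PO-1", "owner_id": 1},
    {"kind": "item", "id": "IT-7", "owner_id": None},
]

def linked_records(records, person_id):
    """Records that would be left dangling if the person's row were deleted."""
    return [r for r in records if r["kind"] in LINKED_KINDS and r["owner_id"] == person_id]

def handle_erasure(people, records, person_id):
    """Apply a right-to-be-forgotten request; returns the action taken."""
    person = people.get(person_id)
    if person is None:
        return "not_found"
    if linked_records(records, person_id):
        # Keep the row (other records point at its id) but strip personal data.
        for f in PII_FIELDS:
            person[f] = REDACTED
        person["redacted"] = True
        return "redacted"
    del people[person_id]
    return "deleted"

def residual_pii(people, records, original_pii):
    """Audit: return any original PII value still present after erasure."""
    blob = repr(people) + repr(records)
    return [v for v in original_pii if v in blob]

def demo():
    people, records = deepcopy(PEOPLE), deepcopy(RECORDS)
    alice_pii = [PEOPLE[1][f] for f in PII_FIELDS]
    actions = {1: handle_erasure(people, records, 1), 2: handle_erasure(people, records, 2)}
    return actions, people, residual_pii(people, records, alice_pii)

if __name__ == "__main__":
    print(demo())
```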

About AssetSonar

AssetSonar is a powerful IT Asset Management solution used by IT-intensive organizations and businesses all over the globe. We’re committed to protecting your digital rights. Our database is built on the secure framework of AWS and we’re fully GDPR compliant.

Sign up today for a free 15-day trial.

For more assistance, or if you have any questions around this topic, drop us an email at support@ezo.io. You can also visit our blog for detailed support posts.