Introduction

At Autino, data is at the heart of everything we do, and the security of that data is very important to us and our customers, and of course, to your customers.

With the advent of the new EU GDPR (General Data Protection Regulation) legislation coming into force on 25th May this year, we have been preparing our systems, policies and procedures to reflect the tighter rules that we need to work within. We have been doing this across all our products and services and this article sets out the details of how we are ensuring that we are GDPR-compliant come 25^th May.

It is our stated goal that the use of our products and services does not impose any GDPR-related burden on you, your processes, or your customers.

Basic principles

In addition to the new aspects of data protection that GDPR covers, the basic data security and privacy principles that Autino work to are:

1. Your data is yours, not ours - the data that you enter into Autino's systems is created by you and therefore owned by you. In GDPR-parlance, you are the data controller, and Autino is the data processor.
2. We will only process your data for the purposes of running our service for you - we do not share your data with anyone else not directly involved in providing the service.
3. Data is retained for the minimum amount of time – if you leave us we will remove your data from the service if requested and if it is legal for us to do so.

How GDPR impacts Autino’s product and services

Autino’s SaaS services are very much data-centric and as a result, we design them from the outset to follow the data privacy and protection principles that all Autino's services adhere to.

GDPR has, however, widened the scope to give people much more control over how their data is stored and used, and made organisations that do the storing and using, be more transparent in this area.

People’s data is now even better protected by law, and this is achieved through organisations applying the following main principles mandated by GDPR:

1. GDPR affects non-EU based organisations if they process the data of EU citizens (this does not affect Autino as we are based in the UK)
2. The definition of what constitutes personal data is now broader than it was before
3. Consent is needed to process the data of people under the age of 16
4. Consent is required for a wider range of data processing (data use) scenarios
5. Specific data protection roles may be required within an organisation
6. Privacy risk assessments are required when new products/services are introduced
7. Data breaches must be reported much sooner to the relevant bodies
8. Data subjects (people) have the right to be forgotten and the right to request a copy of their data
9. Data processors (e.g. Autino) have more responsibilities to the data controllers than before (you, our customers)
10. Data protection must be designed into products and services.

Not all GDPR requirements are relevant to how Autino stores and processes data, but where they are, the following statements apply:

1. Autino operates from offices within the EU (Reading, Berkshire) but our systems are hosted by our trusted partners both within and outside of the EU. Please see our Privacy Policy for more details of what data is stored for the service that you use.
2. How we store and process (use) people’s data is clearly described in our Privacy Policy.
3. The requirement to protect data and keep it private is designed into all of our products including, but not limited to, the principles bounded by:
1. Secure software design
2. Security testing, vulnerability scanning, website penetration testing
3. Security awareness training
4. Using only ISO 27001:2013 certified hosting services.

Need to learn more?

For more information please about GDPR at Autino, please email infosec@autino.com.

For more information on GDPR, please see the ICO website https://ico.org.uk/for-organisations/guide-to-the-general-data-protection-regulation-gdpr/

v5, 05Apr18