How we’re preparing for GDPR

Our commitment on the upcoming EU Data Regulation.

The EU General Data Protection Regulation (GDPR) will set a new standard for how companies use and protect EU citizens’ data. It will take effect from May 2018.

At Kami, we’ve been working hard to prepare for GDPR, to ensure that we fulfill its obligations and maintain our transparency about customer messaging and how we use data.

I’ve been working with our legal, engineering and operations teams to figure out how to convert GDPR legal provisions into tangible actions. We’ve been asking lots of questions, and our customers have been asking us questions.

Here’s an overview of GDPR, and how we are preparing for it at Kami:

What is GDPR?   

The EU General Data Protection Regulation (“GDPR”) is a new comprehensive data protection law that comes into effect on May 25, 2018. It will replace existing EU Data Protection law to strengthen the protection of “personal data” and the rights of the individual. It will be a single set of rules which govern the processing and monitoring of EU data.

Does it affect me?

Yes, most likely. If you hold or process the data of any person in the EU, the GDPR will apply to you, whether you’re based in the EU or not. It applies to us when users based in Europe register a Kami account.

How is Kami preparing for GDPR?

Our teams have been working to define our GDPR roadmap. Because we already have processes, technology and policies in place to comply with US data privacy laws related to the use of online technology in schools, making sure we’re meeting our legal obligations requires a less significant overhaul of processes and data models than other organizations may face. We are always committed to doing the best thing for our customers while still letting us move fast, scale and build great products.

Here are the main things we’ve been doing to ensure we’re enabling ourselves and our customers to meet GDPR obligations:

We’re adding new features

Our teams are building the necessary features that will enable our customers to easily and fully delete all data linked to an individual user. In the meantime, we continue to fulfill this requirement based on an emailed request.

Users’ files are stored on their local or cloud storage, and the user profile can be obtained within the App, fulfilling requirements for export of all data linked to an individual end user.

We’re updating our Data Processing Agreements (DPAs)

Strong data protection commitments are a key part of GDPR’s requirements. Our updated Data Processing Agreement shares our privacy commitments and sets out the terms for Kami and our customers to meet GDPR requirements. This is available for customers to sign upon request.

We’re appointing a Data Protection Officer

We’re appointing a Data Protection Officer to oversee and advise on our data management.

We are complying with EU ‘Adequate Standard’ requirements for international processing of data

The GDPR requires that, when any EU personal data is hosted or processed outside of the European Economic Area, it must remain protected to an adequate standard in line with EU law.

There are a few ways that Kami achieves this. First, some of our EU customers’ data is processed in New Zealand (where our headquarters are located). New Zealand is recognised by the EU as a territory that ensures an adequate level of data protection (refer to the decision of 19th December 2012 – 2013/65/EU: Commission Implementing Decision pursuant to Directive 95/46/EC of the European Parliament and of the Council on the adequate protection of personal data by New Zealand (notified under document C(2012) 9557) (Text with EEA relevance)). Data processing in New Zealand is therefore entirely compliant with GDPR.

When we hold EU customer data in other territories, like the US, we take other ‘Appropriate Safeguards’ that are prescribed by the GDPR. Specifically, we enter into Data Processing Agreements with Customers who require this. We rely on EU Standard Contractual Clauses (also called Model Clauses) published by the European Commission to protect EU data. These are standard form data export agreements that have been approved by the European Commission as a lawful basis for transferring personal data to non-EEA countries like the USA. Our standard Data Processing Agreement is available to sign upon request.

We’re working with our vendors

We’re reviewing all our vendors, finding out about their GDPR plans and arranging similar GDPR-ready data processing agreements with them.

To comply with EU data protection laws around international data transfer, we have already verified that our US-based cloud hosting providers have self-certified under the E.U.-U.S. Privacy Shield framework. The EU-US Privacy Shield is a framework negotiated and agreed by the European Commission and U.S. Department of Commerce as a lawful way of transferring personal data.

  • AWS has self-certified under the program – AWS’s Privacy Shield certificate. AWS also announced compliance with the CISPE Code of Conduct. The CISPE Code of Conduct helps cloud customers assess how their cloud infrastructure provider complies with its data protection obligations under the GDPR.
  • Google has committed to applying the Privacy Shield’s principles and safeguards to EU-U.S. transfers of personal data. No action is required on their customers’ part to benefit from the protection of this framework. Google’s certificate will soon be accessible here.

We’re taking new security measures

Security is a priority for us. We undertake regular security audits and penetration tests. We’ve built a robust security framework over the past couple of years, following international compliance standards and reviewing our internal access design to ensure only the right people have access to the right level of customer data. More details of our security measures are available on request.

We’ll keep sharing information on our progress, and we’ll also help our customers and prospective customers be compliant. Some steps you can take are:

  • Get familiar with the GDPR requirements and how they affect your organization.
  • Map out everywhere you process data and carry out a gap analysis.
  • Consider how you can leverage Kami to help with your GDPR compliance. Our security measures are available to customers on request.
  • Look at your product roadmap and think about privacy when you’re planning.
  • Chat with your lawyer about what your organization needs to do.
  • Keep an eye on the developing guidelines from the GDPR Article 29 Working Party.

Questions?

Feel free to reach out to us through our In-App support chat or email us at privacy@kamihq.com if you have any questions about GDPR – we’d be happy to chat with you about it.

Bob Drummond