The Receptionist & the GDPR
Updated: June 2020
We have been carefully studying the General Data Protection Regulation (the “GDPR”) to understand the impact on you, our customer, and the necessary actions we need to take to satisfy our obligations under the GDPR. Here is a summary of what we’ve learned and the actions that we are taking when collecting data from the software application on behalf of you, our customer. Please note that this document does not apply when The Receptionist is collecting information on behalf of itself, as a controller. For more information regarding your rights and our practices when The Receptionist is collecting information on behalf of itself, please see our privacy policy located at: https://thereceptionist.com.au/privacy-policy/. Please reach out to us at support@thereceptionist.com should you have any questions.
GDPR Background
The GDPR, the EU’s new privacy law that replaces the Data Protection Directive 95/46/EC, aims to bring order to a patchwork of privacy rules across the EU. If you would like to read the full GDPR, please find it here.
The GDPR is European legislation designed to harmonize data protection across the EU. It imposes new regulations for companies to protect consumers regarding data processing, access, and security, in addition to tougher enforcement for breaches of the rules.
The GDPR was created around six core principles (Article 5) for personal data and the belief that personal data should be:
- Lawfulness, Fairness and Transparency – Processed lawfully, fairly, and in a transparent manner in relation to individuals.
- Purpose Limitation – Collected for specified, explicit, and legitimate purposes and not processed beyond those purposes.
- Data Minimization – Adequate, relevant, and limited to what’s necessary in relation to the purposes for which they are processed.
- Accuracy – Accurate and, where necessary, kept up to date.
- Storage Limitation – Kept in a form that permits identification of data subjects for no longer than is necessary for the purposes for which the personal data are processed.
- Integrity and Confidentiality – Processed in a manner that ensures appropriate security of the personal data.
The GDPR contains several new protections and threatens significant penalties for non-compliance. In addition, there are new security, recordkeeping, access rights, and notification procedures that companies must implement to ensure compliance. Issues that are attracting particular attention include increased administrative requirements, and the need to provide the tools necessary to meet the numerous obligations on both controllers and processors.
GDPR and The Receptionist
The Receptionist takes its legal and regulatory obligations seriously. Moreover, we take great care to ensure data privacy and security. The core of our business involves the collection of visitor data on behalf of our customers, which almost always includes personal data. We constantly work to ensure we collect, process, and share the data we deal with in a lawful, transparent manner.
There are two primary roles in the GDPR structure: Controller and Processor. Our customers collect data from visitors, and as such, our customers are considered the Controller. The Receptionist, which provides a software application for the collection of data from our customers’ visitors, is considered the Processor. As Processor, it is our duty to assist our Controller customers so that they may be compliant with the GDPR.
To that end, we wanted to share with The Receptionist community some information about The Receptionist’s practices and procedures related to data collection and GDPR compliance. There are two important features of our technology that allow our Controller customers to satisfy key requirements of the GDPR:
- Remove visitor records – Through the account administration area, our customers can remove individual visit records so that they are no longer accessible. Those deleted visits then enter a Visit Log Trash, where customers can permanently incinerate them. Here is a support article describing how to delete a visit, and a support article on incinerating visitor data.
- Set a visitor data retention period – Included in our software is the ability to automatically remove visit records that are older than a certain date. This does not permanently delete the record from our database. Here is a support article describing how to enable this feature on your account. To permanently delete visit data after a certain period of time, read our support article on the auto-incinerate function. Once you have permanently removed visit data from your log, either via the incinerate or auto-incinerate feature, The Receptionist team cannot recover it for you. Exercise caution when using the function to delete records you may still need later on. Note that The Receptionist team cannot incinerate your visitor info or visit data for you.
Security: The Receptionist platform has a large number of enterprise security features that make us the trusted platform for thousands of companies, ranging from small start-ups to the Fortune 100. The Receptionist has implemented appropriate technical and organizational measures to satisfy the requirements of the GDPR, to ensure the level of security of personal data is appropriate to the level of risk, and to help ensure the protection of the rights of individuals.
Some of the highlights of the security measures we’ve put in place include:
- All information is stored on a secure Amazon AWS server via the Heroku hosting environment.
- All traffic to the application from the iPad and browser is encrypted using AES_256_CBC, with SHA1 for message authentication and DHE_RSA as the key exchange mechanism.
- The Receptionist employs two layers of penetration testing and vulnerability assessment: third-party security testing of the Heroku application is performed by independent and reputable security consulting firms, and CodeClimate performs code analysis and security assessments of our application prior to deployment to our production environment.
- Our hosting partner, Heroku, utilizes ISO 27001 and FISMA certified data centers managed by Amazon.
- The Receptionist contracts with a third party to perform Penetration Testing as an additional security measure. If you are interested in viewing the results please contact support@thereceptionist.com.
A full overview of our security architecture can be found by downloading our Security PDF Overview.
GDPR Contract Update: Both The Receptionist (Processor) and its customers (Controllers) are jointly and separately responsible for certain actions under the GDPR. Therefore, the GDPR requires shared responsibility to protect an individual’s privacy rights. GDPR Article 28 requires that a contract be in place between a Controller and a Processor. For years, The Receptionist Terms of Service have provided the fundamental legal requirements and obligations regarding data ownership, confidentiality, processing responsibilities, and more.
However, if you would like to execute a separate Data Processing Addendum (DPA) with The Receptionist with GDPR-specific language, please email The Receptionist at: support@thereceptionist.com.