Easy Software takes personal data protection seriously. The European regulation known as the General Data Protection Regulation (GDPR) brings a number of challenges to all organizations and has become one of the most discussed business topics.
Our mission is to provide Easy Project clients, and the wider Easy Project community, with reliable software that allows them to fulfil their GDPR duties efficiently.
This document shall provide answers to:
- I am a Data Controller; how can I become GDPR compliant with Easy Project?
- I am using Easy Project cloud; is this service compliant with GDPR?
- I need to know whether Easy Software has all security processes in place.
1. Terminology
Easy Software is the manufacturer of Easy Project.
Data Controller – the entity that determines the purposes, conditions, and means of the processing of personal data. For the purpose of this document, it is your organization.
Data Processor – the entity that processes data on behalf of the Data Controller; in this document:
- Cloud clients of Easy Project: Easy Software is the Data Processor, and data are processed in our cloud services based on rules set up by you, the Data Controller, in your Easy Project cloud application.
- Self-hosted (own server) users of Easy Project: Easy Software is not a Data Processor, but Easy Project will help you to organize your data properly.
Easy Project is an application that may or may not be used by a Data Controller to process personal data.
Contact is an Easy Project entity that, together with Custom Fields (specifically on the “Personal Contact” and “Entity Lead” entities), lets you separate personal data from the other data uploaded to Easy Project.
2. Introduction
Easy Software, as the manufacturer of Easy Project, releases updates to Easy Project to help Data Controllers fulfil their duties under the GDPR.
At the same time, for our cloud clients, this document provides general information about Easy Software acting as a Data Processor.
Easy Software also declares that, as a company headquartered in the European Union, it ensures that all its processes, contracts, suppliers, data access arrangements and other matters are fully compliant with GDPR requirements.
For the avoidance of doubt, this document is purely informational and does not include any binding provisions. This document has been drafted in English and shall be considered the only relevant version. Any version of the document translated into other languages is provided solely for the convenience of the User through machine translation and does not carry legal weight. In the event of any discrepancies or conflicts between the English version and any translated version, the English version shall prevail in all matters.
3. Easy Project for all Data Controllers
Easy Project provides the following features to Data Controllers to increase data security and meet the specific demands of GDPR.
- Extended password policy enforcement
- Configurable minimum length and required use of upper-case letters, numbers, and special characters in the password
- Password expiry (time-limited validity) and prevention of password reuse
- Automatic sign-out of the user after a period of inactivity
- Mandatory password re-entry before user roles and privileges can be changed
- GDPR-specific features:
- Right to be Forgotten: Deleting a Contact is a standard feature, but because a Contact may be linked to projects, tasks, CRM records and other entities, hard deletion can break data consistency, reports, etc., and it also destroys the data you use for customer profiling.
- Contact Anonymization: removes the personal data from a Contact by applying a hash function to all personal fields, which makes identifying the person practically impossible; the anonymous data about the client’s services, tasks, and other records stay available for you to work with on an aggregate, technical and analytical level.
- Right to Access: a dedicated button that exports the Contact details in a machine-readable format (XML), so you can fulfil your obligation to provide information to the data subject.
- Limited data visibility – a critical GDPR requirement asks Data Controllers to limit access to personal data to the people who need it. Easy Project offers several approaches to this problem:
- Restricting access to Contacts in general.
- Restricting access to Contacts by Contact type. Typically, everyone can access Contacts of type Company (data about legal persons is not personal data under GDPR), while access to Contacts of type Personal is limited to selected users. A user without permission can see that a Contact is linked (the name alone) but cannot see any other data that would allow identification of the person.
- Custom field visibility – particular data can be restricted so that it is visible only to
- a) a user / list of users
- b) a user group / list of user groups
- c) a user type / list of user types
- User action audits
- Easy Project provides complete logs of user actions, including view actions.
- Easy Project now also lets you manage these logs (for example, their retention period) in line with your internal process.
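To make the Contact Anonymization and Right to Access features described above concrete, here is an added Python example. It is not Easy Project's own code, and the page does not say which hash function Easy Project uses or whether that hash is keyed; the record layout, field names, contact data and secret key below are all constructed for the example. The code replaces the personal fields of a sample Contact with keyed-hash pseudonyms (HMAC-SHA-256 under a per-deployment secret), keeps the non-personal fields for aggregate reporting, and exports the full record to XML for a Right to Access request. It also shows the check a practitioner would want before relying on a hash as "anonymization": an unkeyed hash of a low-entropy field such as a phone number can be reversed simply by re-hashing every candidate number, whereas the keyed tag cannot be checked without the key.

```python
import hashlib
import hmac
import secrets
import xml.etree.ElementTree as ET

# Constructed sample Contact record (not real data). "type", "company",
# "services" and "open_tasks" are treated as non-personal; the rest as personal.
SAMPLE_CONTACT = {
    "id": 42,
    "type": "Personal",
    "first_name": "Jane",
    "last_name": "Doe",
    "email": "jane.doe@example.com",
    "phone": "+420123456789",
    "company": "Example s.r.o.",
    "services": ["Support", "Training"],
    "open_tasks": 3,
}

# Fields marked "subject to erasure" (hypothetical custom field settings).
PERSONAL_FIELDS = ("first_name", "last_name", "email", "phone")

# Per-deployment secret: generated once and stored outside the application DB.
DEPLOYMENT_KEY = secrets.token_bytes(32)


def export_contact_xml(contact):
    """Right to Access: serialize the full Contact as machine-readable XML."""
    root = ET.Element("contact", id=str(contact["id"]))
    for field, value in contact.items():
        if field == "id":
            continue
        element = ET.SubElement(root, field)
        if isinstance(value, list):
            for item in value:
                ET.SubElement(element, "item").text = str(item)
        else:
            element.text = str(value)
    return ET.tostring(root, encoding="unicode")


def anonymize_keyed(contact, key, fields=PERSONAL_FIELDS):
    """Replace personal fields with HMAC-SHA-256 tags under a secret key.

    Records of the same person stay linkable inside the system (same input and
    key give the same tag), but without the key a guessed value cannot be
    checked against the tag. Non-personal fields are kept for aggregate use.
    """
    out = dict(contact)
    for field in fields:
        out[field] = hmac.new(key, out[field].encode("utf-8"), hashlib.sha256).hexdigest()
    return out


def anonymize_unkeyed(contact, fields=PERSONAL_FIELDS):
    """Same idea with a plain SHA-256: the weak variant, shown for comparison."""
    out = dict(contact)
    for field in fields:
        out[field] = hashlib.sha256(out[field].encode("utf-8")).hexdigest()
    return out


def recover_phone_by_guessing(digest, known_prefix="+42012345", unknown_digits=4):
    """An attacker who knows the dialing prefix re-hashes every remaining number.

    Returns the phone number if the digest is an unkeyed SHA-256 of one of the
    10**unknown_digits candidates, otherwise None (a keyed tag is never hit).
    """
    for n in range(10 ** unknown_digits):
        candidate = f"{known_prefix}{n:0{unknown_digits}d}"
        if hashlib.sha256(candidate.encode("utf-8")).hexdigest() == digest:
            return candidate
    return None


if __name__ == "__main__":
    print(export_contact_xml(SAMPLE_CONTACT))
    weak = anonymize_unkeyed(SAMPLE_CONTACT)
    strong = anonymize_keyed(SAMPLE_CONTACT, DEPLOYMENT_KEY)
    print("unkeyed phone recovered:", recover_phone_by_guessing(weak["phone"]))
    print("keyed phone recovered:", recover_phone_by_guessing(strong["phone"]))
    print("aggregate data kept:", strong["services"], strong["open_tasks"])
```

In GDPR terms (Article 4(5)) a keyed hash is pseudonymisation, not anonymisation, as long as the key exists: the tags can be attributed to a person again only with that "additional information", so the key must be stored separately from the application data and under stricter access control. Destroying the key after the retention period turns the remaining tags into data that can no longer be linked to anyone while the aggregate fields stay usable.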
How to use Easy Project in line with GDPR
- Identify what personal data you collect in Easy Project.
- Adopt an internal rule that all personal data is entered in Custom Fields, not in the native fields of Easy Project. The recommended approach is to decide that all personal data is stored on Contacts only.
- If you want to use Anonymization, the Right to be Forgotten, and the Right to Access, you need a rule that all personal data is stored on Contacts.
- Identify which data are subject to erasure during Anonymization; you configure this in the Contact’s custom field settings.
- Decide which users of Easy Project need access to Contacts and limit access by Contact type.
- If all users need access to all Contacts but some should see a limited data set, set the custom field visibility accordingly.
- Identify which custom fields outside Contacts need to be protected and set their visibility accordingly.
- Tighten the password policy enforcement in Easy Project.
- Right to be Forgotten and Right to Access:
- We recommend defining a Project Template that formalizes, in detail, all steps needed to delete personal data from all systems. Once a request comes in, you can simply document that all steps were carried out according to your internal process.
- Define how long you need to keep user action audit data (logs) and configure the retention in Easy Project accordingly.
4. Easy Project in cloud
Easy Software provides Easy Project as a service in the cloud. For cloud clients, Easy Software acts as a Data Processor. As a Data Processor, we fulfil the GDPR requirements through the following:
- Easy Software has implemented technical and process measures that limit potential access to your data to exceptional and explicitly requested occasions, as well as the other technical, administrative and organizational measures required to be fully compliant with GDPR. The specific list of measures and the other terms of data processing are set out in a duly concluded Data Processing Agreement.
- If you are an EU organization, it is guaranteed that your Easy Project instance (and therefore your data and its backups at the disaster recovery sites) is stored within the EU.
- Easy Software uses only verified data centers with high-end security and all relevant ISO certifications. Details can be provided upon request.
- Regular backups are taken; browser traffic is protected with HTTPS, and backup transfers are encrypted with SSH-2. Firewalls restricted to HTTPS and the other standard hardening settings meet GDPR requirements. You may learn more about our cloud services here.
- Security can be further increased with the Private Cloud service, where protection can be extended through individual configuration of the dedicated server (hardware). In that case, you are fully responsible for all security and organizational measures.
5. Easy Software and your personal data
Easy Software is a manufacturer of project management platforms and a commercial organization. This means that all data collected serves to support Easy Software’s business and its services for organizations.
Data about individuals are collected as well, and under the GDPR those are personal data protected by the regulation.
5.1. Personal data collected
- Name and surname
- Telephone
- Company
- Position at the company
- Trainings completed and certifications gained for Easy Software products
- History of visits to Easy Software product pages
- IP Address
5.2. Purpose of data collection, processing, and profiling
Easy Software collects data for the following purposes:
- To set up commercial cooperation with organizations; for that purpose, Easy Software may collect data about contact persons in such organizations.
- To provide services to existing customers (organizations); for that purpose, Easy Software may collect data about contact persons in such organizations.
- To inform customers and potential customers about new features, releases, and other messages of both an informational and a marketing nature.
Collection:
- All information collected about individuals is gathered through contact forms, through proper communication channels directly from the organizations and/or persons, and/or from publicly available data (e.g. commercial registers).
Data combination and profiling:
- Easy Software processes data by automated means but does not profile any individuals, nor is any individual subject to automated decision-making that would have an impact on them. All data collected serves only as contact information within an organization and is used in accordance with that purpose.
- Easy Software profiles organizations for statistical, marketing and business purposes. Personal data are not subject to these analyses.
- Easy Software combines all data in its own information system (Easy Project) on the Contact or CRM entities.