How does Plek deal with GDPR and what does this mean for your organization?
The GDPR (General Data Protection Regulation - AVG or Algemene Verordening Gegevensbescherming in Dutch) has entered into force in May. A lot has been said and written about this - also by us - but for the sake of completeness we have summarized how we deal with GDPR and what this means for Plek customers and users.
GDPR and Plek
Plek meets the requirements of the GDPR. We only collect users' personal data if they are necessary. This is called data minimization. An example of this is our link with Office 365. The information displayed on Plek is stored in Office 365. Plek requests the required information behind the scenes and displays it, but it does not store the data itself.
We collect and process data to ensure that Plek users can use their communication platform. This includes analyzing (anonymized) data to improve Plek. We do not use the information we collect for any other purposes.
Our hosting partner is ISO27001, NEN7510 and ISAE3402 certified and Plek itself complies with the requirements of ISO27001 and NEN7510. This demonstrates that our internal processes are in order and that we safely handle personal data.
GDPR guarantees individuals the right to a.o. data portability, erasure (to be forgotten) and access. Below we will outline how these rights apply to Plek users.
Rights of Plek users
The right to data portability
This is the right to receive and transmit personal data. Plek users can access the data Plek processes about them by navigating to their profile page. You can download this information by printing (to PDF, if desired) or by copy-pasting.
The right to erasure
This is the right to be 'forgotten'. It means that, in certain cases, we have to erase personal data if the data subject asks for this. Because we have a processor's agreement with our customers, such a request has to be submitted to Plek by the respective organization (and not by the respective data subject themselves).
Plek users can edit the information on their profile page themselves. Some organizations require certain profile fields to be filled out. This information can be removed from Plek by deactivating your account. If the admin of your Plek deactivates your account, your profile will no longer be visible and can no longer be found by means of the search engine. You will also no longer be able to receive chat messages or @mentions. You will not be able to log in to Plek anymore, and your profile picture will no longer displayed with posts and other content you posted on Plek.
After 6 months we erase all data from deactivated accounts, except for names and email addresses. If you wish, the admin of your Plek can change your name into your initials, and they can change the email address Plek used to identify you as a unique user (if desired, this can be a fictional email address) in order to prevent your name from being traced.
On Plek, the right to erasure applies in the following situations:
- If Plek does not need the personal data anymore for the purposes they have been collected for or are processed for.
- If Plek received (explicit) permission in the past for processing personal data, but this permission is now revoked.
- If there is an objection to the processing. There are different rights of objection (absolute and relative) on the basis of GDPR.
- If Plek unlawfully processes data.
- If the legally stipulated retention period of the data has expired.
The right to access
This is the right to view your personal data. As we wrote with regard to the right to data portability, every Plek user can see which personal informatino we save about them. We have a processors agreement with your employer (or any other organization whose Plek you can access). This agreement lists:
Why we process data
We do this because colleagues and / or others you communicate with on Plek need this data to be able to work with you. We collect and use personal data for the purpose of internal communication, not for any other (marketing related) purpose.
Which organizations we transfer our data to
We don't transfer personal data to other organizations, but we do use an extensively certified and secure hosting partner called True.
For how long we will keep your personal data
We keep your personal data at least as long as it's required for you to access your Plek environment. If your profile is deactivated, we will retain your data for another 6 months. Messages or other content you posted on Plek will remain available to other Plek users. The profile picture displayed with this content will be replaced by your initials.
Which privacy rights a Plek user has
These are the rights we describe in this blog.
That the organization has a right to file a complaint with the Autoriteit Persoonsgegevens
Please refer to the Autoriteit Persoonsgegevens' website for more information.
Which organizations have supplied us with personal data
This is usually your employer or any other organization you're involved in and whose Plek you can access.
GDPR's impact on your internal communication
Many people are writing about how to deal with customers in a GDPR compliant way, but little is published about GDPR's impact on internal communication. So we hereby provide you with some tips that you can use to get GDPR proof.
Make agreements concerning employees' privacy
Draw up regulations that, among other things, describe in which cases the business interest exceeds an employee's right to privacy.
Teach empoyees about device- and data security, regardless of whether they use work- or private devices. An organization-wide awareness of the risks is a good first step in preventing incidents.
Carry out an audit
Which authorized and unauthorized devices have access to personal data? If you don't know who has access, you cannot prevent incidents and you subsequently cannot take appropriate measures.
Provide computers and phones owned by your organization with an up-to-date operating system, virus scanner, firewall, and a mandatory VPN connection to access the corporate network. Also install software on these devices that requires employees to regularly change their passwords. If employees use private devices, you can impose these types of requirements as long as they are reasonable.
Erase data in case of loss or theft
Make sure the contents of business devices are erased in case of loss or theft. But beware: for BYOD devices this means that private data is also erased. Remote erasure should only be allowed with permission of the employee. Make solid agreements in advance so that you don't have to start discussing the issue after the incident has already happened: you have to be ready for remote erasure at any time.