Contents:
- Overview
- What is Personal Data?
- Data Processors Versus Data Controllers
- Who Controls the Absorb Data?
- Who Processes the Absorb Data?
- How does ASI Secure Service Data?
- How does ASI Respond to Info Requests?
- When does GDPR start & who is Affected?
- How Will GDPR Impact Data Controllers & Processors?
- How Has ASI Prepared For GDPR?
- How Can ASI Clients Prepare For GDPR?
- Who Can I Contact For More ASI / GDPR Info?
Overview
Absorb Software Inc. (ASI) values your business. Our company has over 700 clients in numerous industries across North America, Europe and Australia, each one entrusting us to deliver a superior and intelligently crafted learning technology solution.
With that comes the responsibility of keeping each client’s service data secure and controlled. So it’s important for our customers to be aware of our commitment to protecting the information they share with us while doing business with us.
Some of the service information our clients collect can be categorized as “personal data”, which warrants additional care in order to protect the privacy rights of the individual data subjects (i.e. the users of the Absorb LMS).
These same privacy rights empower data subjects to control the collection, storage, transfer and use (processing) of their personal data. That control matters to every person when it comes to ownership of their individual information, and it deserves to be upheld.
What Is Personal Data?
- Personal Data is defined as categories of information relating to an identified or identifiable natural person (called a “data subject”) where said data captures the subject’s private, professional or public life in a way that can be used to directly or indirectly identify the person.
- This can be anything from a name, email address, bank details, posts on social networking websites, medical information, or even an IP address.
Data Processors Versus Data Controllers
- Concerning the treatment of data, it’s also important to distinguish between the two types of parties having responsibility for the information:
- Data Controllers are the entities that determine the purposes, conditions and means of the processing of personal data.
- Data Processors are the entities that actually process the personal data on behalf of the data controller.
- Often these responsibilities are split between separate and distinct parties, while in other processing scenarios the same entity can be responsible for both.
- This article provides further details on the types and their responsibilities.
Who Controls The Absorb Data?
- When it comes to the Absorb LMS, our clients are the “controllers” of the information collected and determine exclusively how the software’s service data for their portal will be used and processed.
- However, if a data subject provides their personal data directly to ASI (such as a website visitor, a conference attendee, an employee, etc.) we act as the data controller for that collection of personal data.
Who Processes The Absorb Data?
- As the “processor” ASI is obligated to process the solution’s service data only as directed and agreed to by the controller (client).
- In certain instances, ASI utilizes sub-processors that are also obliged to process data as directed by the controller, a list of which can be found here.
How Does ASI Secure Service Data?
- ASI maintains enterprise-grade data security measures to ensure the privacy and protection of our clients’ data.
- Our business encrypts service data at rest and in transit using a minimum of AES-256, and all data in transit is secured using SSL.
- In addition, further policies cover compliance with data privacy regulations and network security controls, and an overview is available of the SOC 2 compliance of Absorb’s cloud service provider.
How Does ASI Respond To Info Requests?
- Privacy and data security are equally important to both our customers and ASI.
- Our business only discloses service data to:
- Our data controller (client), to support and meet our contractual agreement; and,
- Regulatory authorities, as requested, to comply with the laws of the jurisdictions in which we operate.
General Data Protection Regulation
The EU General Data Protection Regulation (GDPR) replaces the outgoing Data Protection Directive 95/46/EC and has been designed to harmonize data privacy laws across Europe, protect and empower the data privacy of all EU citizens, and reshape the way organizations across the region approach data privacy.
When Does GDPR Start & Who’s Affected?
- The GDPR was approved and adopted by the EU Parliament in April 2016. The regulation takes effect after a two-year transition period and becomes legally enforceable on May 25, 2018.
- The GDPR applies to all businesses / organizations operating in the EU that process the “personally identifiable data” of EU residents.
How Will GDPR Impact Data Controllers & Processors?
By May 2018, GDPR will be implemented in all local privacy laws across the EU and European Economic Area.
This new regulation puts the individual in control of their personal data, with the obligation of compliance resting entirely on data controllers and processors. To achieve this, the GDPR regulates how personal data can be securely processed, used and transferred; and applies to all businesses and organizations offering goods and services to EU citizens.
Under the GDPR, individuals will have the following informational rights:
The Right to Access
This means that individuals have the right to request access to their personal data and to ask how their data is used by a business / organization after it has been gathered. The controller must provide a copy of the personal data, free of charge and in electronic format if requested.
Absorb Software has created a process to collect and collate this personal data to support our clients’ (controllers’) obligation to meet this right.
The Right to Be Forgotten
This means that individuals that are no longer customers, or that choose to withdraw their consent from a business / organization to use their personal data, have the right to have their personal data deleted.
Absorb Software will take all reasonable steps to erase personal data being processed for our clients as documented in the Data Processing Addendum.
The Right to Data Portability
This means that individuals have a right to transfer their personal data from one service provider to another, which must be carried out using a commonly used and machine-readable format.
Absorb Software will provide the client (controller) personal data in a structured, commonly used and machine-readable format to support the data portability obligation.
The Right to Be Informed
This means that individuals must have the right to be informed before any personal data is gathered by a business / organization. Individuals must opt in for their data to be gathered, with said consent formally and freely given rather than being implied.
Absorb Software has upgraded our product to give our clients the ability to upload their privacy notices (in several languages) so that they can be accessed prior to consent.
The Right to Have Information Corrected
This means that individuals have the right to have their data amended if it is out of date, incomplete or incorrect.
Absorb Software is fully amenable to rectifying any inaccurate data, at any time, as directed by our clients as the data controller on behalf of their users.
The Right to Object
This means that individuals have the right to terminate the processing of their data for direct marketing purposes. There are no exemptions to this rule and any such processing must stop as soon as the request is received.
Absorb Software has processes in place to identify and isolate personal data in a manner that prevents further processing.
The Right to be Notified
This means that if there has been a data breach, one likely to result in a high risk to the rights and freedoms of an individual data subject, that person has a right to be informed without undue delay.
Absorb Software has robust processes in place for the unlikely event of a high-risk data breach. These processes are designed to support our clients by providing the detail required to make an informed and timely notification to the Data Protection Authority.
Under the GDPR, organizations will be required to demonstrate both the security of the data they process and their ongoing compliance with the legislation, by implementing and regularly reviewing their technical / organizational measures and compliance policies.
How Has ASI Prepared For GDPR?
During our GDPR preparations, ASI’s Compliance Office has sought to identify our own data processor obligations under the legislation, as well as those of our data controllers (clients), so that we can anticipate the support our customers will need to achieve compliance on their part.
At present, our Compliance Office is close to finalizing our internal GDPR compliance preparations to be followed by a thorough readiness review, all to be completed well in advance of the May 25, 2018 enforcement date.
Data Processing Addendum
- ASI has also created a Data Processing Addendum to address the General Data Protection Regulation. This Addendum forms part of the master agreement between Absorb Software Inc. and our clients and formalizes the parties’ responsibilities / agreement regarding the Processing of Personal Data of our Customers, in accordance with the requirements of Data Protection Laws.
- This addendum facilitates our customers’ compliance obligations under the GDPR by containing a lawful data transfer mechanism (Model Contract Clauses) that is recognized by the European Commission as offering adequate safeguards for transfers from data controllers in the EEA to data processors outside the EEA.
- Taking these model clauses in their entirety within the context of the Absorb contract, ASI’s client will not need to make their own assessment as to the adequacy of protection afforded to the rights of data subjects in connection with the transfer of individual personal data to the Absorb LMS client portal.
What are technical and organizational measures in place for the Absorb LMS?
ASI has implemented a set of technical and organizational measures to ensure that our clients’ data is protected in compliance with applicable privacy and data protection laws. These measures include, but are not limited to, the following:
- Hosting infrastructure: The Absorb LMS infrastructure architecture is designed for resilience and high availability, spread over two AWS availability zones (i.e. two physical data centres), enabling a hot/hot data centre strategy.
- Physical security (data processing facilities excluding data centers): All data processing facilities including office areas are secured with controlled access enforced at all entry points. Access rights as well as access logs are reviewed on a regular basis.
- Physical security (data centers): The Absorb LMS is hosted in AWS and relies on AWS for physical security. AWS has implemented a wide range of controls for physical security which can meet the most stringent requirements in the industry.
- Roles and responsibilities: Roles and responsibilities for security and privacy are defined and established.
- Security, privacy and GDPR awareness training: All personnel are required to take the training upon hire and on an annual basis.
- Policies and procedures: Policies and procedures are in place and reviewed on an annual basis.
- Access management: Access control rules are enforced at hypervisor, network, system, storage, application, and data layers. Principles for segregation of duties and least privilege are implemented. Users and access permissions are reviewed on a regular basis.
- Data encryption: Data is encrypted at rest (AES-256) and in transit (TLS 1.2) to ensure data confidentiality and integrity.
- Data transfer: Where GDPR applies, data transfer outside the EU/EEA is governed by GDPR data transfer rules.
- Data minimization: The use of data, including data sharing, is limited to what is necessary for the specific purposes.
- Third parties: A process for managing and monitoring third-party access, including subprocessing, has been established. Absorb has a data processing addendum in place with all subprocessors.
- Backup and recovery: Procedures are documented and implemented, and recovery tests are performed on a regular basis.
How Can ASI Clients Prepare For GDPR?
To get clients started on their compliance, the following resource provides the basic steps required to get ready for GDPR, and the links below will also be helpful.
ASI encourages all client data controllers to prepare for the General Data Protection Regulation by reviewing their processes and policies for the necessary compliance and by starting GDPR preparations in the following key areas:
- Information You Hold – Map your company’s data to document what personal data you hold, where it came from and who you are (will be) sharing it with.
- Communicating Privacy Information – Review your current privacy notices and put a plan in place for making any necessary changes in time for GDPR implementation.
- Individuals’ Rights – Check your procedures to ensure they cover all the rights individuals have, including how you would delete personal data or provide data electronically and in a commonly used format.
- Subject Access Requests – Update your procedures and plan how you will handle access requests within the new timescales and provide any additional information.
- Lawful Basis for Processing Personal Data – Identify the lawful basis for your processing activity as per the GDPR; then document it and update your organization’s privacy notice to fully communicate / explain it.
- Data Processing Agreement (“DPA”) – In instances where personal data is transferred outside the EEA, an Absorb client may need to have DPAs in place with its sub-processors in order to ensure an adequate level of protection for the transferred data. Absorb’s DPA addresses GDPR and is available here.
- Consent – Review how you seek, record and manage consent and whether you need to make any necessary changes in order to meet the GDPR standard.
- Data Breaches – Make sure you have the right procedures in place to detect, report and investigate a personal data breach.
- Data Protection Officers – Designate someone in your organization to take responsibility for data protection compliance and assess where this role will sit within both your governance arrangements and HR structure. (And while you are at it, consider whether you are required to formally designate a Data Protection Officer.)
- Data Protection Impact Assessment (“DPIA”) – GDPR requires data controllers to carry out Data Protection Impact Assessments ("DPIAs") in cases of potentially high-risk processing activities, as well as consult supervisory authorities ("SAs") in certain instances.
Under the GDPR, data controllers will also be required to undertake DPIAs prior to data processing and to the introduction of new technologies likely to result in a high risk to the rights and freedoms of individuals.
Completed DPIAs usually describe an organization’s data processes and protective measures, particularly those that may be high-risk. For riskier data processing activities, customers are strongly encouraged to conduct a DPIA and file it with the authorities.
Who Can I Contact For More ASI / GDPR Info?
Should you have any questions on the ways in which Absorb Software Inc. is preparing for its compliance with the upcoming enforcement of the General Data Protection Regulation, please feel free to reach out to our company’s Compliance Office by emailing us at: