General Data Protection Regulation (GDPR)

What is it?

The GDPR is an EU Regulation to improve the protection of the personal data of EU citizens and increase the obligations of organizations who collect or process personal data. These new regulations take effect on the 25th of May 2018. The regulations greatly enhance the data privacy and security of our customers and extend to them exercisable rights enabling greater control over one's personally identifiable information. The full specification of the GDPR rights and regulations can be found here

How is Harvard Business Services changing?

Harvard Business Services functions as both a controller and processor of our customers' personally identifiable information (PII). Additionally, we employ a number of sub-processors to which we transmit data for storage or processing beyond feature sets under our immediate control.

As a controller of data, we store PII such as customer names, email addresses, physical addresses, IP addresses, phone numbers and avatars. We use a number of databases through GDPR compliant service providers (MSSQL) to store sensitive customer data.

Harvard is also a processor of customer data. We use customer data to compile legal documents. A number of sub-processors are leveraged by Harvard systems for purposes of financial transaction execution, internal analytics, and system monitoring.

We have a system-wide GDPR compliance effort underway which will manifest itself on the core Harvard website as well as any of our hubs, satellite applications, or other owned properties.

We are both a data controller and data processor and we have several categories of measures to take in order to comply with the GDPR. The general categories are:

  • Auditing data collection and processing processes and protocols
  • Communicating our GDPR responsibility and accountability
  • Collecting explicit affirmative consent to control and process data from our customers
  • Implementing and communicating steps to exercise customer data access rights

Our GDPR compliance processes and procedures are as follows:

Auditing data collection and processing processes and protocols

  • We document the PII data we collect into data flows, data maps, and retention policies.
  • Our privacy policy includes how and why we handle personal data collected by delawareinc.com.

Communicating our GDPR responsibility and accountability

  • Our internal management structure is GDPR aware.
  • We have appointed a Data Protection Officer who leads our GDPR compliance, security, and infrastructure initiatives.
  • We have a technical security and infrastructure team focused on customer data security and regulatory changes.
  • We have a detailed map of the personal data we collect and sub-processors we use.
  • We have Data Processing Addendum contracts with the data processors with whom we share data.
  • We have policies, internal talks, and training for GDPR and data security awareness as well as procedures for handling data breach incidents.

Collecting explicit affirmative consent to control and process customer data

  • We require explicit affirmative consent at or after sign up before usage of Harvard websites.
  • We inform customers of Privacy Policy updates, and we require explicit affirmative consent be recollected upon privacy policy changes.
  • System and marketing emails include unsubscribe utilities.

Implementing and communicating steps to exercise customer data access rights

The GDPR guidelines require processors and controllers give easily executable rights to customers for accessing, updating, removing, cessation of processing, and delivery of their data.

Harvard's customer success and engineering teams coordinate and execute customer data access right requests using the following protocol:

Engagement

  • A customer finds customer success contact instructions in our privacy policy and on delawareinc.com
  • A customer contacts the customer success team at info@delawareinc.com requesting to exercise one or more of their GDPR rights
  • Customer success authenticates the user's identity and acknowledges the request within 48 hours
  • Customer success attempts to resolve the issue themselves
  • (or) Customer success logs the details of the request in our backlog and notifies the Data Protection Officer

Escalation

  • The Data Protection Officer coordinates, defines, and prioritizes steps to resolve the data access request
  • The Data Protection Officer tracks resolution lifecycle

Resolution

  • Harvard's customer success team contacts the requesting customer delivering applicable data packages, captures any further issues, and closes the support ticket


We are operationally GDPR compliant ahead of the May 25th deadline. All delawareinc.com applications and services comply with the regulations and we're happy to see personal data privacy, ownership, and control come to the internet at-large. As a company, we are in full support of the regulation. These are very positive changes for the internet.