What is GDPR?
The General Data Protection Regulation (GDPR) is a regulation in EU law on data protection and privacy for all individuals within the European Union and the European Economic Area. The regulation outlines that EU residents will now have greater control over how their personal data is stored, processed, and used by organizations within or outside the EU or EEA. All organizations that process data of EU residents come under the purview of this regulation, irrespective of their location.
This regulation comes into effect on May 25, 2018.
For more information on GDPR, see the EU GDPR official website.
Trycon Technologies Private Limited (Scanova) has always been committed to protecting the data of its customers and end-users, both through robust internal security processes and through technological tools, irrespective of where our customers and end-users are located across the globe. With GDPR coming into effect, the company is taking extra measures to ensure that it is not only GDPR ready and compliant itself, but also provides its customers with the tools and capabilities they need to be GDPR compliant with respect to their own end-users.
Scanova’s GDPR Compliance
As a Data Controller, Scanova is responsible for the way it collects, processes, and stores customer data. To ensure GDPR compliance, we have taken a series of measures so that Data Subjects have full control over the data they share and so that this data is protected in every way.
Here is what Scanova is doing to be GDPR ready:
1. Full Transparency
To honor the ‘Right to be informed’ principle of GDPR, we have:
- Revamped our application interface so that, at each stage, the customer understands clearly and concisely what data is required and for what purpose
- Ensured that no Personally Identifiable Information (PII) of the customer can be collected without the customer's explicit consent
- Added capabilities to our products and services that allow our customers to obtain consent from their end customers before collecting PII
2. Data Control
To honor the ‘Right of Access’, ‘Right to Rectification’, ‘Right to erasure’, ‘Right to restrict processing’, and ‘Right to Data Portability’ principles of GDPR, we have:
- Set up processes that allow customers to request a download of all data connected with them, and that serve such requests in a timely manner. Within a short period of time, we will be adding this feature to our application interface so that customers can take this action on their own, without any delay
- Set up processes that allow customers to edit their personal information at any time, such as the registered email address, billing information, and payment information
- Set up processes that allow customers to request deletion of all data connected with them, and that serve such requests in a timely manner. Within a short period of time, we will be adding this feature to our application interface so that customers can take this action on their own, without any delay
- Set up options in our application interface that allow customers to control how often they receive transaction alerts, notifications, reports, and other content by email
- Ensured data minimization, so that we collect exactly the data points we need to serve our customers in the best way possible and eliminate all unnecessary data points
- Set up processes to ensure that we retain data for a maximum of 26 months after a customer has ceased to use our products and services by not renewing their subscription (as opposed to an 'account delete', where all data is erased immediately)
3. Data Security
As part of our GDPR compliance strategy, we have laid special emphasis on data security measures. Specifically, we have:
- Ensured that all data, at rest or in transit, is secured via encryption using methods such as AES256 and SSL
- Ensured that access to customers' data is limited to select personnel only
- Ensured that access to servers and third-party applications is protected using multi-factor authentication to prevent unauthorized access
- Added a layer of registered email verification that ensures only real customers use our products and services, enhancing data protection for end users
- Added a layer of verification of URLs encoded into QR Codes, using the Google Safe Browsing API, to restrict the use of infected URLs, enhancing data protection for end users
- Set up logging on our servers and apps to provide investigation capabilities and accountability
- Set up processes to notify regulatory authorities and affected customers about data breaches within 72 hours