About GDPR

The General Data Protection Regulation (GDPR) is a new European data protection law that will provide greater data protection for individuals in the European Union (EU). Under this new regulation, EU residents will have greater say over their personal data and how it is used, processed, or disposed of. This rule clarifies how the EU personal data laws apply even beyond the borders of the EU. Any organization that works with EU residents' personal data in any manner, irrespective of location, has obligations to protect the data. At Q4, we're ensuring our systems and processes are compliant for the GDPR's effective date of May 25, 2018.

Q4’s Commitment

As always, Q4 takes a customer-first approach in the way we build products and work with our partners and customers. We are working to bring our suite of products into compliance with the GDPR by May 2018 and will be making updates to products and terms to ensure customer and partner data is managed and shared in compliance with the GDPR.

How is Q4 preparing for GDPR?

Q4 understands its obligation to help customers get ready for GDPR's go-live date. We have thoroughly analyzed the GDPR requirements and have put in place a dedicated internal team to drive our organization to meet them. Some of our ongoing initiatives include:

Data Mapping and Assessment

  • Conducting an audit of all our applications to document any interaction with personal data
  • Reviewing agreements with our vendors and suppliers to ensure their GDPR compliance standing as well as preparing our own Data Processing Addendum

Employee Training and Awareness

  • Developing training programs to ensure our staff are aware of their obligations with the handling and treatment of personal data

Data Transparency and Subject Access Requests

  • Setting up processes and procedures to handle Subject Access Requests and, with GDPR's data portability and transferability requirements in mind, enhancing the product to export data at the individual level
  • Updating our privacy policy to provide visibility and transparency into the individual data collected, held and used

Lawful processing, Consent and best practices

  • Assisting our clients with GDPR best practices such as consent language and mechanisms

Security and Data Integrity

  • Implementing and enhancing data integrity and security technical controls such as encryption both at rest and in motion, pseudonymization, privacy by design and by default, and minimization of personal data where required
  • Building incident response policies and a crisis management team to respond to data breaches and inform the Supervisory Authority within 72 hours
  • Building an ISMS security program to protect personal data in accordance with the ISO 27001 standard and performing regular vulnerability scans on the production environment
  • Establishing a backup, retention and disaster recovery policy to protect customer data
  • Establishing annual audit processes and protocols to ensure our commitment to protecting personal data on an ongoing basis

What should you do to be GDPR-ready?

If you are just getting started with GDPR compliance in your organization, here's a quick to-do list to help you prepare for May 25th.

  • Create a data privacy team to oversee GDPR activities and raise awareness
  • Review the current security and privacy processes in place and, where applicable, revise your contracts with third parties and customers to meet the requirements of the GDPR
  • Identify the Personally Identifiable Information (PII)/personal data that is being collected
  • Analyze how this information is being processed, stored, retained and deleted
  • Assess the third parties to whom you disclose data
  • Establish procedures to respond to data subjects when they exercise their rights
  • Establish and conduct Privacy Impact Assessments (PIA)
  • Create processes for data breach notification activities
  • Maintain continuous employee awareness, which is vital to ensure ongoing compliance with the GDPR
  • Build a simple and transparent privacy policy that is easy for data subjects to understand and clearly defines how their data is collected and processed