What is GDPR?
GDPR stands for General Data Protection Regulation; it has been an EU regulation since 25th May 2018 and has implications that reach far beyond EU borders because it affects not only EU organizations, but also organizations from other countries that collect or process data from EU residents.
GDPR also addresses the transfer of personal data from the EU to third-party countries, like the United States. The provisions on cross-border data sharing did not radically change from the regulations previously in place under data protection directives. GDPR does not contain any specific requirement to enforce that personal data of EU residents should reside in an EU member state. However, it includes conditions that must be met before this transfer can occur, including adequacy of data protection measures.
GDPR has six fundamental principles related to Personal Data:
- It should be processed lawfully, fairly, and transparently.
- It should be collected for specified, explicit, and legitimate business purposes.
- It should be adequate, relevant, and limited to what is necessary.
- It should be accurate and, where necessary, kept up to date.
- It should be retained only for as long as necessary.
- It should be processed appropriately to maintain security.
GDPR Key Definitions
These are the essential definitions that GDPR introduced for various aspects of data protection.
- Controller: Person or organization that decides the purpose and means of processing personal data.
- Processor: Person or organization which processes personal data on behalf of the controller.
- Consent: The agreement to process data from the data subject. It must be freely given, specific, informed, and an unambiguous indication of the data subject by a statement or by explicit affirmative action.
- Personal Data: Any information relating to an identified, or more importantly identifiable, natural person. Thus, any data that can be used to determine the identity of a person can be considered personal data, e.g., IP addresses and online identifiers.
- Processing: Any operations, whether automated or not, performed on personal data sets.
What is HCL’s role in your organization's PowerPack-related GDPR compliance?
When you use our PowerPack add-ons, HCL acts as a data Processor for you and is thus required to meet all the requirements imposed on data processors under the regulation. Your organization is considered the data Controller under the law, and it is your organization’s responsibility to handle compliance with GDPR.
HCL is also considered a data Controller for our customers’ data, and we will ensure our own data processing complies with the requirements to give you the best possible experience.
What are HCL’s PowerPack-related responsibilities under GDPR?
As a data Processor, our primary responsibilities are to ensure that we have in place policies and practices that conform to the GDPR requirements and that our PowerPack add-ons are compliant with GDPR. This includes security measures, which we already have in place, as well as procedures and documentation to demonstrate compliance with GDPR, and thus support your organization’s compliance.
Our responsibility is to process data as agreed, and take adequate security measures to protect your data.
What PowerPack Add-ons are affected by GDPR?
Our PowerPack add-ons are solutions that deliver value by extending the Dynamics 365 platform. Many of them operate directly within the platform and thus do not require any of your customer data to be processed by HCL. However, certain add-ons need back-end integration and synchronization to fulfill their function. This information can be quickly found by navigating to the configuration page for each PowerPack add-on imported in your CRM.
PowerPacks that rely on PowerObjects’ Cloud Services:
- PowerChat: Relies on our cloud to set up chat communications with client’s endpoints.
- PowerEmail: Uses our cloud to track email delivery and opens.
- PowerMailChimp: Synchronizes data between Dynamics 365 and MailChimp using our cloud.
- PowerShare: Uses our cloud to track visits to digital assets shared with the tool.
- PowerSMS: Synchronizes data between Dynamics 365 and the SMS provider using our cloud.
- PowerSurveyPlus: Uses our cloud to capture survey responses to record into Dynamics 365.
- PowerWebForm: Uses our cloud to capture form submissions to record into Dynamics 365.
- PowerWebTraffic: Uses our cloud to track visits to websites configured by you.
- PowerZapEvent: Synchronizes data between Dynamics 365 and ZapEvent using our cloud.
- PowerAttachment: Uses our cloud to extract attachments to store in your SharePoint.
- PowerAutoNumber: Uses our cloud to generate the next sequential number.
- PowerGeoLog: Uses our cloud to track Dynamics 365 user logins.
How does HCL handle PowerPack-related cross-border sharing and data jurisdictions?
The only cross-border data sharing HCL does is for the data sets needed to register a PowerPack. This information is recorded on our own US-based system. We do not perform any cross-border data transfer within a PowerPack. Whenever you install a PowerPack that does require back-end processing in our PowerPack Cloud, you can decide what region you want your data processing to occur. The current available locations are the United States, Brazil, Europe, and East Asia. We use Microsoft Azure services for our PowerPack Cloud systems and our Cloud regions correspond to the underlying Microsoft Azure regions.
Please note that some of our PowerPack add-ons provide integration with third-party services. You are responsible for the provision of these third-party services, and our add-ons will communicate with them as instructed by you on setup. This could potentially include cross-border data transfers, and you are responsible for ensuring that the third parties processing your data are also compliant with GDPR. For example, MailChimp has detailed guidance within their Knowledge Base on how they are accomplishing this in relation to the EU-US Privacy Shield agreement.
How does HCL process data in PowerPack add-ons?
Whenever we need back-end processing on our PowerPack Cloud to deliver PowerPack functionality, we use services in the Microsoft Azure platform. This platform offers us a high standard of security and gives added benefits to ensure that appropriate technical security measures are in place to provide the utmost protection for your customer’s data.
Our PowerPack Cloud processing is straightforward. We only synchronize or integrate data with the aim of recording it into your Microsoft Dynamics 365 instance. Therefore, we do not have any of your customer data recorded permanently in our cloud services. We only keep it for as long as required to complete the successful processing, and no longer than 30 days.
In general, we can describe our PowerPack data processing as follows:
- When you install a new PowerPack, we collect registration information including your contact details and your Dynamics 365 organization details – instance name and unique id, number of users, and URL; as well as some other details needed for each specific PowerPack, like credentials or API keys. This information is securely transmitted to our PowerPack Registration engine using industry standard TLS encryption. The data then is recorded in our US-based data center and encrypted at rest.
- If the PowerPack needs back-end processing or synchronization as described earlier, you can choose one of our PowerPack Cloud locations that better fit your data jurisdiction requirements. These locations correspond to the Microsoft Azure cloud locations as we use Microsoft Azure Cloud services to provide this infrastructure. We never send your data to different PowerPack cloud locations, so you have total control over where your data resides. Additionally, thanks to the strength of the Microsoft Cloud, we have an additional number of technical security measures to help us protect your data during this processing.
- If the functionality requires integration with third-party APIs – e.g., MailChimp or Twilio – you will provide this configuration during the setup of the solution to enable the PowerPack functionality. We then use that information to send the data as expected to these third-party services to implement the PowerPack. All data transmission between systems is encrypted and follows industry security standards.
- Your customer data is only retained in our cloud for up to thirty days while we ensure that it has been successfully stored in your Dynamics 365 instance. After that, we remove the information from our systems. Our PowerPack Cloud does not keep any permanent record for of your customer data.
What is PowerObjects doing to ensure compliance with GDPR?
We are working hard to get everything ready for GDPR compliance, some of the activities you will see happening before May 2018.
- Security: We take security very seriously, we already perform weekly and monthly security scans. We also conduct regular external audits and penetration testing to all our infrastructure.
- Communication: We are reviewing our communication and notification procedures to ensure that they are in full compliance with the GDPR.
- Technical Implementation Details: We are creating some Technical Guides that give further details on how each affected PowerPack process your customer’s information. These guides will be available on demand to our customers.
Where can I find further information about GDPR?
The full text of the GDPR is available here. The European Commission has a helpful website dedicated to the Data Protection topic which covers GDPR and other related issues. We also recommend the Irish Data Protection Commissioner’s GDPR site, and the UK’s Information Commissioner’s Office 12 Steps Guide valuable resources to aid in understanding how to be compliant with GDPR.
As a PowerPack subscriber, you can always reach out to our PowerPack team if you have questions about PowerObjects’ compliance with GDPR or other issues related to data privacy.