Akita will meet or exceed the requirements specified in the EU’s General Data Protection Regulation (“GDPR”) by the May 25th deadline. This document outlines some of the steps we have taken to make certain that we comply with the new laws.
3rd-Party Sub Processors
We use services provided by 3rd-party vendors to help provide the Akita service and effectively run the Akita business. By the May 25th deadline, we will have entered into GDPR-compliant Data Processing Agreements with each of our vendors. You can find a list of these vendors here.
Security Breach Response
In the event of a data breach, we will notify our customers in a timely manner as required by GDPR and outlined in our Data Processing Agreement.
Data Processing Agreement
We have incorporated a GDPR-compliant Data Processing Agreement into our overall Terms and Conditions. To continue using Akita, you must accept both the DPA and the Terms and Conditions. Unfortunately, we cannot sign customer-provided DPAs, as doing so would require prohibitively expensive outside legal assistance for each contract.
Data Protection Officer
Akita has appointed David Smith as its Data Protection Officer. He is registered with the Irish Data Protection Commission and is responsible for overseeing customer data security, privacy and GDPR compliance at Akita.
Data Protection Impact Assessments
For each new feature we implement, we will determine whether the new feature poses a risk to user privacy and the security of personal data. If the level of risk requires it, we will conduct a Data Protection Impact Assessment that describes the flow of sensitive data through the application, identifies areas of risk, and outlines solutions to mitigate that risk. This DPIA will be signed off by Akita management and implemented as part of the project plan.
Easy to Understand Terms and Conditions and Privacy Policies
Right to Data Access, Portability and Deletion
Akita processes and stores all personal data in a GDPR-compliant manner using only GDPR-compliant Sub Processors. We store your data for 2 years unless your account is cancelled. In the event your account is cancelled, we will delete your data in accordance with our Terms and Conditions.
GDPR requires that you provide your users with the ability to access, update, retrieve and remove personal data. Upon request, Akita will work with your team to delete or export any data you require. If you have integrated with a 3rd-party application, Akita may re-import that data. You may need to delete or update data in the connected application prior to deleting it from Akita.
Akita has had regular internal discussions concerning data privacy and GDPR compliance. Our product, sales, and marketing teams have researched, and will continue to study, ways to make sure Customer data is only used in compliance with GDPR.
| Requirement | GDPR Articles | Status / Actions |
|---|---|---|
| Data Protection Officer (DPO) | | Registered with Office of the Data Protection Commissioner. Nominated David Smith as Data Protection Officer. Paid applicable fees. |
| Training across all personnel (development and roll out) | Articles 7-8 & 12-15 | Completed training for all impacted personnel. |
| Data breach procedures | Articles 33 & 34 | Data breach response incorporated into DPA. |
| Data processing records | | Record of processing activities, including purposes of the processing, description of the categories of data and recipients, and any transfers. Update periodically. |
| Audit and analysis of privacy framework | | Audit all existing client & third-party contracts to ensure compliance with GDPR. Make necessary amendments. Review & update insurance coverages. Review & control. |
| Ensure appropriate technical & organizational measures | | Guarantees by processor to implement appropriate technical & organizational measures to ensure the protection of the rights of the data subjects. Update data protection agreements and appendices. |
| Data transfers and export controls | Articles 7-8 & 12-15 | Identify cross-border data flows and review mechanisms in place. Ensure adequate level of protection with contractual clauses. |
| Reevaluate notice, consent and withdrawal mechanisms | | Evaluation of existing consent & procedures in place, and ease of withdrawal. Provide exports of user data upon request within time specified. |
| Data protection by design and by default | | Technical & organizational measures to ensure that, by default, only personal data which are necessary for each specific purpose of processing are processed. Implement data protection principles, such as data minimisation. |
| Security of processing | | Technical & organizational measures to ensure a level of security appropriate to the risks at stake. |
| Carry out data protection impact assessment | | Created template for future DPIAs. |
Last Updated: 13th May 2018