The General Data Protection Regulation (GDPR) is a regulation by which the European Parliament, the Council of the European Union, and the European Commission intend to improve data protection for all individuals within the European Union (EU).
Glofox takes the security of our customers’ data very seriously and will be fully compliant with GDPR when it comes into effect on May 25, 2018.
Over the past six months, we have completed a comprehensive review of our system and processes and undertaken a number of key initiatives to get ready for GDPR which include:
Review of how we store and process Personally Identifiable Information
We conducted a top to bottom review of how we store and process our customer data. Under GDPR, Glofox is both a data controller and a data processor and we are very cognizant of our duties and responsibilities in both these roles. Arising from this review, we formulated a list of tasks and key action items to undertake to ensure compliance with GDPR.
We are adding new features to the platform to give our customers the tools to meet their own GDPR obligations. For example, from early May, all members and clients of our customers’ gyms and studios will be able to view and control their own consent settings for marketing communications sent through the Glofox platform. These permissions can also be set manually on the Member profile in the Glofox Platform.
Privacy by Design
We have also fully committed to the “Privacy by Design” requirement (data protection by design and by default under GDPR) and will ensure that any action we undertake that involves processing personal data is carried out with data protection and privacy in mind at every step.
Up to now, all of the data that we process on behalf of our customers has been stored and processed in the EU. For our EU customers this will remain the case. For customers in the rest of the world, this data will now be stored and processed on servers located in their own regions.
Appointment of a Data Protection Officer
Glofox will be appointing a Data Protection Officer (DPO) to ensure that our policies and practices remain in compliance with GDPR going forward and to ensure that we embrace a policy of data protection by design and by default.
Update to our Terms of Service & Privacy Statement
We have updated our Terms of Service and Privacy Statement to reflect our obligations under GDPR and to ensure that our customers and their members clearly understand how we control and process data on their behalf.
Update to Policies & Procedures
We have also reviewed and updated all of our other policies to ensure that we have the requisite procedures in place to handle any data request or incident, including data breaches and data subject access requests.
Comprehensive training and internal knowledge
We have conducted company-wide training with all of our staff on our obligations as an organisation under GDPR and on their obligations in their respective roles. Each department in Glofox has also undergone its own training on how GDPR applies to that business function.
Contact with Third Party Service Providers
The GDPR team at Glofox has contacted all third-party providers who process data on our behalf to confirm that they are compliant with GDPR. Where these organisations are based in the US, we have verified that they hold Privacy Shield certification, the framework recognised at the time of writing for transferring personal data out of the EU. (Note that the EU-US Privacy Shield was later invalidated by the Court of Justice of the European Union in July 2020, so transfers relying on it require an alternative legal basis.)