MindFire and GDPR
Disclaimer: While this post’s content is designed to help you understand the GDPR in connection with MindFire’s services, the information may not be construed as legal advice and you should consult with your own legal counsel regarding your unique obligations under the GDPR, and the use of any company’s products and services (including MindFire) to process personal data.
The EU General Data Protection Regulation (“GDPR”) is a new data protection law that came into effect on May 25, 2018. It replaces the existing EU Data Protection law to strengthen the protection of “personal data” and the rights of the individual. It is a single set of rules which govern the processing and monitoring of EU data. At MindFire, we are working hard to ensure that we fulfill our obligations and maintain our transparency about customer data.
NOTE: As with other data and consumer protection laws, GDPR requires commitment from us (MindFire) and you (our Customers). In some ways, the responsibility is shared, but ultimately, you are responsible for your unique situation and compliance with GDPR. We remain committed to helping you meet these requirements (there are a number of tasks that are in progress on our end) and will provide assistance throughout the entire process.
I am a MindFire Client. Does it affect me?
Yes, most likely. If you hold or process the data of any person in the EU, the GDPR applies to you, whether you are in the EU or not. In most cases, our clients are considered Controllers in the eyes of GDPR, and MindFire is considered a Processor.
Controllers and Processors
There are two key roles defined in the GDPR: Controller and Processor.
The Controller is the business — you — who are ultimately in charge of deciding how data are collected and used. As a customer of MindFire, you operate as the Controller when using our products and services. You have the responsibility for ensuring that the personal data you are collecting is being processed in a lawful manner pursuant to the GDPR and that you are using processors, such as MindFire, that are committed to handling the data in a compliant manner.
MindFire is considered a Processor. We act on the instructions of the Controller (you), which come to us via our applications like Studio, or via our platform APIs. Like Controllers, Processors have an obligation to explain what they do with personal data. However, as a Processor, we rely on you, the Controller of the data and our customer, to ensure that there is a lawful basis for processing.
Processors may, in the performance of their service, use other third parties in the processing of personal data. These entities are known as sub-processors. MindFire uses several cloud infrastructure providers like Amazon Web Services and Rackspace — all of which are considered sub-processors — as well as other services like SocketLabs.
How has MindFire prepared for GDPR?
Our teams have been working to define our GDPR roadmap, which we intend to publish soon on this page.
Because GDPR requires a massive overhaul of processes and data models, we intend to keep you apprised of everything we are doing to make sure we are meeting our legal obligations, and doing the best thing for our customers and yours.
Here are the main things we have been doing (or will do) to ensure we are setting ourselves and our customers up to meet GDPR obligations:
MindFire has defined a DPO (Data Protection Officer)
We have appointed a Data Protection Officer; see below.
We Have Built and Continue to Build New Features & Infrastructure
Our teams are building (or in some cases, have already deployed) the necessary features and infrastructure that will enable our customers to meet their GDPR obligations.
MindFire will help you meet your data portability requirements for GDPR, meaning you will be able to export all of your data or granular subsets linked to an individual Contact, and permanently delete all data related to a single user.
We will publish our Data Processing Agreements (DPAs) and Legal Agreements
Robust data protection commitments are a vital part of GDPR’s requirements. Our new data processing agreement will share our privacy commitments and set out the terms for MindFire and our customers to meet GDPR requirements.
We have coordinated with our vendors
We have reviewed all of our vendors, finding out about their GDPR plans and arranging similar GDPR-ready data processing agreements with them.
We are taking new security measures
Security is a priority for us. We will keep sharing information on our progress, and we will also help our customers (including those of you who provide services to your own Clients via MindFire) be compliant. Some steps you can take are:
- Get familiar with the GDPR requirements and how they affect your company.
- Map out everywhere you process data and carry out a gap analysis (including your interactions with MindFire).
- Look at all the software and tools you use to manage data, and think about privacy, security, and GDPR requirements from top-to-bottom.
- Speak with your lawyer about your specific needs to ensure you’re aware and compliant.
What can we do to help you?
To help you meet your obligations under the GDPR, we will be updating this page to include instructions and code snippets you can use. Stay tuned.
Data Protection Officer:
- Ali Malekshaki
Subprocessors for GDPR
AWS, SocketLabs, Azure, Twilio, Zapier, Google, Rackspace, CellTrust, Mailgun
Recommended GDPR Resources
Here are some recommended resources to assist in your research:
- EU GDPR Information Portal: https://www.eugdpr.org/
- GDPR Glossary: https://www.eugdpr.org/glossary-of-terms.html
- Complete GDPR Legislation: https://gdpr-info.eu/
- SocketLabs GDPR Policies: https://www.socketlabs.com/legal/gdpr/
Feel free to reach out to us in the comments, or via firstname.lastname@example.org.
By David Rosendahl – May 9, 2018