GDPR Resource Centre

Sustaining SafetyCulture’s tradition of data security

SafetyCulture treats the protection of customer data as one of its highest priorities.

Below we’ve shared some information on what the General Data Protection Regulation (GDPR) is, how it affects you and what SafetyCulture is doing.

What is the GDPR?

The GDPR expands the rights of individuals to control how their personal information is collected and processed. GDPR places a range of obligations on organisations to be more accountable for data protection.

Check out the ICO’s GDPR guide, designed to assist organisations to comply with their requirements:

Guide to the GDPR

Does the GDPR impact you?

GDPR applies to companies that process personal data about people located in the EU. 

You control the materials and information that you and your users upload, or provide to us, when using our products and services. We do not control the content that you collect, or whether it is personal in nature. Accordingly, you are responsible as the Data Controller for ensuring the data you collect while doing inspections or reporting incidents is compliant with the GDPR principles.

What is SafetyCulture doing?

We take our responsibilities under GDPR seriously. Here is a quick summary of what we’ve done to date:

  • We have updated our Terms of Use to be GDPR compliant.
  • We have developed a GDPR-compliant data retention policy.
  • We have updated our data breach procedures to bring them in line with GDPR.
  • We have delivered GDPR-focused training across key areas of the business, so that our staff are aware of what GDPR requires and how it impacts their day-to-day roles.
  • We have engaged with our product and security teams to consider and make necessary changes and improvements to our product and practices.
  • We have conducted a comprehensive data-mapping exercise that tracks personal data flows throughout our systems and services.
  • We have reviewed our key third-party vendor arrangements (i.e. Sub-Processors) to make sure we have the appropriate contractual protections in place to satisfy GDPR requirements.
  • We refined our procedures to deal with some key data subject rights, like subject access requests and the right to request deletion.

What’s next?

Some of the key items we are still working on include:

  • Developing and implementing company-wide data protection training.
  • Introducing further privacy safeguards into system and product development, including the creation and implementation of data protection impact assessments.