GDPR Resource Centre

Sustaining SafetyCulture's tradition of data security

Set to take effect on 25 May 2018, the General Data Protection Regulation (GDPR) overhauls and harmonises the approach to data protection and privacy for all individuals within the European Union (EU). SafetyCulture treats the protection of customer data as one of its highest priorities and we have our GDPR compliance program in place.

Below we’ve shared some information on what GDPR is, how it will affect you and how SafetyCulture has prepared.

What is the GDPR?

The GDPR is the result of four years of work by the EU to bring data protection legislation in line with the ways that data is now used. It expands the rights of individuals to control how their personal information is collected and processed. GDPR places a range of new obligations on organisations to be more accountable for data protection.

Check out the ICO’s GDPR guide, designed to help organisations comply with their requirements:

Guide to the GDPR

Does the GDPR impact you?

GDPR applies to every company in the world that processes personal data about people in the EU. As a SafetyCulture customer, the data pertaining to your registered users, as well as any personal data that you collect while conducting inspections or reporting incidents, is likely to be subject to GDPR.

Given that iAuditor's core template building functionality allows you to build your own templates and Spotlight's incident reporting capabilities are determined by your preferences, we have no control over the content that you collect or whether it is personal in nature. Accordingly, you are responsible, as the Data Controller, for ensuring that the data you collect while doing inspections or reporting incidents complies with the GDPR principles.

What is SafetyCulture doing?

We take our responsibilities under GDPR seriously and have embarked on a programme to identify which measures we need to implement to be compliant with GDPR. We will have these implemented prior to 25 May 2018. Here is a quick summary of what we’ve done to date:

  • We have engaged a law firm, RPC, to advise on GDPR implications for SafetyCulture. Following this assessment, we created an internal roadmap to work towards compliance with GDPR by 25 May 2018.
  • We have updated our Terms of Use to be GDPR compliant.
  • We have developed a GDPR-compliant data retention policy.
  • We have updated our data breach procedures to bring them in line with GDPR.
  • We have invested in a new data hosting environment located within the EU (still with Amazon Web Services), so our customers can choose to have their data hosted within the EU, even though this is not strictly a requirement of GDPR.
  • We have started our internal education program to deliver GDPR-focused training across key areas of the business, so that our staff are aware of what GDPR requires and how it impacts their day-to-day roles.
  • We have engaged with our product and security teams to consider and make the necessary changes and improvements to our product and practices.
  • We have conducted a comprehensive data-mapping exercise that tracks personal data flows throughout our systems and services.
  • We are reviewing our key third-party vendor arrangements (i.e. Sub-Processors) to make sure we have the appropriate contractual protections in place to satisfy GDPR requirements.
  • We have refined procedures to deal with some key data subject rights, such as subject access requests and the right to request deletion.

What's next?

Some of the key items we are still working on include:

  • Developing and implementing company-wide data protection training.
  • Finalising our data maps and data-processing records.
  • Introducing further privacy safeguards into system and product development, including the creation and implementation of data protection impact assessments.

FAQs

Who is the Data Processor and who is the Data Controller?

Under GDPR, our customers are considered the Data Controller and SafetyCulture is considered the Data Processor. GDPR specifies requirements for Controllers in relation to the personal data they are responsible for, including the requirement that when they use Data Processors these Processors provide sufficient guarantees that they will abide by GDPR and that the rights of the data subjects are protected.

Where does SafetyCulture store customer data?

We host our customer, audit and incident data with Amazon Web Services (AWS), a top-tier, third-party data hosting provider. We use AWS in different locations around the world, depending on the product.

For more information about AWS’s approach to compliance with the GDPR, see https://aws.amazon.com/compliance/gdpr-center.

iAuditor
We utilise three AWS locations in relation to iAuditor data - the US, the EU (Ireland) and Australia. By default, customers will have their data stored on AWS servers located in the US.

Whilst not required by GDPR, customers on iAuditor Premium Annual or Enterprise Annual subscriptions with more than 20 seats have the option to store their data in Australia or the EU (costs to be quoted separately). Should you wish to speak to us about migrating your data from the US to Australia or the EU, please contact your Account Manager or [email protected].

Spotlight
Currently, all Spotlight data is stored in the US. We may add other data storage locations in the future.

Can customers choose to store their data in the EU?

If you are on an Annual Premium subscription with more than 20 seats, you will have the option to have your data stored within the EU. While not strictly a requirement of GDPR, we have listened to our European customers and understand there is appetite to store data in the EU.

Accordingly, we have invested in a data hosting environment with AWS in Dublin. Should you wish to speak to us about migrating your data from the US to the EU, please contact your Account Manager or [email protected].

How does SafetyCulture comply with EU data export restrictions?

In some instances, SafetyCulture hosts or processes personal data outside of the European Economic Area; this is most likely to involve your user details rather than any audit or incident data. GDPR requires that this data remains protected by appropriate safeguards in line with EU law. SafetyCulture achieves this either by entering into the European Commission’s Standard Contractual Clauses with the entity the data is transferred to, or by ensuring the entity is Privacy Shield certified (for transfers to US-based entities).

Does SafetyCulture provide fair processing notices?

Controllers of data must provide fair processing notices to data subjects, which set out minimum information about how their data is processed. With regards to SafetyCulture processing the details of your end users, SafetyCulture has updated its Privacy Policy to provide such a fair processing notice - see here.

In relation to providing fair processing notices to data subjects whose data you may collect when conducting inspections or reporting incidents, SafetyCulture cannot feasibly provide fair processing notices on your behalf, as we cannot distinguish personal data from any other inspection data. The obligation in this circumstance remains with you as Data Controller.

How does SafetyCulture comply with the Data Minimisation principle?

Under GDPR, any data collected must be relevant and limited to what is necessary for the purpose for which it is being processed. If you plan to collect any personal data when conducting inspections or reporting incidents, then we suggest that you only collect necessary information. To help you identify and minimise the data protection risks, the ICO has provided guidance on Data Protection Impact Assessments (DPIA):
DPIA Guide

How should I handle Subject Access Requests?

Data subjects may lodge requests with you, as Data Controller, to extract all data relating to them. Should you receive such a request and require our assistance in dealing with it, please send a detailed email to [email protected] and we will endeavour to action the request within 30 days.

How does SafetyCulture respond to a data breach?

In the unlikely event of a breach of security leading to the accidental or unlawful destruction, loss, alteration, unauthorised disclosure of, or access to, personal data, SafetyCulture has an established Data Breach Response Plan. To obtain a copy of this policy please contact your Account Manager or [email protected].

Who at SafetyCulture is primarily responsible for personal data matters?

While SafetyCulture is not required to have a Data Protection Officer under GDPR, we have a Chief Privacy Officer (CPO) who can be contacted via [email protected].