AUTOTASK PRIVACY AND SECURITY UPDATE

Autotask Privacy and Security Update (October 2017)
Collection and Processing of Personal Information under the European GDPR

Since our July 2017 update on compliance with the European General Data Protection Regulation (GDPR), many customers have contacted us for more information on how the GDPR may affect their continuing use of Autotask products. While we will continue to respond to these inquiries as they are received, we are providing this general update to assist all our customers as they move toward compliance.

Worldwide Product Compliance

Many of our customers operate in multiple jurisdictions around the world. To ensure a consistent user experience, Autotask intends to apply GDPR requirements to our products worldwide. We believe that use of uniform rules and program logic will greatly enhance our customers’ ability to comply with the GDPR’s requirements.

Cross-Border Data Transfers and Data Storage

The GDPR imposes specific requirements and limitations on data transfers from the EU to countries outside the EU. Autotask currently offers a Data Processing Addendum containing standard contractual clauses allowing such transfers. We anticipate continuing to facilitate data transfers via standard contractual clauses after the implementation of the GDPR and are evaluating other legal bases for data transfer to ensure that our business partners and customers can continue to seamlessly use Autotask products after May 2018.

Autotask also understands its EU-based customers are concerned regarding the potential impact of Brexit on data stored in our UK data center. We have no reason to believe that we will not be able to continue to process data for our EU-based customers in the UK post-Brexit. We are, however, preparing contingency plans to ensure that we can continue to provide uninterrupted service should Brexit have unexpected impacts on EU-UK data transfers.

PII Collected Regarding Users of Autotask Products

By design and default, Autotask’s products collect only limited amounts of personally identifiable information (PII). The types of PII collected are those that Autotask has determined are necessary for our products to function and to provide the services our customers have requested. Examples of the types of PII collected by our products include user name, email address, and log data (such as log-on times, IP address, and files accessed). Autotask is reviewing its data collection practices to determine whether any changes are necessary or appropriate prior to the GDPR’s effective date.

PII Collected by Autotask Business Partners and Customers

Many of our customers use Autotask products to collect, process, and store PII. In these situations, Autotask functions as the data "processor." Decisions on what data to collect, how long it is stored and how it is used reside with customers who act as the data "controller."

As the GDPR implementation date approaches, we are reviewing our systems and processes to ensure that we will be able to fully comply with our obligations as a processor, including providing required assistance to our customers in fulfilling their obligations as controllers.

We are actively working to develop enhanced product features that we expect will help streamline our customers’ compliance efforts. We expect to implement those features well before the GDPR goes into effect next year. In particular, to the extent not already incorporated into our products, we plan to deliver product enhancements to address specific heightened GDPR requirements relating to notice, consent, access, correction, erasure (the "right to be forgotten"), and portability.

Because the specific product features used by our customers and the data they collect vary greatly (including use of custom data fields and unique application integrations), we encourage customers who have specific questions or requests relating to GDPR compliance to contact us at privacy@autotask.com.

Autotask Privacy and Security Update (July 2017)

Autotask works hard to protect the privacy and security of its customers’ data. In addition to the many steps we take to protect customer data described in Autotask’s general corporate Privacy Policy (www.autotask.com/privacy-policy), Autotask proactively monitors legal and other developments that may be of importance to Autotask customers.

In May 2018, a new European privacy law, the General Data Protection Regulation (“GDPR”), goes into effect. The GDPR fundamentally changes European privacy law and requires all companies that handle “personal data” of individuals in the EU to adopt more stringent privacy and security practices. (For our customers in the UK, to date, all indications are that the UK will adopt national laws that substantially mirror the GDPR even after Brexit.)

Consistent with our corporate focus on customer privacy and security, Autotask is making a substantial investment of time and resources to ensure its products and services are fully GDPR compliant by May 2018. These investments include a comprehensive company-wide review of all Autotask business relationships, products, services and data handling practices. Autotask’s compliance effort is being led by its global Privacy Team, whose members include senior executives and product specialists from key functional areas and geographic regions and who have deep knowledge of and experience with Autotask’s products and data handling practices. Key tasks being managed by the Privacy Team include but are not limited to:

  • Creation of data inventories and data flow maps for Autotask products;
  • Review and update of Autotask contracts and licenses;
  • Review and update of Autotask’s corporate and product-level privacy policies;
  • Review and update of Autotask products and services (particularly to accommodate updated data subject rights, including notice, consent, transparency, portability, correction and erasure); and
  • Review and update of Autotask’s data processing addendum for data transfers outside the EU.

Over the next several months, we will be reaching out to our resellers and customers with updates on our GDPR compliance efforts and with important information on any changes to Autotask contracts, licenses, products, services and business practices that may affect sale and use of our products and services.

In the meantime, Autotask’s GDPR compliance efforts are only one piece of a much larger effort. The GDPR imposes significant obligations on all entities that process personal data, including Autotask resellers and customers who have their own privacy, security and data processing obligations.

Autotask recommends that all resellers and customers who use Autotask products and services to process “personal data” begin working with their legal and technical advisers to ensure that their data handling practices comply with the complicated requirements of the GDPR. Key issues that should be addressed include:

  • Does the GDPR apply to my organization? The GDPR applies to organizations that process personal data in the EU, as well as to organizations outside the EU that process personal data of natural persons located in the EU in certain specific situations.
  • Do my data handling practices respect the rights of data subjects? The GDPR places a high value on data subject rights, including but not limited to the rights to notice, consent, transparency, portability, and erasure.
  • Does my organization have data breach notification processes and procedures? Article 33 of the GDPR introduces new data breach notification requirements: a controller must notify the competent supervisory authority of a personal data breach “without undue delay and, where feasible, not later than 72 hours after having become aware of it,” and a processor must notify the controller without undue delay after becoming aware of a breach. Direct notification of data subjects also is required in some circumstances, as set forth in Article 34.
  • Does my organization need a data protection officer (“DPO”)? The GDPR requires organizations to appoint a DPO in certain circumstances set forth in GDPR Article 37.
  • Does my organization transfer data outside the EU? As in the case of the original 1995 Data Protection Directive, transfers of data outside the EU are governed by special rules restricting transfers to countries that lack adequate data protections unless certain requirements are met.
  • Does my organization maintain records of its compliance activities? Accountability is a critical element of the GDPR. Thus, maintaining clear and accurate records of your compliance activities is important to demonstrate compliance.

Answering these questions and the many others raised by the GDPR is critical to ensuring that your organization is GDPR-ready by May 2018.

Autotask cannot provide you with advice on how the GDPR affects your organization generally (those are issues you must raise with your legal and other advisers), but we are here to help with any questions on how the GDPR affects your use of Autotask products. If you have specific questions about Autotask’s GDPR compliance efforts and how those efforts may impact your use of Autotask’s products and services, please contact us at privacy@autotask.com.