Lyyti meets or surpasses all demands set by the General Data Protection Regulation.
This article contains the following sections:
- In brief
- What obligations do I have as a Lyyti customer?
- How can I get started?
- How has Lyyti prepared for the GDPR?
- Reliability, expertise, and resources
- Data processing agreements
- Data processing and subcontractors
- Readiness for data protection requirements
- Retrieving and removing data
- Our support to you
- Data transmission internationally
Taking effect on 25 May 2018, the European Union's General Data Protection Regulation (GDPR) is one of the most important international legislative changes in data protection in decades. The purpose of the regulation is to increase the individual's rights to manage and process their personal data and to harmonise legislation within the European Union.
Lyyti is firmly committed to the new Data Protection Regulation and we have been studying it's content and impact for a while already. In addition to complying with the regulation ourselves, it is important for us to help our customers with their compliance efforts. This goal will be achieved through training, instruction, and technical development of our software.
What obligations do I have as a Lyyti customer?
Lyyti's clients generally act as controllers for the registers and data they are processing in Lyyti. The aim of the controller (client) is to define the purpose of the register, and the processor (Lyyti) is responsible for helping the client in the processing of information in intended manner. Simply put, this means that the customer uses Lyyti for their intended purpose and Lyyti assists the customer in implementing this purpose.
The controller (customer) is responsible for ensuring that data is processed technically and administratively in accordance with the requirements of the regulation. The regulation includes significant changes to how and when registers can be maintained. In addition, the controller must ensure that their own activities are transparent towards the data subject, the data is valid, and correct restrictions are applied to the use of personal data. It is particularly important to remove unnecessary information and to safeguard the data subject’s legislative rights. According to the regulation, the data subject has the right to ask for their registered data, to update it and, in certain circumstances, to demand it's deleted.
If you are a controller, we encourage you to review the content of the regulation. The European Data Protection Supervisor provides vast resources and up-to-date information on their website.
We also encourage you to analyse your situation with the assistance of a lawyer, as the services or training they provide may give you instructions directed specifically at your organisation.
How can I get started?
2) Check what registers you maintain, and ensure that they are consistent with the requirements of the regulation.
4) Explore how your current software, services, policies, and processes are compatible with the regulation. Make the data processing agreements (DPA) with all the processors of your registry. Click here to view/download a DPA example that you can use as a template for yours.
How has Lyyti prepared for the GDPR?
Reliability, expertise, and resources
We have been working for more than a year to understand the requirements of the regulation and how to apply them to the service we provide. As part of this work, we have trained our staff as data protection experts and specialists. Lyyti's data protection mechanisms have been entrusted to the management of the entire company, as well as to a DPO who is responsible for operations as part of the management team.
A data protection team has been set up to implement the changes required by the regulation. Their task is to implement the data protection processes and changes and make them part of the company's overall functions and services.
Data processing agreements
We fully understand our important role as a processor of valuable and confidential personal data and are serious about the responsibility that our customers give us. Over past months, we have built a processing agreement with our customers in accordance with the Data Protection Regulation, which identifies the customer's processing instructions for the registry. These guidelines are the foundation for all our processing operations.
The processing contract is accessible here. We require all our customers to sign this agreement so that we can ensure safe and lawful processing of personal data even after 25 May. We will process personal information you provide to Lyyti only and solely in accordance with the regulation.
The Lyyti employees undertake to participate in annual data protection and processing training to ensure that your data is reliably managed. All our employees are also subject to duty of confidentiality with respect to our customers' data.
Data processing and subcontractors
Lyyti's objective is to provide the safest and highest quality service to our customers. Like many other SaaS services, we also use subcontractors and partners to provide our service. This means that our subcontractors also take part in the processing of personal data on a case-by-case basis. All our subcontractors go through a strict audit process, which ensures that they share our own tight security and privacy requirements.
As part of a data processing agreement, our customers must accept our subcontractors' use of personal data. We maintain an up-to-date list of subcontractors at this address.
A key part of the new data security regulation is the security and confidentiality of personal information. We ensure the security of our customers' data by adhering to the best practices and standards in the industry, and by constantly developing our readiness to bring new practices to life. Our service has been created on a solid virtual platform physically located in Helsinki, Finland. Our server architecture is KATAKRI and VAHTI audited, which means that they are also compatible with the security of the state administration and the defence forces. In our own activities, we have also adopted KATAKRI auditing criteria as a basis for our own security model. These models have been considered in Lyyti’s overall security policy, as well as in a security programme that defines practical measures for matters related to technology, physical space, and personnel.
The server architecture is built on a fault-tolerant N + 1 principle, meaning that we can offer the service even if individual devices or services fail. We maintain a variety of backups for specified services, so that we can ensure data recovery and integrity, should a situation arise.
The security of our services is assured by periodic technical and organisational audits carried out by Lyyti. We also have annual audits undertaken by third parties.
Readiness for data protection requirements
Our entire R&D team has been working hard this year to bring the best possible tools to our customers. These tools help, above all, to facilitate the transparency of the registry and to meet the other obligations of the regulation. These new features include:
1) Automatically adding the registration information to all enrolment pages and emails
2) Giving consent according to the data subject's rights and the intended purpose during enrolment
3) Monitoring and supervision of the consents given by the data subject
4) Searching, editing and deleting a data subject's items, based on an information request
Retrieving and removing data
Lyyti provides excellent tools for retrieving and removing individual data subject's items. However, if your customer relationship with us will nevertheless end, or if you want to retrieve or remove any personal information, we will provide you with the right tools for this.
Retrieving event, data subject, and other personal information is easy through our REST interface. You can find it conveniently at https://lyyti.readme.io. In addition, on request, we can ensure that your personal data is removed on our own and on our subcontractors' data bases upon termination of your customer relationship. We will permanently remove your information within the stated deadline unless we have a legitimate reason in public interest to maintain the data.
Our support to you
Lyyti's data protection team provides assistance in questions to do with the data protection regulation. In addition, our customer relations manager and customer service personnel provide user support and help with Lyyti's data protection features.
Data transmission internationally
Lyyti will never transfer personal information covered by our processing agreements and keyed in by our customers to the service outside the European Union or the European Economic Area. We also ensure that our subcontractors are committed to complying with this practice.
Lyyti reserves the right to process information covered by its own registers in countries outside the European Union or the European Economic Area, provided that adequate security and data protection of these services is appropriately undertaken. We also try to minimise the amount of data that is being processed outside the EU, but because of the open nature of the Internet, we cannot completely restrict the processing.