Updated by Andrew
Right to access their personal data
What you need to do: Clients have the right to get access to the data your organization is collecting and processing. Before providing data, however, clients must verify themselves.
How 3DPrinteros handles it: Clients can see all their data 3DPrinterOS has in in Profiles settings page(public data and general data) and Profile settings page -> Personal Data management block -> Change promotion data button.
Right to be forgotten
What you need to do: Clients have the right to request that organizations forget all their personal data that was collected, unless the company is obliged to keep the information in accordance with the law. For example, telecom companies have the obligation to keep data about SMS messages - who sent it, to what number, and what was the SMS content, for 5 years, as required under the EU Terrorism Prevention Act.
How 3DPrinterOS handles it: 3DPrinterOS users can take out of processing all personal data collected about them in user’s profile settings page by clicking "delete my personal data stored in system" button and select which personal data he/she wants to delete. In order to delete general personal data(email and IP addresses, which are used for security reasons) and account user should write to support.
Right to object to the processing of their personal data
What you need to do: Consent is required to provide services to clients and for any other associated activities. While consent may be revoked for certain activities (such as newsletters) the service provider still has a right to process data if the client resumes use of the service, but only to the extent that is needed to provide the service. If the client requires all data handling to be stopped, they need to be informed that in order to continue providing the service, the processing is needed or no service will be given.
Right to export personal data
What you need to do: You must be able to verify the customer before providing data. When data is exported from your organization to another, it must be encrypted and moved through secure channels.
How 3DPrinterOS handles it: User can request all personal data 3DPrinterOS stores about him/her in Profile settings page->Personal Data management block-> Request my personal data stored in system button and automatic downloading of .csv file will start. (actual)
Protect personal data using appropriate security practices
What you need to do: Protect personal data using appropriate security practices. Make sure that all third-parties you are working with do the same and are compliant with GDPR.
How 3DPrinterOS handles it:
- put together Data Handling Policy
- checked Microsoft Azure GDPR compliance documentation
- mandatory 2FA for all 3DPrinterOS employees when accessing the data
- encryption / hashing - communication between 3DPrinterOS cloud services and the end user is encrypted, passwords that are stored are hashed with SHA256
- RSA 4096 bit keys and SSL certificate based access to the infrastructure
- strong promotion and recommendation for clients to use 2FA (3DPrinterOS logins require an additional verification code, which is generated by Google Authenticator app, to be entered when logging in to the 3DPrinterOS service)
- 3DPrinterOS has rate limiting in place on UI and API calls and dashboard logins to mitigate brute force attacks
- password complexity requirements are enforced on 3DPrinterOS
- we strive to only work with partners that are GDPR compliant and do our best to ensure that they adhere to the set regulations for data protection
Notify authorities within 72 hours of breaches
What you have to do: You must have appropriate monitoring tools in place to understand what is happening with your data and can notify the right people at the organization that a breach may have occurred. Firms have 72 hours between the time a breach occurs and authorities are notified.
How 3DPrinterOS handles it: We have built in detective and protective controls with alerting system, which provided a real time analysis of security alerts generated by applications and network hardware.
Receive consent before processing personal data
What you have to do: Be clear regarding the data collected, how and where it will be used, and the reasons for use while requesting consent. Consent defined under the GDPR must be a freely given, specific, informed and unambiguous indication of the individual’s wishes. There must be some form of clear affirmative action – or in other words, a positive opt-in – consent cannot be inferred from silence, pre-ticked boxes, or inactivity.
Keep records detailing data processing
What you need to do: GDPR does not mandate that it be documented. Keeping records could be done in your head or notes jotted down somewhere. Although if auditors come, you must be able to demonstrate or explain your organizations data processing procedures.
How 3DPrinterOS handles it: 3DPrinterOS has a Data Handling Policy. It clearly states how data is processed and secured by the firm. Also, we have internal register of consents where logged all consents that user gives or revokes.
Provide clear notice of data collection and outline processing purposes and use cases
Define data retention and deletion policies
Train privacy personnel & employees
What you need to do: Train your team on this topic. Elaborate on the current situation and what’s changing in May as well as how to behave in certain situations.
How 3DPrinterOS handles it: Our DPO attended several training on GDPR, consulted with several experts in the subject matter. Then we took one day out of the office with our entire team. We discussed compliance, with the compliance team providing an overview of the laws. The compliance team answered all questions, described the tools we use, impactful changes, and followed up with unanswered questions in the following weeks.
Audit and update data policies
Employ a data protection officer (for larger organizations)
Let’s clarify the DPO: A data protection officer (DPO) is an enterprise security leadership role required by the General Data Protection Regulation (GDPR). Data protection officers are responsible for overseeing data protection strategy and implementation to ensure compliance with GDPR requirements. If you are a small company, then you do not need to hire someone to fill this role. The same job can be done by the CEO or someone with authority.
How 3DPrinterOS handles it: Our CTO, Anton Vedeshin, is also our DPO.
Create & manage vendor contracts
What you need to do: As your firm processes the data from the customers’ perspective, partner compliance is your responsibility. Understand if your partners are GDPR compliant, as it puts your firm at risk if they are not.
How 3DPrinterOS handles it: Our documents and contracts are created, improved on, and managed by our legal team.