The GDPR (General Data Protection Regulation; in Dutch AVG, Algemene Verordening Gegevensbescherming) has applied since 25 May 2018. A lot has been said and written about this, by us as well, but for the sake of completeness we have summarized how we deal with the GDPR and what it means for Plek customers and users.
Plek meets the requirements of the GDPR. We only collect users' personal data when it is necessary; this principle is called data minimization. An example is our Office 365 integration: the information displayed on Plek is stored in Office 365. Plek requests the required information behind the scenes and displays it, but does not store a copy of the data itself.
We collect and process data so that Plek users can use their communication platform. This includes analyzing anonymized usage data to improve Plek. We do not use the information we collect for any other purpose.
Our hosting partner holds ISO 27001 and NEN 7510 certifications and an ISAE 3402 assurance report, and Plek itself complies with the requirements of ISO 27001 and NEN 7510. This shows that our internal processes are in order and that we handle personal data securely.
The GDPR guarantees individuals a number of rights, among them the right to data portability, the right to erasure (the right to be forgotten) and the right of access. Below we outline how these rights apply to Plek users.
This is the right to receive your personal data and to transmit it to another party. Plek users can see the data Plek processes about them by navigating to their profile page. You can download this information by printing it (to PDF, if desired) or by copy-pasting it. Note that Article 20 GDPR entitles you to receive the data in a structured, commonly used and machine-readable format, so a printout or PDF may not be sufficient in every case; your organization can request a structured export from Plek on your behalf.
This is the right to be 'forgotten'. It means that, in certain cases, we have to erase personal data when the data subject asks for this. Because we have a processor agreement with our customers, such a request has to be submitted to Plek by the organization concerned (and not by the data subject directly).
Plek users can edit the information on their profile page themselves. Some organizations require certain profile fields to be filled out; this information can be removed from Plek by deactivating your account. If the admin of your Plek deactivates your account, your profile will no longer be visible and can no longer be found through the search engine. You will also no longer receive chat messages or @mentions. You will not be able to log in to Plek anymore, and your profile picture will no longer be displayed with posts and other content you have posted on Plek.
After 6 months we erase all data from deactivated accounts, except for names and email addresses. If you wish, the admin of your Plek can change your name into your initials and change the email address Plek used to identify you as a unique user (if desired, this can be a fictional email address), so that the remaining records can no longer be traced back to you. Bear in mind that such pseudonymized data still counts as personal data under the GDPR as long as it can be re-identified, so organizations should treat the initials and replacement address accordingly.
On Plek, the right to erasure applies in the following situations:
This is the right to view your personal data. As we wrote with regard to the right to data portability, every Plek user can see which personal information we store about them. We have a processor agreement with your employer (or any other organization whose Plek you can access). This agreement lists:
We collect and use your personal data because colleagues and others you communicate with on Plek need it to be able to work with you. We collect and use personal data for the purpose of internal communication, not for any other (marketing-related) purpose.
We do not transfer personal data to other organizations. We do host the data with an extensively certified and secure hosting partner, True, which acts as our sub-processor.
We keep your personal data for as long as it is required for you to access your Plek environment. If your profile is deactivated, we retain your data for another 6 months. Messages and other content you posted on Plek remain available to other Plek users; the profile picture displayed with this content is replaced by your initials.
These are the rights we describe in this blog.
Please refer to the Autoriteit Persoonsgegevens' website for more information.
The organization that provides your Plek environment (our customer) is usually your employer or another organization you are involved in and whose Plek you can access.
Many people are writing about how to deal with customers in a GDPR-compliant way, but little is published about the GDPR's impact on internal communication. So here are some tips you can use to become GDPR-proof.
Draw up a policy that, among other things, describes in which cases the business interest outweighs an employee's right to privacy.
Teach employees about device and data security, regardless of whether they use work or private devices. Organization-wide awareness of the risks is a good first step in preventing incidents.
Know which authorized and unauthorized devices have access to personal data. If you don't know who has access, you cannot prevent incidents, and you cannot take appropriate measures once one occurs.
Provide computers and phones owned by your organization with an up-to-date operating system, malware protection, a firewall, and a mandatory VPN connection for access to the corporate network. Require strong, unique passwords protected by multi-factor authentication; note that current guidance (NIST SP 800-63B and the UK NCSC, for example) advises against forcing employees to change passwords on a fixed schedule, and recommends a forced change only when a password is known or suspected to be compromised. If employees use private devices, you can impose these types of requirements as long as they are reasonable.
Make sure the contents of business devices can be erased in case of loss or theft. But beware: on BYOD devices a full remote wipe also erases private data. Remote erasure should only take place with the employee's permission, and where your mobile device management supports it, prefer a selective wipe that removes only the corporate work profile or managed apps. Make solid agreements in advance so that you don't have to start the discussion after the incident has happened: you have to be ready for remote erasure at any time.
P.S. GDPR and product tours? Have a look at our free tours!