What is GDPR?
GDPR is an EU-wide privacy and data protection law that regulates
how companies protect EU residents' data and enhances the control
EU residents have over their personal
The GDPR is relevant to any globally operating company and not
just the EU-based businesses and EU residents. Our customers’
data is important irrespective of where they are located, which
is why we have implemented GDPR controls as our baseline
standard for all our operations worldwide. GDPR took effect
on 25th May 2018.
What is personal data?
Any data that relates to an identifiable or identified
individual. GDPR covers a broad spectrum of information that
could be used on its own, or in combination with other pieces of
information, to identify a person. Personal data extends beyond
a person’s name or email address. Some examples include
financial information, political opinions, genetic data,
biometric data, IP addresses, physical address, sexual
orientation, and ethnicity.
How prepared is Zoho for GDPR?
We have acted on many fronts to adhere to this new regulation.
- We have raised awareness across the
organization through frequent discussions in our internal
channels, and trained employees to handle data
appropriately. They now understand the importance of
information security and the high standards set by GDPR.
- We have assessed all Zoho products,
individually, against the requirements of the GDPR and have
implemented new features that will give you more control
over your data and ease your burden of achieving GDPR
Take a look at what some of our products have done to be
- We have constituted an Information Asset
Register (IAR), which includes information on all the roles
Zoho assumes, such as data controller and data processor. It
details the various categories of personal data processed by
our organization, which department has access to
which data, and for what purpose. It comprehensively
covers all our processes and procedures.
- We have assessed our sub-processors
(third-party service providers and partners) and streamlined
the contract process with them to ensure that they have
addressed the pressing needs of the current security and
- We have appointed internal privacy
champions for all our teams. We have also appointed a Data
Protection Officer (DPO).
- Our application teams have embraced the
concept of privacy by design and have given you more
control over the data you store in our systems. These
provisions may vary based on a product’s characteristics and
domain. We constantly endeavour to provide you with more
enhancements, which shall be rolled out in phases.
- We have amended our Data Processing
Addendum (based on Model Contractual Clauses) to be
compliant with the data processing requirements of GDPR.
If you are the organization administrator and would like
to sign a DPA with us, please drop an email to email@example.com
to request a copy of the Data Processing Addendum,
mentioning which Data Center you signed up for
your Zoho account in.
- We conducted Data Protection Impact
Assessments (DPIAs). Based on the results, we have put in
place appropriate controls on data processing and
- We conducted internal audits of our
products, processes, operations, and management. The
findings were communicated to our teams, who have worked out
the solutions to the identified problems.
- Based on the DPIAs and internal audits,
we have improved our data security methods and processes.
This includes encrypting data at rest, based on the level of
sensitivity and likelihood of risks. We have developed
in-house tools for better governance and discovery of data.
- We have cleaned up our databases to
ensure that we have only the latest and most accurate
information. This cleanup process includes removing
terminated and dormant accounts as per our Terms of Service.
- When needed, breach notifications will
be issued in accordance with our internal Privacy Incident Response
policy. Customers will be notified of a breach within 72
hours after Zoho becomes aware of it. For general incidents,
we will notify users through our blogs, forums, and social
media. For incidents specific to an individual user or an
organization, we will notify the concerned party through
email (using their primary email address).
requirements of the applicable privacy laws based on our
data inventory, data flows, and data handling practices.
1. What is GDPR?
- The EU's General Data Protection Regulation
(GDPR) is a game changer in data protection and
privacy laws. The EU has realized that while
technology has evolved drastically in the last
few decades, privacy laws have not. In 2016, EU
regulatory bodies decided to update the current
Data Protection Directive to suit the changing
times. This law creates a comprehensive list of
regulations that govern the processing of EU
residents' personal data.
2. Who does it apply to?
- GDPR applies to any organization that works with
the personal data of EU residents. This law
introduces new obligations for data processors
while clearly stating the accountability of data
3. Where does the GDPR apply?
- This law doesn't have territorial boundaries. It
doesn't matter where your organization is from —
if you process the personal data of subjects of
the EU, you come under the jurisdiction of the
4. What are the penalties for non-compliance?
- A breach of the GDPR can incur a fine of up to 4%
of annual global turnover or €20 million,
whichever is greater.
5. Who are the key stakeholders?
- Data subject - A natural person
residing in the EU who is the subject of the
- Data controller - Determines the
purpose and means of processing the data
- Data processor - Processes data
on the instructions of the controller
- Supervisory authorities - Public
authorities who monitor the application of the
6. What is personal data or Personally Identifiable
- Any information relating to an identified or
identifiable natural person. The identifiers are
classified into two types: direct (e.g., name,
email, phone number, etc.) and indirect (e.g.,
date of birth, gender, etc.).
7. What are the key changes from the previous
- New & enhanced rights for data
subjects - This law gives an
individual the right to exercise complete
authority over their personal data. Some of the
rights highlighted in the regulation are:
- Explicit consent: Data
subjects must be informed about how their
personal data will be processed. Organizations
must make it as easy for data subjects to
withdraw their consent as it is to grant it.
- Right to access: At any point
in time, the data subject can ask the controller
what personal data is being stored or retained
- Right to be forgotten: The
data subject can request the controller to
remove their personal information from the
- Obligations of the processors - GDPR has
raised the bar for the responsibilities and
liabilities of data processors as well.
Processors must be able to demonstrate
compliance with the GDPR and they must
follow the data controller's instructions.
- Data Protection Officer -
Organizations may need to appoint a staff member
or external service provider who is responsible
for overseeing GDPR, general privacy management
compliance and data protection practices.
- Privacy Impact Assessments (PIA) -
Organizations must conduct privacy
impact assessments of their large-scale data
processing to minimize the risks and identify
measures to mitigate them.
- Breach notification -
Controllers must notify the stakeholders (the
supervisory authority, and where applicable, the
data subjects) within 72 hours of becoming aware
of a breach.
- Data portability: The
controller must be able to provide data subjects
with a copy of their personal data in a
machine-readable format. If possible, they must be able
to transfer the data to another controller.
8. What are the lawful bases the data controller can
use to process customer data?
- The data controller can choose from six data
processing bases. These are:
- Contract - This applies when
you need to process the customer's personal data
to fulfill your contractual obligations, or to
take some action based on the customer's request
(e.g. sending a quote or invoice).
- Legal Obligation - This applies
when you have to comply with an obligation under
any applicable law (e.g. providing information
in response to valid requests, such as an
investigation by an authority).
- Vital Interests - This
applies to urgent matters of life and death,
especially with regards to health data.
- Public Task - This
applies to activities of public
- Legitimate Interests -
Legitimate interests can include commercial
interests, such as direct marketing, individual
interests, or broader societal benefits. The
controller must document and keep a record of
decisions on legitimate interests in the form of
a Legitimate Interests Assessment.
- Consent - Consent is also
a lawful basis to process data. Consent of the
data subject means "any freely given, specific,
informed, and unambiguous indication of the data
subject's wishes by which he or she, by a
statement or by a clear affirmative action,
signifies agreement to the processing of
personal data relating to him or her."
9. What is LIA?
- LIA stands for Legitimate Interests Assessment.
It specifies the reason an organization wants to
process a customer's personal data. The
organization must also conduct an LIA to show
that the processing is necessary.
- The assessment of whether a legitimate interest
- The establishment of the necessity for
- The performance of the balancing test.
10. Does the GDPR require EU personal data to stay
in the EU?
- No, the GDPR does not require EU personal data
to stay in the EU, nor does it place any new
restrictions on transfers of personal data
outside the EU. Our data processing addendum,
which references the European Commission’s model
clauses, will continue to help our customers
facilitate transfers of EU personal data outside
of the EU.
11. Where can I find additional resources on
Disclaimer: The information
presented herein should not be taken as legal advice. We recommend
that you seek legal advice on what you need to do to comply with the
requirements of GDPR.