What is GDPR?

Simply put, GDPR ensures that EU residents have a greater say over what, how, why, where, and when their personal information is used, processed, or disposed. This rule, effective from the 25th of May, 2018, clarifies how EU personal information laws apply even beyond the borders of the EU.

Why should you be GDPR compliant?

According to GDPR, any organization that works with EU residents' personal information in any manner has obligations to protect the data. This includes basic customer information that your business needs such as name, email, and phone number.

Why is it crucial that you have a GDPR compliant help desk?

Customer service requires that your customers submit personal information. This information is persisted and used in a number of ways to process various functions on Zoho Desk. For example, Desk maintains a customer's email address, phone number, and Twitter handle in order to list all the tickets they have submitted. GDPR mandates that companies maintain a log of all of this customer information and all the ways in which it is being used.

How has Zoho Desk upped its game to support you?

To start with, Zoho has always respected user privacy—we have never used your data to serve ads, and never will. So you've been covered since before the advent of GDPR. That said, we've introduced a number of new checkpoints, so your customers have more control over how their data gets used.

Security Certification

Zoho Desk has among the highest levels of security, meeting industry standards of ISO 27001 and SOC 2 Type II. We believe that GDPR will further elevate our standards of protecting user data.

Data Hosting and Migration

Our secure data centers are located in the EU, US and China. Regardless of where your account was created, your data can be migrated to data centers in the EU upon request. To minimize the impact on your business, this process will be carried out with no anticipated downtime.

Data Encryption

Once inside Zoho Desk, sensitive data is protected from unauthorized access, disclosure or modification. We employ a number of encryption protocols and security methods to ensure this. As an administrator, you can also choose to encrypt custom fields where relevant.

Disclosure of Data

Roles and profiles on Zoho Desk let you define permissions, so you can tightly control who in your organization has access to what information. Data-sharing rules and field-level permissions help you take this a step further.

Access to Data

Your agents and customers each have their own levels of access to personal customer information (such as name, email address, and tickets) and can perform a number of actions on the data.

  1. Rectification: Your customers can edit all of their personal information except their email address, since that is the unique identifier for every contact.
  2. Portability: Administrators can export service data for every module of Zoho Desk.
  3. Deletion: Your customers have the right to request that their personal information be deleted. However, your agents and administrators can also delete service data from within the interface in cases where they deem it appropriate.

Retention Policy


We retain the data in your account for as long as you choose to use Zoho Desk. Once you terminate your Zoho desk account, your data will eventually get deleted from active database during the next clean-up that occurs once in 6 months. The data deleted from active database will be deleted from backups after 3 months.
 

Data Audits

Audit logs—that is, information about every addition, update and deletion made to your database records—are maintained in the backend. Upon request, the data will be shared with the user.

We're constantly upgrading our security measures to help you on your compliance journey. Organizations that are found to be non-compliant, or have breached the regulation, may face a fine of up to €20 million or 4% of the organization's annual turnover, whichever is higher.

For more on Zoho's GDPR readiness, click here.

Disclaimer: The information presented herein should not be taken as legal advice. We recommend that you seek legal advise on what you need to do to comply with the requirements of GDPR.