Zoho has always honored its users’ rights to data privacy and protection. Over the years, we’ve demonstrated our commitment to this by consistently exceeding industry standards. We have no need to collect and process users’ personal information beyond what is required for the functioning of our products, and this will never change. We have a privacy-conscious culture here and GDPR is an opportunity for us to strengthen this even further. GDPR compliance has been our absolute priority for the past year. Our various product teams are currently working overtime to get Zoho GDPR-ready.
What is GDPR?
GDPR is an EU-wide privacy and data protection law that gives individuals more control over their personal data. It applies when anyone processes the personal data of EU residents, regardless of the location of the person/entity performing the processing.
The GDPR is relevant to any globally operating company and not just EU-based businesses and EU residents. Our customers’ data is equally important no matter where they are located, so we plan to implement GDPR controls as our baseline standard for all our operations, worldwide.
GDPR will become enforceable on 25th May 2018.
What is personal data?
Anything that can help identify an individual is personal data.
GDPR includes a broad spectrum of information that could be used on its own, or in combination with other pieces of information, to identify a person. Personal data extends beyond a person’s name or email address. Some examples include financial information, political opinions, genetic data, biometric data, IP addresses, physical address, sexual orientation, and ethnicity.
We have a dedicated web page on GDPR. Please visit https://www.zoho.com/gdpr.html to learn more.
How is Zoho preparing for GDPR?
In preparation for GDPR, Zoho has done a number of things to adhere to the new regulation.
- We have raised awareness across the organization through frequent discussions in our internal channels and trained employees to handle data appropriately. They now understand the importance of information security and the high standards set by GDPR.
- We have put together a personal data inventory that includes all the roles Zoho assumes, such as a data controller and processor. This includes various categories of personal data processed by our organization and helped us to determine which department is getting access to which data and for what purpose.
- We are assessing our sub-processors (third party service providers, partners) and streamlining the contract process with them to ensure they address the pressing needs of the current security and privacy world.
- We have appointed internal privacy champions for all our teams. We are in the process of appointing a Data Protection Officer (DPO). This is expected to be finalized very soon.
- We are constantly in the process of earning additional security certifications and data privacy seals. We are also documenting our processes and procedures, down to the tiniest details of what we do. And yes, we’re now buried under a mountain of paper.
- We have assessed all Zoho products, individually, against the requirements of the GDPR and are implementing features that will ease your burden of achieving GDPR compliance.
- Our application teams have embraced the concept of privacy by design and are working to provide you more control over the data you store in our systems. These provisions may vary based on the product’s characteristics and domain. Our teams are working on these features and enhancements, which will be rolled out in phases.
- We have amended our Data Processing Addendum (based on Model Contractual Clauses) to be compliant with the data processing requirements of GDPR. Upon request, we will share the revised Data Processing Addendum to enable you to be compliant with your GDPR obligations. Please send an email to email@example.com to request a copy of the Data Processing Addendum.
- We conducted Data Protection Impact Assessments (DPIA). Based on the results, we are putting in place appropriate controls on data processing and management.
- We conducted internal audits of our products, processes, operations, and management. The findings were communicated to our teams, who are working to solve any remaining problems.
- Based on the DPIAs and internal audits, we have improved our data security methods and processes. This includes encrypting data at rest, based on the level of sensitivity and likelihood of risks. We are also developing our own tools for better data governance and data discovery.
- We are cleaning up our databases to ensure that we have only the latest and most accurate information. This cleanup process includes removing terminated and dormant accounts as per our Terms of Service.
- When needed, breach notifications will be done in accordance with our internal Privacy Incident Response policy. Customers will be notified of a breach within 72 hours after Zoho becomes aware of it. For general incidents, we will notify users through our blogs, forums, and social media. For incidents specific to an individual user or an organization, we will notify the concerned party through email (using their primary email address).
- We are revising our privacy notice to incorporate the requirements of the applicable privacy laws based on our data inventory, data flows, and data handling practices.
All this is just the first wave of our GDPR-related changes. We have a whole series of blogs planned, with more updates and information to come. Please feel free to ask questions and share concerns with us at firstname.lastname@example.org.
Choose Privacy. Choose Zoho.
The information discussed in this blog should not be construed as legal advice or be a replacement for legal advice. Zoho Corporation does not take responsibility for misinterpretation or misunderstanding of content by the reader. Zoho Corporation makes no guarantees, express, implied, or statutory, as to the information in this blog. Please seek the guidance of a legal consultant/advisor to ensure your compliance with this project.