General Data Protection Regulation (GDPR)

WHAT IS IT?

The GDPR is an EU Regulation to improve the protection of the personal data of EU citizens and increase the obligations of organisations that collect or process personal data. These new regulations take effect on the 25th of May 2018. The regulations greatly enhance the data privacy and security of our customers and extend to them exercisable rights enabling greater control over their personally identifiable information.

The full specification of the GDPR rights and regulations can be found (here)

HOW DOES IT IMPACT TECH.LONDON?

Tech.London functions as both a controller and processor of our customers' personally identifiable information (PII). Additionally, we employ a number of sub-processors to which we transmit data for storage or processing beyond feature sets under our immediate control.

As a controller of data, we store PII such as customer names, email addresses, physical addresses, IP addresses, phone numbers and avatars. We use a number of databases through GDPR-compliant service providers (AWS, Heroku, mLab) to store sensitive customer data.

Tech.London is also a processor of customer data. We use customer data to compile legal documents, surface content, and facilitate investment-related matchmaking services. A number of sub-processors are leveraged by Tech.London systems for purposes of financial transaction execution, internal analytics, and system monitoring.

Tech.London is owned and operated by Gust, Inc. We have a system-wide GDPR compliance effort underway which will manifest itself on the core Gust platform as well as any of our hubs (including Tech.London), satellite applications, or other owned properties.

OUR GDPR COMPLIANCE

Since we are both a data controller and data processor, we have several categories of measures to take in order to comply. The general categories are:

  • Auditing data collection and processing processes and protocols
  • Communicating our GDPR responsibility and accountability
  • Collecting explicit affirmative consent to control and process data from our customers
  • Implementing and communicating steps to exercise customer data access rights

The rest of this document outlines how we are and will remain compliant with GDPR in each category:

Auditing data collection and processing processes and protocols

  • We've already compiled the internal PII data collection, data flow, data maps, and retention requirements. These will be updated as we grow any of our platforms or introduce new data collection methods.
  • Our privacy policy already includes how and why we handle personal data, and we've added a section (this page) to detail how that relates to GDPR and how we support the additional customer rights under GDPR.

Communicating our GDPR responsibility and accountability

  • Our internal management structure is already GDPR aware.
  • We have appointed a Data Protection Officer who is leading our GDPR compliance, security, and infrastructure initiatives.
  • We've always had a technical security and infrastructure team, but they are now specifically trained on data privacy as it relates to GDPR.
  • We have a detailed map of all our data collection and sub-processors; those lists and maps are available on request from our editorial team, as detailed at the end of this document.
  • We have a list of all contracts with data processors we share data with.
  • We have policies, internal talks, and training set up for GDPR and general data security awareness as well as procedures for handling any breach incidents.

Collecting explicit affirmative consent to control and process customer data

  • We have explicit opt-in consent for both the newsletter and content submissions.
  • Customers can easily revoke consent from the newsletter in any email sent to them; they can also contact Tech.London's editorial team to change their email preferences at any time ([email protected]).
  • Any user submitted content (events, workspaces, etc.) can be accessed, updated, or deleted by contacting the editorial team.
  • We will inform all customers of any future Privacy Policy updates.

Implementing and communicating steps to exercise customer data access rights

The GDPR guidelines require processors and controllers to give easily executable rights to customers for access, updating, removal, cessation of processing, and delivery of their data.

Tech.London's editorial and engineering teams will coordinate and execute customer data access right requests using the following protocol:

Engagement

As Tech.London only stores names and email addresses in one location, executing our customers' rights on their data is fairly straightforward. For any given GDPR right:

  • A customer finds contact instructions in our privacy policy and on tech.london
  • A customer contacts the editorial team at [email protected] requesting to exercise one or more of their GDPR rights
  • The editorial team authenticates the user's identity and acknowledges the request within 48 hours
  • The editorial team notifies the engineering team and the Data Protection Officer

Escalation

  • The Data Protection Officer coordinates, defines, and prioritizes steps to resolve the data access request
  • The Data Protection Officer tracks resolution lifecycle

Resolution

  • Tech.London's editorial team contacts the requesting customer delivering applicable data packages, captures any further issues, and closes the support ticket

We're happy to see personal data privacy, ownership, and control come to the internet at large. As a company, we are in full support of the regulation; these are very positive changes for the internet and the communities we want to serve.

Effective date: May 20th 2018