Benivo and GDPR
Disclaimer:
This page is intended to provide updates about Benivo’s compliance to EU data privacy laws such as the GDPR, you should not treat this as legal advice for your company. The page contains background information to GDPR to illustrate how Benivo is addressing some key legal points, however, it is not the same as legal advice nor should it be treated as such. Please consult a lawyer or a legal professional if you’d like advice on compliance to GDPR.
Introduction
One of the hottest topics amongst all businesses, big or small, has been the European Union’s (EU) new regulation, the General Data Protection Regulation (GDPR). It is a new set of laws aiming to enhance the protection of personal data of EU citizens and increase the organisations’ obligations to manage those data responsibly and transparently.
At Benivo, we respect the privacy of our clients as well as our customers, and we treat any personal data submitted to us seriously, therefore, we have been spending a lot of effort to make sure that our practices are GDPR-compliant.
Some of our organisational and technical measures are already compliant to GDPR, while others have been put in motions to ensure full compliance by 25 May 2018 when the laws come into effect.
What does GDPR mean to Benivo?
To provide a welcome experience to our clients, Benivo, collects, processes, manages, and stores personal information of a client’s employees in order to provide a customised experience for everyone: this may include their names, contact details, address etc.
GDPR sets out a list of responsibilities for companies such as Benivo to comply with, it requires all the personal data associated with Benivo to be:
- Processed lawfully, fairly, and transparently;
- Collected for a specific, explicit, and legitimate purpose;
- Adequate, relevant and limited to what is needed;
- Accurate and up-to-date;
Stored for an appropriate amount of time and; - Managed responsibly against unauthorised or unlawful activities.
To put this into context, let’s say Irene is a Benivo-Client employee and a EU citizen using Benivo to relocate, she’s called the “data subject” and Benivo is the “controller” of any data we have about Irene. GDPR grants Irene an enhanced set of rights while giving Benivo an enhanced set of regulations.
| What it means | What Benivo is adding | |
| Lawful processing | Benivo needs to have a legal reason to use Irene’s personal information. The reason here will be by consent (Irene opts in for the Benivo service) with notice (she explicitly agrees to how Benivo processes her data) |
We have tailored our Benivo user Privacy Policy to the GDPR framework and it is displayed to our users when they register. As a signal of consent, Irene needs to check the relevant box to create a Benivo account. Benivo will timestamp the registration to maintain a date record of each user’s consent. Implementation Status - Completed |
| Withdrawal of consent |
Irene needs to be able to see what she signed up for, and withdraw her consent (or object to how Benivo processes her data) any time. |
To withdraw their consent to Benivo, users such as Irene can easily do so by contacting our Benivo Customer Service Team. Completed |
| Deletion |
Irene has the right to request us to erase all personal data Benivo has collected about her, including her behaviour on the website, call records, survey answers etc. Benivo will need to respond within 30 days in most cases. The right for erasure isn’t absolute, and can depend on the context. |
Benivo can delete and/or anonymise customer data on its systems and all third party service platforms that assist in the processing of Irene’s personal data. We are also able to permanently delete a user’s personal data from Benivo’s SQL database upon request. Completed |
| Access/Portability |
Like her rights to withdraw consent and request to delete, Irene also can request to access the personal data Benivo has about her. If she requests access, Benivo needs to provide a copy of the data in a readable format (CSV or PDF). |
Benivo database has the capability to easily export a user’s profile in CSV format. Benivo’s third party service platforms also have the ability to export a user’s profile in a machine-readable format. Completed |
| Modification |
Just like her rights listed above, Irene can request Benivo to modify the data we have about her if it is inaccurate or incomplete. Benivo needs to be able to comply with the user if/when such request arises |
All Irene needs to do is get in touch with her point of contact at Benivo and we can amend her information on our admin web portal. Completed |
| Security Measures | GDPR requires data controllers to implement a range of data protection safeguard, from encryption during transit and at rest, to access controls. |
Benivo is implementing safety measures from both administrative and technological fronts: Benivo’s technology leadership has been reviewing and configuring the database setup to improve the IT infrastructure security; we also employed an independent firm to conduct a comprehensive security audit and risk assessment in Q1 2018 to ensure it is up to industry standard. In addition, we have reviewed internal account access privilege to make sure that Benivo employees can only access user data relevant to their position. We also regularly conduct company-wide Information Security training so everyone at Benivo maintain a best practice approach to data security. Completed |
What does Benivo think of GDPR?
Benivo’s mission statement is to make every employee welcome, to accomplish this, we first need to make all our stakeholders feel safe- we certainly don’t take your trust for granted when you submit personal data to help us do our job better and we must demonstrate that Benivo is committed to the responsibility of safeguarding any data collected.
While some might think the GDPR adds to the regulatory burdens for companies, Benivo considers this a great opportunity to show that every enterprise, regardless of size, origin, or past experience, can achieve just as much as bigger corporations by devoting the time to understand the details and investing in the right place. This is aligned to our company mission - to make every employee welcome regardless of their role, experience, or financial background. We dedicated a lot of time and resources in engaging with industry experts, partners, and consultants to put in place a sustainable best-in-class data protection framework that not only will comply with GDPR, but any future challenge to come.
As a growing company, Benivo invested in both manpower and infrastructure over the past 18 months to put in place a sustainable information security policy approach that empower our users.
We designated our Data Protection Officer to establish a set of internal policies for our employees to follow; we’ve had multiple company-wide training sessions to iterate Benivo’s obligations as a data controller and how to manage our client’s data responsibly. In addition, we updated our Terms & Conditions and Privacy Policy which list out what we collect and why, as well as the rights of our users in relation to data protection and privacy.
Benivo also employed a CREST-certified security firm to perform vulnerability test and penetration tests on our IT system, and are on track to implement recommendations from the assessment by May 2018. Furthermore, we reviewed the security measures of our third party service providers that process data on our behalf, ensuring that they are GDPR compliant.
The whole process has been demanding- and this is only the beginning- but it is a challenge that we relish. Benivo strives to provide a better, more secure experience for our customers and it has remained our focus as well as our motivation throughout our journey thus far, we are continuing our efforts to GDPR readiness by May 2018.regulations.
FAQ's
-
What kind of personal data does Benivo collect?
Depending on the client requirement, Benivo collect various data from our users. They may include names, address, and contact details (email and phone number). On some occasions, users may need to submit card details and bank account information, but Benivo uses a FCA-regulated payment service provider to collect and process this information, of which Benivo has no access to them. The users will be informed ahead of their registration with Benivo.
-
What does Benivo do with the data?
We use the data provided by our users to offer a customised relocation service, we also use this to improve our service, provide customer support and on occasion, for testimonial purposes. We do not sell or provide any of the data collected to marketing agencies, or to other parties for unconnected usage. Our user Privacy Policy list out what information we collect and how we use it.
-
Does the GDPR require personal data stored in the EU?
No. There’s no obligation under the GDPR for the data to be stored in the EU. However, Benivo uses a data centre located in Ireland for its database and the process does not involve transmitting data outside of Europe.
-
What if my employees are not a EU data subject?
As long as your employees reside in the European Union, they are considered a EU data subject and are under the protection of GDPR. Benivo applies the same level of security standard to all the users on our platform so even if they are neither a EU citizen or relocating to the EU, they may practise the same rights as their European counterparts.
-
Does Benivo have a point of contact if I have any additional queries about Benivo’s GDPR readiness?
Yes, you may contact our data protection officer at security@benivo.com
