FotoWare Digital Asset Management: Committed to GDPR Compliance
The EU’s General Data Protection Regulation (GDPR) is taking effect in about a month.
With customers and partners worldwide, and with a large customer base in Europe, we have been hard at work to ensure not only that our own practices are GDPR compliant, but also to help our users secure, manage, and protect their personal data even more easily using the FotoWare Digital Asset Management (DAM) Solution. Olav Andreas Frenning, Data Protection Officer at FotoWare, explains what FotoWare has been doing to prepare for GDPR in recent months.
First things first, is FotoWare ready for GDPR?
In short, yes. By May 25th all will be in place, including an area on our website that tells users 1) which data we store, 2) why we store it and 3) where we store it. Not least, users will be able to get in touch easily to request access to the information we hold about them or to request deletion, as stipulated in the GDPR.
We’ll also get in touch with our existing users and offer to let them review and sign a Data Processor Agreement (DPA) with us for their own GDPR records. It can be hard getting one’s head around which agreements need to be in place, so here’s the short version:
Our customers are defined as Data Controllers under GDPR – they own the data – they just happen to store it on our service. FotoWare is a Data Processor, as we “do” things to that data in our system. What we can do with it is clearly outlined in the DPA. FotoWare in turn has agreements with sub-contractors who offer secondary services – things such as our support system, which runs on Zendesk, our email automation system, and others. Under GDPR the customer’s rights (your rights) are covered by the law’s onward transfer principles, which means you don’t have to make deals with each of our subcontractors – you have an agreement with us, and then you’re covered.
What changes has FotoWare made to be GDPR compliant?
Quite a bit, to be honest. GDPR is a massive undertaking, and as a software vendor with both SaaS and On-Premise solutions on offer, it means we process data in several underlying systems. Our role is also substantially different in the two usage scenarios – in an On-Premise solution all the data is stored on the customer's servers and entirely controlled by them, whereas in SaaS the customer owns the data while FotoWare is a processor, as the software itself runs on the Azure cloud. This has an impact on the surrounding systems where data is processed, and thus the data processing scheme differs slightly.
We’ve also had to define clear routines that allow us to extract data when a customer requests insight into the data we keep, and for the deletion of data, to conform to the GDPR’s requirements for Right of Access (GDPR Article 15), Right to Erasure (GDPR Article 17) and Right to Data Portability (GDPR Article 20).
On top of all this come data discipline guidelines for employees, and documentation of operational routines that govern which employees have access to what systems, where employees may store data, emergency routines and other areas that pertain to the security of the data we handle.
What kind of customer data does FotoWare need and what is the purpose?
We've defined three main areas where we collect data: for marketing, for On-Premise solutions and for SaaS solutions. We're strict about not collecting more data than we absolutely need or hanging on to it any longer than we have to.
Marketing collects prospects’ information from our website – mostly names or email addresses. For FotoWare customers, we keep their contact information in our CRM so we can notify them of updates to the software, send them license information when the agreement is renewed, and suchlike. It's worth noting that in the SaaS offering, updates are deployed automatically, while On-Premise solutions need to be manually updated at the customer's convenience. So, when we release feature updates to our existing software suite, an email will go out to the people listed as contact persons on the contract. We've also made it easy to remove people from these lists in the customer portal, so that customers can themselves manage the level of information they receive.
Whether running on-premise or in the cloud, the obvious data we store and process are the actual assets that users upload to the system. There could potentially be millions of pictures, PDFs, documents, audio and video files. And in the context of GDPR, this is where a DAM really shines: with a proper metadata tagging regime in place (what the boffins call “metadata governance”) you can make sure everything that’s stored in the system is properly tagged – you can add information about who added a document, who’s played a part in editing it, who’s depicted in your company photos, and so on. A DAM is built to make it easy for users to navigate and search huge structures of data and retrieve it fast. And once you’ve found the asset(s), deletion is simply a matter of access rights. So when a person who’s left the company requires that personal data about him or her be deleted, it really is a no-brainer.
Our partners know just how vital metadata is in this regard, and they understand the importance of helping their customers get a metadata schema in place that’s tailored to manage their data, and in consequence, ready for GDPR.
Where does FotoWare store customer data and how secure is it?
FotoWare stores data in Microsoft Azure. This is a modern, high-security platform, and Microsoft is working actively to acquire certifications for the highest level of security, so customers can rest assured their data is well protected. As for our operational systems, they run on Azure PaaS Services. In fact, if you broke into our office, you wouldn’t find a single server here – so if disaster strikes and the office is flooded or burns to the ground, nothing is lost. With a computer and a working internet connection it’s business as usual. As long as we have a working network connection, we’re operational.
How does GDPR impact the FotoWare Solution user?
For users, the GDPR means there are stricter laws in place governing how a business can use their personal data. It also affords users important rights, two of which were mentioned before: 1) Right of Access and 2) Right to be Erased. The first implies that a user can request that we dig out all the data we have on him/her. The right to be forgotten implies that the user can request that we delete all his/her user data in all our connected systems. The cool thing here is that managers of a FotoWare DAM system will be perfectly capable of doing this themselves, as this is among the core features of a DAM system. The GDPR states that FotoWare must also assist the customer, and we will naturally do that to the best of our ability, but with proper user training they should be perfectly capable of doing it themselves.
In the time ahead, you will likely see new content on the FotoWare documentation site that deals with how users of the FotoWare DAM can become GDPR experts themselves by learning basic techniques to get an overview of their content, categorize it, tag it, retrieve it and, when required, delete it.
Will there be any update or change in the functionality of the FotoWare Solution due to GDPR?
Yes, there will be minor changes in the way we obtain consent and in our opt-in and opt-out mechanisms. The best way to get an overview is to visit the GDPR section on our website, where we’ll post updates on all things regarding GDPR in the time to come.
If you have any questions regarding FotoWare’s processing of personal data, please contact us at firstname.lastname@example.org.