Akita will meet or exceed the requirements specified in the EU’s General Data Protection Regulation (“GDPR”) by the May 25th deadline. This document outlines some of the steps we have taken to make certain that we comply with the new laws.

3rd-Party Sub Processors

We use services provided by 3rd-party vendors to help provide the Akita service and effectively run the Akita business. By the May 25th deadline, we will have entered into GDPR-compliant Data Processing Agreements with each of our vendors. You can find a list of these vendors here.

Security Breach Response

In the event of a data breach, we will notify our customers in a timely manner as required by GDPR and outlined in our Data Processing Agreement.

Consent

We have updated our Privacy Policy and Cookie Policy to clearly identify what visitor and customer information we collect, how we collect it, and why we collect it. In addition, we provide information about how you can disable these cookies.

Data Inventory

We have reviewed and identified where we are collecting and processing customer data on the Akita website and in the Akita service. For each instance we have identified our legal basis for collecting and processing this data. We have made certain that we have implemented network, software, and procedural safeguards to ensure the security of this data. Our Privacy Policy identifies what we are doing with the data we collect and how we manage consent.

Data Processing Agreement

We have incorporated a GDPR-compliant Data Processing Agreement into our overall Terms and Conditions. To continue using Akita, you must accept both the DPA and Terms and Conditions. Unfortunately we cannot sign Customer-provided DPAs as doing so would require prohibitively expensive outside legal assistance for each contract.

Data Protection Officer

Akita has appointed David Smith as its Data Protection Officer. He is registered with the Irish Data Protection Commission and is responsible for overseeing customer data security, privacy and GDPR compliance at Akita.

Data Protection Impact Assessments

For each new feature we implement, we will determine whether the new feature poses a risk to user privacy and the security of personal data. If the level of risk requires it, we will conduct a Data Protection Impact Assessment that describes the flow of sensitive data through the application, identifies areas of risk, and outlines solutions to mitigate that risk. This DPIA will be signed off by Akita management and implemented as part of the project plan.

Easy to Understand Terms and Conditions and Privacy Policies

We will strive to provide Terms and Conditions and a Privacy Policy that transparently describe the personal data we collect and process and why, how we use it, who we share it with, and how long we store it.

Right to Data Access, Portability and Deletion

Akita processes and stores all personal data in a GDPR-compliant manner using only GDPR-compliant Sub Processors. We store your data for 2 years unless your account is cancelled. In the event your account is cancelled, we will delete your data in accordance with our Terms and Conditions.

GDPR requires that you provide your users with the ability to access, update, retrieve and remove personal data. Upon request, Akita will work with your team to delete or export any data you require. If you have integrated with a 3rd-party application, Akita may re-import that data. You may need to delete or update data in the connected application prior to deleting it from Akita.

Training

Akita has had regular, internal discussions concerning data privacy and GDPR compliance. Our product, sales, and marketing teams have researched and will continue to study ways to make sure Customer data is only used in compliance with GDPR.

Implementation Checklist

| Rules | Specific Articles | Status | Comments |
| --- | --- | --- | --- |
| Data Protection Officer (DPO) | Articles 37-39 | Complete | Registered with Office of the Data Protection Commissioner. Nominated David Smith as Data Protection Officer. Paid applicable fees. |
| Training across all personnel (development and roll out) | Articles 7-8 & 12-15 | Complete | Completed training for all impacted personnel. |
| Data breach procedures | Articles 33 & 34 | Complete | Data breach response incorporated into DPA. |
| Data processing records | Article 30 | Complete | Record of processing activities, including purposes of the processing, description of the categories of data and recipients, and any transfers. Update periodically. |
| Audit and analysis of privacy framework | Articles 28-30 | Complete | Audit all existing client & third-party contracts to ensure compliance with GDPR. Make necessary amendments. Review & update insurance coverages. Implement processes. Review & control. |
| Ensure appropriate technical & organizational measures | Articles 44-50 | Complete | Guarantees by processor to implement appropriate technical & organizational measures to ensure the protection of the rights of the data subjects. Update data protection agreements and appendices. |
| Data transfers and export controls | Articles 7-8 & 12-15 | Complete | Identify cross-border data flows and review mechanisms in place. Ensure adequate level of protection with contractual clauses. |
| Reevaluate notice, consent and withdrawal mechanisms | Article 20 | Complete | Evaluation of existing consent & procedures in place, and ease of withdrawal. Update internal processes & Privacy Policy to increase transparency. |
| Data portability | Article 25 | Ongoing | Provide exports of user data upon request within the time specified. |
| Data protection by design and by default | Article 32 | Ongoing | Technical & organizational measures to ensure that, by default, only personal data which are necessary for each specific purpose of processing are processed. Implement data protection principles, such as data minimisation. |
| Security of processing | Article 35 | Ongoing | Technical & organizational measures to ensure a level of security appropriate to the risks at stake. |
| Carry out data protection impact assessment | Article 35 | Ongoing | Created template for future DPIAs. |

Last Updated: 13th May 2018