What Is GDPR?
GDPR, or the General Data Protection Regulation, is a comprehensive data protection law enacted by the European Union (EU) in May 2018. Its primary aim is to empower individuals and enhance their control over their personal data in an increasingly digital world. GDPR applies to organizations, both within and outside the EU, that process the personal data of EU citizens.
Key principles of GDPR include:
Consent: Organizations must obtain explicit and informed consent before collecting and processing an individual's personal data.
Data Rights: GDPR grants individuals various rights, such as the right to access, correct, and delete their data, as well as the right to data portability.
Data Protection Officers (DPOs): Certain organizations are required to appoint DPOs to oversee data protection efforts.
Data Security: Organizations must implement robust security measures to protect personal data from breaches.
Data Breach Reporting: GDPR mandates the timely reporting of data breaches to both authorities and affected individuals.
Privacy by Design: It encourages organizations to consider data protection at every stage of product and service development.
Territorial Scope: GDPR applies extraterritorially, impacting organizations worldwide that handle EU citizens' data.
What Changed?
GDPR was a significant change for global privacy standards. It requires organizations across the world to be accountable and responsible for protecting the data of European citizens, regardless of country or location. If you collect, use, transfer, handle, store, or do almost anything else with European citizen data within your business, you are most likely subject to GDPR compliance requirements.
Although the regulation and its compliance requirements are robust, it is a great opportunity for you to assess your firm's current data processing activities and ensure you are protecting your clients' data appropriately.
At a high level, GDPR requires the following of your accounting firm:
Data Audit: Identify and document all personal data processed.
Privacy Policies: Develop clear privacy policies for data handling.
Consent: Obtain explicit consent for data processing. This must be clear and conspicuous, and can be in one of several acceptable methods such as a form, written communication, or a contract.
Security Measures: Implement appropriate data security practices and technologies within your business.
Breach Response Plan: Prepare for timely investigation and reporting of identified data breaches within your business.
Employee Training: Educate staff on GDPR principles. This can be done by providing security training on GDPR and data privacy practices.
Vendor Due Diligence: Ensure third parties implement appropriate security and comply with GDPR, where applicable.
Data Subject Rights: Establish procedures for responding to data subject requests.
International Data Transfers: Comply with cross-border data transfer rules.
Documentation: Maintain records of compliance efforts.
Legal Counsel: Seek legal expertise for ongoing compliance.
For more information on the above and how to maintain compliance with GDPR, reference the EU GDPR website and the UK Information Commissioner's Office website.
Is Karbon GDPR Compliant?
We take our responsibilities under GDPR seriously and have ensured that we are GDPR-compliant.
Here is an outline of the relevant GDPR articles, with a summary of the measures we have implemented to ensure Karbon is compliant.
Lawful Basis
GDPR requires that all organizations processing EU or UK citizen data establish a lawful basis for conducting data processing activities. Our data processing activities are governed by our Terms of Use, which are read and accepted by Karbon web application users during the new user registration or onboarding process. These terms serve as a legal contract that governs the data processing activities that we are authorized to perform in connection with the use of our web application product.
Karbon is a Data Processor
Our internal evaluation of our processing activities has determined that our organization is a Data Processor to our subscribed customers. As a result, we have implemented practices to ensure our adherence to GDPR for data processors.
Data Subject Rights
Under the General Data Protection Regulation (GDPR), data subjects (individuals whose personal data is being processed) have several rights that empower them to have more control over their personal data. Each of these rights can be requested and exercised by authorized and appropriate Data Controllers by contacting the Karbon Customer Support team (support@karbonhq.com).
Right to Access (Article 15): Data subjects have the right to obtain confirmation from the data controller (the entity collecting and processing data) as to whether or not their personal data is being processed. They can request access to their personal data and receive information about how and why it's being processed.
Right to Rectification (Article 16): Data subjects can request the correction of inaccurate or incomplete personal data held by data controllers.
Right to Erasure (Right to be Forgotten) (Article 17): Data subjects have the right to request the deletion of their personal data in certain situations, such as when the data is no longer necessary for the purposes for which it was collected or when the data subject withdraws their consent.
Right to Restrict Processing (Article 18): Data subjects can request that the processing of their personal data be temporarily halted. This can be useful when there is a dispute about the accuracy or lawfulness of the data processing.
Right to Data Portability (Article 20): Data subjects can request their personal data in a structured, commonly used, and machine-readable format. They can also request the transfer of this data to another data controller when technically feasible.
Right to Object (Article 21): Data subjects have the right to object to the processing of their personal data, particularly in cases where the data is processed for direct marketing or legitimate interests.
Automated Decision-Making and Profiling (Article 22): Data subjects have the right not to be subject to automated decisions, including profiling, that produce legal or significant effects without human intervention. This right is subject to certain exceptions.
Right to Withdraw Consent (Article 7): Data subjects can withdraw their consent to data processing at any time. Data controllers must make it as easy to withdraw consent as it is to give it.
Important Note
Karbon customers also retain the ability to fulfil some of the above requests themselves from within their Karbon account, including:
Karbon customers can export their clients, contacts and work items from the Karbon web application. All emails remain stored in the inbox of their chosen email service provider.
If there is a need to erase data for a specific contact or client, Karbon customers are able to perform these actions themselves within the application (system administrators can perform these actions).
For the erasure of multiple contacts or any other bulk data deletion, the Karbon customer support team is able to perform these deletions on request.
Appropriate Safeguards
We have implemented a robust security program, including information security and privacy policies and procedures, to ensure the protection of EU and UK customer data during our data processing activities. These include the implementation of authentication, encryption, network security and access control procedures and technologies that facilitate our goals for maintaining confidentiality, integrity, and availability of our systems and data. Further, we ensure that these safeguards are also practiced by our third-party vendors to ensure that data maintains a similar level of protection when processed by our vendors.
Data Breach Notifications
We have implemented a robust security program within our company to prevent the occurrence of a data breach. However, despite our best efforts, a data breach may still occur. In the unfortunate event of a data breach, Karbon will notify all EU or UK customers without undue delay after becoming aware of a personal data breach. Our target for "without undue delay" is notification within 72 hours of identification and reasonable confirmation of the breach and its impact details.
We have also established a process for notifying supervisory authorities and data subjects of data breaches to ensure external stakeholders are notified appropriately.
Data Protection Officer
Although the appointment of a Data Protection Officer is not a requirement for all organizations, we have assigned this responsibility to our Chief Technology Officer and Founder, John Freeman. John maintains responsibility for oversight and governance of technology and security practices within our company and has engaged an external specialist to consult on and share the DPO function for our organization. This collaborative effort assists with monitoring our security program and our compliance with GDPR requirements.
Internal Audits
Karbon's internal risk and compliance team conducts regular internal audits to evaluate the design and operating effectiveness of our security program and reports any findings to our DPO and Executive Leadership team. These audits assist with evaluating the effectiveness of our security practices and identifying any areas for improvement to ensure we are protecting our environment and meeting GDPR compliance requirements.
International Data Transfers
The Karbon web application is used by customers globally. For each of the geographic regions where we process data, we use secure data centers to maintain the data within the local region:
Data is stored within EU and UK data centers for European or United Kingdom customers who request this when setting up their account. This ensures that data is processed and stored within a data center located in the EU or the UK, respectively. Although this is not required for GDPR compliance, storing data within the local data center is best practice and simplifies our adherence to GDPR.
In addition to our EU and UK data centers, we utilize other regional data center locations to support data processing and storage activities for our customers using the Karbon web application.
Each of these data center locations implements appropriate safeguards (security) to protect data during processing and storage.
In any circumstances where we process EU or UK customer data in territories outside of the EU or UK (e.g. the United States), we also ensure that "appropriate safeguards" are implemented within those environments so that the same level of protection is maintained.
Appointed Representative in EU Member State
GDPR requires that organizations outside of the EU appoint a representative within an EU/UK member state. The contact information for our designated and appointed representative is as follows:
Osano International Compliance Services Limited
ATTN: 74QZ
25/28 North Wall Quay
Dublin 1, D01 H104
IRELAND
Compliance with GDPR requires an ongoing evaluation of the security and privacy practices within our company. We are committed to ensuring that we meet these standards and maintain the protection of our customers' data. Please reference our Privacy Policy for a full description of our data privacy practices.