99minds GDPR Compliance | Ensuring Data Privacy & Security

GDPR (General Data Protection Regulation) will apply to all organizations controlling or processing the data of EU citizens (whether from within or outside Europe) from May 25, 2018. This is bound to bring significant changes to the way organizations currently hold and process data.

The current digital age is defined by the broad use of technology, which has also changed what counts as user personal data. GDPR aims to standardize data protection law for EU data subjects and will give users more access to how their data is processed.

99minds is committed to making sure that the controlling and processing of users' personal data follows the guidelines defined by GDPR and the UK’s Data Protection Bill/insert relevant country DP law. Our preparation for GDPR compliance is summarized in this statement. It covers the implementation measures, changes to current procedures, and policies that we are taking or have taken to become GDPR compliant.

How We Are Prepared for the GDPR

99minds already has a robust data security and backup system in place; however, to become GDPR compliant, we have introduced additional features in our system to ensure transparent processing of user data.

Our preparation includes:

  • Data Retention Period:

    We have updated our data retention policy to make sure that we meet the ‘data minimization’ and ‘storage limitation’ principles and that user personal data is processed at our end in accordance with GDPR guidelines. Only loyalty, coupon, and gift card-related data entered by users is stored, for user convenience and product analytics purposes. These records are retained at most for the duration of the subscription term, after which they are permanently deleted from our databases. You can request your loyalty point and gift card data at any time during this period, and 99minds will provide it within a reasonable time and in a commonly used data format.
  • User Data Portability:

    We provide loyalty and gift card data in a commonly used data format, so users are able to port their account information.
  • User Data Deletion:

    We have dedicated erasure procedures in place to meet the new ‘Right to Erasure’ obligation in GDPR. Users can request data deletion for all of their Loyalty User Profile modules. We are also working on a feature that will allow users to delete their test and account information. After such a deletion, the requested information is permanently deleted from all of our databases.
  • Policies & Procedures:

    We revised our data protection policies and procedures to meet the requirements and standards of the GDPR and any relevant data protection laws, including:

    Data Protection:

    We revised our Privacy Policy as well as Terms of Service documents to meet the standards and requirements of the GDPR.

    Data Breaches:

    Our Business Continuity Plan and Disaster Management documents are being updated to meet the GDPR requirement that, in the event of a data breach, the relevant regulatory authority must be notified as soon as possible and within 72 hours. We have procedures in place to identify and assess risks in such cases, and a reporting mechanism has been introduced within the organization so that such events are handled with the utmost priority.
  • Legal Basis for Processing:

    We reviewed all processing activities to identify the legal basis for processing and ensure that each basis is appropriate for the activity it relates to. Where applicable, we also maintain records of our processing activities, ensuring that our obligations under Article 30 of the GDPR and Schedule 1 of the Data Protection Bill are met.
  • Direct Marketing:

    We have revised the processes involved in direct notification and product update e-mails, including clear opt-in procedures for all notification subscriptions and a clear notice and method for opting out. We also provide unsubscribe features on all subsequent marketing materials.
  • Privacy Notice/Policy:

    We have revised our Privacy Policy document to comply with the GDPR, making sure that all individual data subjects whose personal information we process have been informed of why we need it, how it is used, what their data rights are, and what safety measures are in place to safeguard their information.
  • Obtaining Consent:

    We have revised our consent-obtaining procedures for personal data, ensuring that individuals understand what data they are providing and why and how we process it, and giving them clear, defined ways to consent to our processing of their information. We have developed strict processes for recording consent, ensuring that we can evidence an affirmative opt-in, along with time and date records, and an easily accessible way to withdraw consent at any time.

Data Subject Rights

In addition to the policies and procedures mentioned above, which ensure individuals can enforce their data protection rights, we provide easy-to-access information via our website about an individual’s right to access any personal information that 99minds processes about them and to request information about:

  • What personal data we hold about them.
  • The purposes of the processing.
  • The categories of personal data concerned.
  • The recipients to whom the personal data has/will be disclosed.
  • How long we intend to store their personal data.
  • If we did not collect the data directly from them, information about the source.
  • The right to have incomplete or inaccurate data about them corrected or completed and the process for requesting this.
  • The right to request erasure of personal data (where applicable) or to restrict processing in accordance with data protection laws, as well as to object to any direct marketing from us and to be informed about any automated decision-making that we use.
  • The right to lodge a complaint or seek judicial remedy and who to contact in such instances.

Information Security & Technical and Organizational Measures

99minds takes the privacy and security of individuals and their personal information very seriously and takes every reasonable measure and precaution to protect and secure the personal data that we process. We have robust information security policies and procedures in place to protect personal information from unauthorized access, alteration, disclosure, or destruction and have several layers of security measures, including:

  • SSL (Secure Sockets Layer):

    In our application, we have implemented HTTPS by default and use VNC protocols for secure data transfer. Data is also encrypted in transit to ensure that it is not compromised.
  • Access Controls:

    We have implemented strict 24x7 security protections at our on-premise development centers. Only authorized individuals have access to the building and 99minds office premises. Our application data is hosted on industry-leading hosts such as Amazon Web Services, which have been thoroughly tested for security by multiple third-party auditors. All our employees sign confidentiality agreements that extend to the user agreements between 99minds and its clients. We also enforce strict role-based access to all customer data, so only the employees who need it have access, and only to the data relevant to their role.
  • Password Policy:

    All user access is password protected. In addition, user sign-ups are verified through a two-step verification workflow.
  • Encryption:

    All data saved in our application, such as login credentials, secure access keys, usage logs, test history, and billing details, is stored in an encrypted format.
  • Data Backup:

    We use AWS services such as Amazon S3 to store and back up our data. All data stored on AWS is encrypted with AES-256. Any data that is not critically required is deleted through standard DELETE requests on S3 buckets. However, we have implemented versioning and rollback steps to prevent accidental deletion, so a delete request does not immediately remove every copy of the data. To cover this, we have implemented provisions to scrub all data, including historical backup data, on client request via support or via the delete feature.

GDPR and Employee Training

99minds understands that continuous employee awareness and understanding is the backbone of continued compliance with the GDPR and has involved our employees in our preparation plans. We have hired a third-party compliance agency and implemented an employee training program specific to the GDPR, which will be provided to all employees and forms part of our induction and annual training program.

If you have any questions about our preparation for the GDPR, please connect with us at support@99minds.com.