Last Update: May 6, 2018

SysAid Takes Privacy Seriously

The EU General Data Protection Regulation (GDPR) is the most significant piece of European privacy legislation in two decades. It replaces the 1995 EU Data Protection Directive (European Directive 95/46/EC), strengthening the rights that EU individuals have over their data, and creating a uniform data protection law across Europe.

We didn’t just start to take privacy seriously now. As one of the largest ITSM providers, with thousands of both cloud and on-premise implementations, our customers’ privacy has always been one of our top priorities.

Specifically with our Cloud offering, SysAid guarantees continued compliance with applicable GDPR regulations as a data processor. We are fully committed to enable, and assist in any way, our customers, the data controllers, with complete control of their private data, in order for them to meet their GDPR obligations. For our On-Premise solution, we’ll continue to ensure that our product empowers our customers to fulfil their responsibility as both controllers and processors.

Ongoing Status

We have addressed GDPR data protection requirements that are applicable to data processors and will continue to be vigilant, to ensure we handle any developing requirements.

Data processing

Our ability to fulfill our commitments as a data processor to our customers, the data controllers, is a part of our compliance with GDPR where data controllers are using SysAid to process personal data. Because of this requirement, SysAid will continue to ensure we’re doing the maximum to protect data and improve our processes and procedures where we identify the opportunity.

Controls

We regularly review our Information Security Policy and related work plans to ensure that they take into account all requirements, confirming we’re fulfilling our obligations to GDPR as a data processor.

Our customers depend on us to manage and protect their environments. Only a limited number of roles within SysAid are authorized to access customer environments and then only when necessary, according to strict guidelines and documented actions. We comply with information security best practices including multiple-factor authentication and encryption.

Data Protection

SysAid commits to conforming to information security best practices. In line with GDPR, appropriate measures are assessed in terms of a variety of factors including the sensitivity of the data, the risks to individuals associated with any security breach, state of the art technologies, and the nature of the processing. These measures include data anonymization in problem investigation/resolution and encryption. Regular testing of the effectiveness of all security measures is a continuous process.

Data Transition

Our customers can choose for their environments to be processed within an EU Data Center. SysAid guarantees that the processing of our cloud customers’ data will remain in the region that the customer requests.

Third-Party Processors

SysAid’s cloud offering runs on Amazon Web Services. The European Union (EU) data protection authorities known as the Article 29 Working Party has approved the AWS Data Processing Agreement (DPA), assuring customers that it meets the high standards of EU data protection laws. No other third parties are engaged in SysAid’s service.

Customer Guidance for Data Subject Request (SAR) Responsiveness

We have prepared guidance for our customers on how to respond to and act on their customer queries and requests regarding GDPR Data Subject Rights. We will augment this section if any additional information becomes available. It is important however that SysAid Customers, both Cloud and on On- Premise, prepare their procedures and processes to conform with SARs as they, as Data Controllers, are solely responsible for the handling of and response to SARs.

Requests and Responses

Right: To information
What does it mean?
Transparency – what personal data of mine do you have and what do you do with it.

Action:
Within the User Management Tool, an administrator can select end users and find all of the structured data for that user. In addition, all chats, login and session information, and calls can be retrieved.

Right: To access
What does it mean?
Right to receive a copy of the personal data.

Action:
Any of the information retrieved in the User Management Tool can be exported to Excel or PDF format.

Right: To rectification
What does it mean?
Right to request modification of the data.

Action:
Customer system administrators determine which fields in the profile an end user can edit via Self-Service. This provides end users with correct information within their own profile.

Right: To object to automated decision making
What does it mean?
Right to request human intervention, as an alternative to the automated process.

Action:
As with any ITSM tool, the natural life cycle of a ticket includes escalation and routing. In as such and with regard to this right, the customer should explain to the end user that ceasing automated decision making is, in effect, disabling use of the service.

Right: Of restriction
What does it mean?
Right to request a block of personal data processing.

Action:
The end user should be deactivated but not deleted. In this scenario, the user will stop receiving service in the system.

Right: To portability
What does it mean?
Right to receive data back for reuse, in usable electronic form.

Action:
The User Management Tool can be used to export the end user’s structured data to Excel or PDF format.

Right: To erasure
What does it mean?
Deletion of the subject’s personal data. Commonly referred to as the right to be forgotten.

Action:
Deleting an end user deletes the user’s structured data. However, the content of the interactions of the user still remains in the system.

To delete the content of these interactions, in accordance with the right to be forgotten, the administrator should filter the ticket list by the end user and delete them before deleting the actual user record.

For any questions, comments, or suggestions on the subject, please contact our Data Privacy Officer directly