GDPR - What Zoho is doing about it
Zoho has always honored its users’ rights to data privacy and protection. Over the years, they have demonstrated their commitment to this by consistently exceeding industry standards. Zoho have no need to collect and process users’ personal information beyond what is required for the functioning of our products, and this will never change. Zoho has a privacy-conscious culture here and GDPR is an opportunity for us to strengthen this even further.
Disclaimer: The information presented herein should not be taken as legal advice. We recommend that you seek legal advise on what you need to do to comply with the requirements of GDPR.
What is GDPR?
GDPR is an EU-wide privacy and data protection law that regulates how EU residents' data is protected by companies and enhances the control the EU residents have, over their personal data.
The GDPR is relevant to any globally operating company and not just the EU-based businesses and EU residents. Our customers’ data is important irrespective of where they are located, which is why we have implemented GDPR controls as our baseline standard for all our operations worldwide. GDPR has taken effect from 25th May 2018.
What is personal data?
Any data that relates to an identifiable or identified individual. GDPR covers a broad spectrum of information that could be used on its own, or in combination with other pieces of information, to identify a person. Personal data extends beyond a person’s name or email address. Some examples include financial information, political opinions, genetic data, biometric data, IP addresses, physical address, sexual orientation, and ethnicity.
How prepared is Zoho for GDPR?
Zoho has acted on many fronts to adhere to this new regulation.
- Zoho has raised awareness across the organisation through frequent discussions in their internal channels, and trained employees to handle data appropriately. They now understand the importance of information security and the high standards set by GDPR.
- Zoho has assessed all Zoho products, individually, against the requirements of the GDPR and have implemented new features that will give you more control over your data and ease your burden of achieving GDPR compliance.
- Zoho has constituted an Information Asset Register(IAR), which includes information on all the roles Zoho assumes, such as a data controller and processor. It details on various categories of personal data processed by our organization and which department is getting access to which data and for what purpose. It has a comprehensive coverage of all our processes and procedures.
- Zoho has assessed their sub-processors (third party service providers, partners) and streamlined the contract process with them to ensure that they have addressed the pressing needs of the current security and privacy world.
- Zoho has appointed internal privacy champions for all their teams. We have also appointed a Data Protection Officer (DPO).
- The Zoho application teams have embraced the concept of privacy by design and have provided you more control over the data you store in our systems. These provisions may vary based on a product’s characteristics and domain. Zoho constantly endeavour to provide you with more enhancements, which shall be rolled out in phases.
- Zoho has amended their Data Processing Addendum (based on Model Contractual Clauses) to be compliant with the data processing requirements of GDPR.
- If you are the organization administrator and would like to sign a DPA with Zoho, they've made it available to be signed electronically in a few easy steps. If you've signed up in our US datacenter, click here to view the DPA. To initiate the signing process, click here.
- If you've signed up in our EU datacenter, click here to view the DPA. To initiate the signing process, click here.
- Zoho conducted Data Protection Impact Assessments (DPIA). Based on the results, we have put in place appropriate controls on data processing and management.
- Zoho conducted internal audits of our products, processes, operations, and management. The findings were communicated to our teams, who have worked out the solutions to the identified problems.
- Based on the DPIAs and internal audits, we have improved our data security methods and processes. This includes encrypting data at rest, based on the level of sensitivity and likelihood of risks. We have developed in-house tools for better governance and discovery of data.
- We have cleaned up our databases to ensure that we have only the latest and most accurate information. This cleanup process includes removing terminated and dormant accounts as per our Terms of Service.
- When needed, breach notifications will be done according to the internal Privacy Incident Response policy. Customers will be notified of a breach within 72 hours after Zoho becomes aware of it. For general incidents, Zoho will notify users through our blogs, forums, and social media. For incidents specific to an individual user or an organisation, Zoho will notify the concerned party through email (using their primary email address).