
How Does Streamtime Comply With GDPR?

Trust is important in a relationship, so this is how we plan to keep yours.

Updated over a year ago

Since the implementation of GDPR, privacy has been a hot topic. But privacy has always been a big deal at Streamtime.

Click here for a 'post Schrems' update.

Firstly, What is GDPR, and How Does it Affect You?

The EU General Data Protection Regulation ("GDPR") is a new-ish comprehensive data protection law that came into effect on May 25, 2018. It replaced the existing EU Data Protection law to strengthen the protection of "personal data" and the rights of the individual. The EU GDPR has also been incorporated into UK Law post Brexit.

Companies must now disclose what data they collect, why they collect it, how they store and process it, and most importantly, who they share it with. They also must ensure that anyone they share their data with is GDPR compliant.

So What Is Streamtime Doing to Protect Your Privacy?

Documentation

We have formalised our internal processes by creating documentation that is easily accessible to every staff member. Areas covered include: data breach procedure, subject access request procedure and data security policy.

Privacy Notices

You know the thing that you always say you read...but don't. We reviewed our privacy policy and made it as human as possible, clearly detailing the information we collect and its use. Check out Paddy's masterpiece.

Security (current Streamtime product)

Streamtime has been built with privacy in mind, so we were chuffed to be given a 'clean bill of health' after a recent checkup (third-party security review). We listened to their recommendations on cleaning up our lifestyle and are now healthier than ever.

Security (Classic - FileMaker Based Clients - Purchased pre-2016)

Our Classic product, built on the FileMaker platform (no longer on our menu), has been our major focus.

We have identified a specific subset of companies using Streamtime Classic in a certain way (self-hosted with users connecting to their servers from outside the office) where extra security in the form of SSL certificates is recommended. This information was included in an email to all existing users.

Transparency

We have tried to be transparent with our clients regarding business goals, where we are heading and the reasoning behind certain business decisions. The steps outlined in this article allow us to expand our transparency to personal data and our privacy processes - the more transparent we can be, the better.

The same applies to your data. If you would like a copy of the data we hold on you, would like it deleted, or have any questions, please contact us.

Update - Post Schrems II Ruling

Streamtime rely on Standard Contractual Clauses (SCCs), which were validated in the Schrems II ruling as outlined by the CJEU (Court of Justice of the European Union), to allow the use of AWS services when transferring customer data from Europe to countries outside the EEA that have not yet received an adequacy decision from the European Commission (in our specific case, the USA). The data transfer relies on the 'Transfers subject to appropriate safeguards' transfer tool.

Key points for Streamtime's GDPR compliance post Schrems II ruling:

  • The Schrems II ruling in July 2020 invalidated the EU-US Privacy Shield mechanism to transfer personal data from the EEA to the US.

  • In that same ruling, the CJEU (Court of Justice of the European Union) confirmed that companies can (subject to implementing supplementary measures, if required) continue to use Standard Contractual Clauses as a valid mechanism for transferring personal data outside of the EEA.

  • The AWS Service Terms include the SCCs adopted by the European Commission (EC) in June 2021, and the AWS GDPR DPA confirms that the SCCs will apply automatically whenever an AWS customer uses AWS services to transfer customer data to countries outside of the European Economic Area that have not received an adequacy decision from the EC (third countries). As part of the AWS Service Terms, the new SCCs will apply automatically whenever a customer uses AWS services to transfer customer data to third countries. Customers can therefore be comfortable that any customer data they transfer to third countries using AWS services has the same high level of protection that customer data receives in the EEA.

  • Streamtime Software take data security extremely seriously. Our most recent DevOps project ensured we are using the industry-standard AES-256 encryption algorithm to encrypt data on our servers. Data is encrypted in transit thanks to our HTTPS certificates, which encrypt data from a user's machine the entire way to our database and vice versa. Additionally, we absolutely limit the data we store to that which we must have, e.g. we do not store client credit card information anywhere in our environments.

  • In addition to the above SCCs, which we believe ensure our current compliance, on the 13th December 2022 the European Commission released a draft adequacy decision that concluded the US legal framework offers comparable safeguards to those of the EU and ensures an adequate level of protection for personal data transferred from the EU to US companies. The draft adequacy decision now sits with the European Data Protection Board (EDPB) to make a decision, then pass to the Commission. Once completed, the Commission can proceed to adopting the final adequacy decision. This decision being formalised would then allow us to transfer data on the basis of an adequacy decision as well as the SCCs we are currently relying on.
