The General Data Protection Regulation

In this topic, we provide an overview of the issue, and the product changes Autotask has implemented which will allow IT Service Providers to comply with GDPR.

Beginning May 25, 2018, European IT Service Providers, that is, Autotask and Autotask customers, will need to comply with the EU General Data Protection Regulation (GDPR, the "Regulation").

What is the General Data Protection Regulation?

This Regulation lays down rules relating to the protection of natural persons with regard to the processing of personal data, and rules relating to the free movement of personal data.

The General Data Protection Regulation is intended to strengthen data protection for all individuals within the EU, by returning control over their personal data back to the individuals, and to unify the regulatory environment for international business.

You can read the full text of the Regulation here:

The General Data Protection Regulation (GDPR) (Regulation (EU) 2016/679) (English Text)

Who does the regulation apply to?

The Regulation applies if either Autotask, the IT Service Provider, or the people whose personal data is stored in Autotask (resources of the service provider and client contacts) reside in the European Union or in any other place where Member State law applies by virtue of public international law.

Terminology

The General Data Protection Regulation uses specific terminology that is defined in Article 4 of the GDPR.

Below are some of the most important concepts, as they relate to Autotask.

Data Subject: An identified or identifiable natural person whose data is stored. In Autotask, data is stored about two groups of individuals:

Resources (users) - Employees or contractors of the service provider who have a user account in Autotask.
Customer contacts - Employees or contractors of a customer organization who may or may not have a client portal account.

The protections of the GDPR apply equally to both.

Personal data - Any information relating to a data subject, such as name, address, phone number, or IP address. In Autotask, personal data about resources is stored on the Resource page, personal data about customer contacts is stored on the Contact page.

Controller - The organization that determines the purposes and means of the processing of personal data. In this context, your local organization, the IT service provider is the Controller, because you are the ones who collect and utilize the data, and have selected Autotask as the means of processing.

Processor - The organization that processes personal data on behalf of the controller. In this context, Autotask is the Processor, because we provide the cloud-based infrastructure and applications where the data is stored.

Compliance

Compliance with the Regulation requires you, the Controller, to establish certain business practices, provide certain services and to respond to certain requests, and Autotask, the Processor, to provide the product features that enable you to do so.

EXAMPLE Here is an example:
The Regulation establishes the rights of data subjects to access their data, have incorrect data rectified and request the erasure of their personal data.

Customer Request	Autotask	Service Provider
Please provide me with a document that shows the personal data you have collected about our employees	Provides the export tools and reports that show all personal data collected for customer contacts	Performs the export or runs the report, and transmits it to the customer
Please update the title of [employee name] to "Implementation Manager"	n/a	Edits the contact information of the contact, as requested
[Employee name] no longer works for us. Please remove all personal data from your Autotask instance	Provides an "Erasure" feature that allows users with security level permissions to redact contact information	Redacts the contact information

Issues addressed in this release

Data transfer to a 3rd country

Personal data processed by the Autotask cloud application is liable to be transferred to or accessed from the United States, the United Kingdom, and other countries which are currently or will in the future be classified as non-Union (or "third") countries.

Under the Regulation, this is perfectly legal as long as the controller or processor has provided “appropriate safeguards”.

The details of these safeguards are listed in the Autotask Privacy Policy. Resources and client contacts must consent to both before they can access Autotask or the Client Portal, respectively.

Right of consent

One of the ways you can legally process a data subject's personal data is if he or she gave their unambiguous, informed consent to the data processing. To ensure compliance with the Regulation, Autotask has done the following:

We have updated our Privacy Policy to meet the specific requirements of the General Data Protection Regulation.

View privacy policy here: Portal Privacy Practices.

When this upgrade is released and the Privacy Prompts module is enabled (the default for European zones), users logging into Autotask and the Subcontractor Portal will be prompted to accept the Privacy Policy. They must accept the Privacy Policy before their landing page will open. Refer to Consenting to the Privacy Policy (European Union).
The Privacy Policy in particular spells out:
- What personally identifiable information is collected from you through the website, how it is used and with whom it may be shared.
- What choices are available to you regarding the use of your data.
- The security procedures in place to protect the misuse of your information.
- How you can correct any inaccuracies in the information
A new Privacy Action History page tracks the date and time the user consented to both, as well as other privacy actions discussed below. Refer to Privacy Action History.
For easy access at all times, we are exposing a link to both documents on the About Autotask window in both Autotask and LiveMobile, and on the Client Portal User Profile page.

Right not to be contacted

The Regulation specifies that users must have a way to request that they no longer receive communication from the IT service provider.

Contacts were already able to refuse task and ticket notifications, opt out from surveys and unsubscribe from contact group emails. We have added a check box to the Notification Exclusions section on the Contact page, "Contact does not accept sales solicitations".

Checking and un-checking this box is recorded on the Privacy Action History page. You can export this page to prove to a customer that you have acted on their request.

A banner displays on the Contact, To-Do and the Opportunity pages when a contact has opted out.

IMPORTANT This does not outright prevent any specific notifications. You must adjust your business processes and refrain from contacting clients who have opted out.

Right of erasure

Under the Regulation, data subjects have the right to request that you erase any personal data when circumstances change (a user's employment ends or you lose a customer). In general, the Regulation favors the erasure of personal data as soon as keeping it is no longer necessary, whether or not the data subject requests erasure.

Autotask prevents the deletion of resources, once created, and it can be difficult (though not impossible) to delete customer contacts with a lot of links to tickets, to-dos, etc.

We have created a new Erase (Redact) feature that allows users with the required permissions to remove all identifying information from the Contact or Resource record.

When a Contact is erased, the following happens:

The contact is inactivated.
Client Portal access is inactivated.
The Client Portal username is cleared.
All system fields that are not required are cleared.
The first name and last name are changed to "Redacted Contact".
The contact photo is deleted.
All "Do Not Contact" settings are set to checked.

When a Resource is redacted, the following happens:

The resource is inactivated.
All fields on the General tab that are not required are cleared.
The first name and last name are changed to "Redacted Resource".
On the Security tab, the username is changed to "redacted[resourceid]".
The resource photo is deleted.

We have created a security level setting "Can erase (redact) Contacts". Users with this permission can redact contact information.

Right of access

The Regulation states that a data subject "should have the right of access to personal data which have been collected concerning him or her, and to exercise that right easily and at reasonable intervals...".

This means that data subjects have the right to receive a copy of their personal data that is being processed. You can use the following reports:

Reports > CRM > Exports > Export Contacts
Reports > LiveReports Designer > System Reports > Contacts & Organizations > Contacts & Organizations

Also, with the release of version 2018.1, we will add the "Export in Import Format" option to the Contact Search page. This option will export all contact data including User-Defined Fields into CSV. It contains all data fields for the contact entity.

	Need troubleshooting help? Open the Kaseya Helpdesk.
	Want to talk about it? Head on over to the Community!
	Have an idea for a new feature? Want to learn about upcoming enhancements? Visit the Ideas forum!
	Provide feedback for the Documentation team.