Data Protection and GDPR Policy

The GDPR law grants the public increased rights and imposes rules on how data must be handled.

Good-Loop supports the GDPR. This policy document covers how Good-Loop handles the GDPR.

Hosting

Good-Loop services are hosted within the EU, and comply with GDPR regulations.

Process around Data Issues

Clients can contact Support with data and GDPR issues. We will provide support and help.

Data Security

Good-Loop stores all data on secure servers. Please see our Security Policy for more details.

If you suspect a data breach, you must notify Good-Loop support straight away. The GDPR places legal obligations on handling data breaches, including time limits for responding.

If we suspect a data breach we will notify you within 24 hours. We would then work with you to identify the scope of the breach and take remedial action.

Good-Loop has not had a data breach in it's history.

Rights of the Data Subject

Individuals ("data subjects") can contact a Good-Loop client with various requests. The client should lead the response to a data subject request, with the Good-Loop support team available to help clients handle these.

Right to be Informed

It is unlikely that this applies.

Right of Access

Good-Loop supports filtering by individual including by mentions. This makes it straightforward to respond to a request for data.

Right to Correct Data

Our data-subject data is sourced from external sites. The data subject can update their profile on Twitter or Facebook, and Good-Loop will automatically update with the correction.

Right to Erasure (right to be forgotten)

Please contact the support team, who can erase the data from the system. As this is not reversible, the support team should first verify the range of data to be deleted.

Erased data will instantly vanish from front-end use. It will take one month for all data to be removed from the system.

Right to Data Portability

Usually this right is satisfied by the social media networks from which Good-Loop draws data. However, it is also easy to extract data from Good-Loop in .csv form, in order to provide portable data should a data subject require it.

Automated Decision-Making

We do not recommend using Good-Loop for automated decision-making about a person that has legal or similar significant effects for that person. We are not aware of any clients who do so. If you should wish to do so, please check GDPR regulations.

GDPR Article 28 Compliance Checklist

Good-Loop acts as a Data Processor for its clients. We support the aims of the GDPR and we fully accept our responsibilities as a Data Processor. In order to comply with the requirements of Article 28 of the GDPR:

  • As a Data Processor, we will only act on the instructions of the Data Controller (unless required by law to act without such instructions).
  • All people processing the data within our organisation, whether they are staff or contractors, agree to confidentiality clauses.
  • We take data security seriously, and take appropriate measures to ensure the security of processing (please see our security policy for more detail).
  • We will only engage a sub-processor with the prior consent of the Data Controller and with a written contract.
  • We will assist the Data Controller in providing subject access and allowing data subjects to exercise their rights under the GDPR.
  • We will assist the Data Controller in meeting its GDPR obligations in relation to the security of processing (Article 32 GDPR), the notification of personal data breaches (Article 33 GDPR), and data protection impact assessments (Article 35 GDPR).
  • We will delete or return all personal data to the Data Controller as requested at the end of the contract.
  • We agree to reasonable audits and inspections, and to provide the Data Controller with whatever information it needs to ensure that we are both meeting Article 28 obligations.
  • We will tell the controller immediately if asked to do something infringing the GDPR or other data protection law of the EU or a member state.

See also

Please also see the following relevant policies:

  • Access Control Policy
  • Security Policy