As of 25 May 2018, all organisations working with the personal data of EU citizens will have to comply with the General Data Protection Regulation (GDPR). Therefore, we are pleased to announce that 8x8 will be fully compliant with the GDPR.
1. 8x8’s GDPR commitment
As a cloud communications provider, 8x8 manages personal data on behalf of our customers. These data, which we process to ensure the successful delivery of communications, include mobile phone numbers, text message bodies that may contain sensitive information, user IDs and IP addresses. We also manage commercial data concerning our customers and personal data of our employees.
As we continue to grow and scale up our platform, our commitment to data privacy and security remains our key priority. 8x8 sees the GDPR as an opportunity to carry out an extensive review of our internal workflows, data processes and security terms to ensure all personal data are indeed secured and compliant.
2. What 8x8 is doing for GDPR
8x8 strives to make this compliance easier for our vendors and suppliers whilst ensuring all EU and international personal data are kept secure. Here’s how 8x8 is GDPR-compliant and how we are working towards being GDPR-ready for our future product changes:
a. Data Protection Team established:
- A Data Protection Team consisting of our Legal, Product, and IT departments is in place to ensure that we are always compliant with the GDPR
- Team members of 8x8 are well-trained and compliant with our internal personal data protection policy (defined by the Data Protection Team)
b. Updated terms:
- 8x8 contract templates and website terms have been revised and made GDPR-compliant
- Should customers require a Data Protection Agreement to be established, 8x8 will comply accordingly
- All 8x8 suppliers are required to sign our Data Protection Agreement to ensure compliance with the GDPR
c. Adapt our products:
- We are mapping all microservices and databases that access or store personal data, ensuring that access to them is secured and logged, and that the retention period is limited to the strict minimum necessary, and never longer than 6 months
- By default, the last 4 digits of phone numbers and all SMS message bodies that reside in our database will be redacted 6 months after their creation date
- Upon any customer’s request, we can immediately redact phone numbers and remove message bodies from our long-term storage databases. However, once this is done, it will be harder to debug issues or resolve billing disputes
- We will comply promptly with any request of deletion, modification, or extraction of personal data
- We are logging all actions in our Customer Portal that allow access to personal data, so that we can track breaches
- We are encrypting all personal data in our platform for additional security so that it is unreadable even if access is breached
- We have implemented the “Data Protection by Design” principle for all new products and features that we develop
d. Stricter access control:
We will also implement stricter access control, where only authorised employees and systems can access personal data.
If you do not find the information you need, you may speak to your 8x8 account manager, or reach out to us at firstname.lastname@example.org.