About the General Data Protection Regulation (GDPR)

GDPR, or the General Data Protection Regulation, became effective on May 25, 2018. Simply put, EU citizens now have greater say over what, how, why, where, and when their personal data is used, processed, or disposed of. GDPR clarifies how the EU personal data laws apply even beyond the borders of the EU. For more detailed information, visit the European Commission website.

Does GDPR apply to you?

Any organization that works with EU citizens’ personal data in any manner (irrespective of location) has obligations to protect the data under GDPR.

What you don't know, CAN hurt you

Penalties for non-compliance can be steep, with fines up to 4% of revenue or €20 million, class action lawsuits, disruption to your business, brand damage, and more.

Benefits of compliance

There are many positive business outcomes of compliance with GDPR, including efficient data management, streamlined processes, transparency, security, better internal controls, risk reduction, long-term cost reduction, and updated technology.

How does SmartVault support you in complying with GDPR?

Contractual protection for using SmartVault as a Service Provider

Data controllers have a responsibility to ensure that their contracts with suppliers are adequate under the GDPR. The Supplemental Terms for Data Processing for the SmartVault Service, which are incorporated in the SmartVault Terms of Service by reference and by default, help ensure that all of our customers have the required level of contractual protection for their use of the SmartVault service under the GDPR.


Updated privacy policy in support of GDPR compliance

We’ve updated our Privacy Policy, which describes in clear, concise language how we collect, use, and disclose your personal information, and what rights you have with respect to the use of your information.


How does SmartVault comply with EU data export restrictions?

Like many SaaS providers, we use Amazon Web Services, a top-tier third-party data hosting provider with servers located in the U.S., to host the SmartVault service.

Under the GDPR, the personal information of EU residents can only be transferred outside the EU in compliance with the conditions for transfer as set out in Chapter V (Articles 44-50) of the text. As detailed on this page of the European Commission website, the EU-U.S. Privacy Shield Framework has been formally afforded appropriate adequacy for data transfer to the US by the Commission in respect to GDPR.

SmartVault is certified under the EU-U.S. Privacy Shield Framework as detailed in our listing on the Privacy Shield website.


What features within the SmartVault services support compliance with GDPR requirements?

SmartVault provides industry standard security measures such as encryption, multi-factor authentication, access controls, and auditing to support compliance with GDPR rules.

GDPR Requires... / SmartVault Responds...

Right to be Forgotten

GDPR requires: Enables an individual to request the deletion or removal of personal data where there is no compelling reason for its continued processing.

SmartVault responds: Your files stored in SmartVault are easily searchable, and based on the user’s permission level in SmartVault, can be deleted.

Right of Access

GDPR requires: Individuals will have the right to obtain access to their personal data, so that they are aware of and can verify the lawfulness of the processing. Information must be provided within 30 days of request, free of charge.

SmartVault responds: When you use SmartVault as your single repository for all documents in your business, you can quickly respond to requests for data access. Instead of combing through network drives, memory sticks, local PCs, emails, paper files, etc., easily and quickly provide access to secure vaults that contain client information upon request.

Right to Data Portability

GDPR requires: Individuals can move, copy or transfer personal data easily and securely from one IT environment to another.

SmartVault responds: SmartVault does not bear ownership of our customers’ documents. Based on user permissions, entire folders as well as individual documents can be removed from the SmartVault platform.

Data Integrity & Secure Transmission of Data

GDPR requires: Data must be confidentially and securely processed by your data system. Only authorized individuals should have access to the data consented to.

SmartVault responds: All interactions with SmartVault occur over an encrypted channel. We employ SSL to protect your documents, passwords, and interactions with SmartVault from eavesdropping. SmartVault encrypts your documents and all information stored in our databases at rest. The data is encrypted using AES-256. More details can be found in our Security Overview.

Use the principle of least privilege when setting up users in your SmartVault account. User permissions allow you to select which vaults and folders each employee and client has access to.

Full Document & Workflow Audit

GDPR requires: Fully document how data is processed and transferred and for what reasons you have to do so. Document who has access to the data at each stage of processing and transfer.

SmartVault responds: SmartVault is designed to allow access to documents via authenticated logins. In other words, documents stored in SmartVault are only accessible if you log into the service or share the documents with another individual that must log into the service.

SmartVault employs an Activity Log that you can use to review:

- Who has been granted permissions to access documents

- Who has actually accessed documents and what action was performed (uploaded, downloaded, deleted, or changed the properties of any document)

In Summary

GDPR wants you to think about privacy and data protection from the beginning, not as a bolted-on afterthought. Documenting your workflows is the first step toward building privacy into your everyday business operations. Choose technology that supports streamlined, secure workflows for your business, and create internal controls and processes to maintain the utmost security posture. This is commonly known as Privacy by Design, and includes:

  • Limit Data: Only collect what is necessary.
  • Limit Processing: Only process data for the purpose that it was collected for.
  • Limit Access: Only authorized individuals should be able to access data.
  • Impact Assessment: Conduct assessments for personal data that is high risk to individuals.
  • Keep Reviewing: Keep checking the confidentiality, availability & resilience of your systems.
  • Record Keeping: Note processing, data categories, erasure time, and storage locations.

About SmartVault

SmartVault adds value to your workflow by giving you the ability to store all of your files securely online, access documents when you need them, and safely share files with the right people. It’s easy for you to use with features specifically designed to automate workflow and meet compliance mandates. Learn more in our Security Overview.