General Data Protection Regulation (GDPR) FAQ
Introduction
The EU General Data Protection Regulation (GDPR) replaced the Data Protection Directive 95/46/EC with effect from 25th May 2018. It is designed to unify data privacy laws across Europe, to protect EU citizens data privacy and to reshape the way organisations across the region approach data privacy.
What is Talis doing about GDPR?
Talis has a project in place to ensure we are compliant with GDPR. This project includes changes to documentation, contracts, policies, our products and internal staff training.
We will keep you updated via the table below that details our progress:
| Task | Status |
| Apply for and complete Cyber Essentials certification, as a precursor to GDPR compliance and internal policies | Complete |
| Commission an external audit with an appropriate consultancy company on the action needed to become GDPR compliant | Complete |
| GDPR becomes a permanent topic on monthly board meetings and management team reviews | Complete |
| Document all user data flows, ensure these are compliant with the principles laid down by GDPR | Complete |
| Rewrite our privacy policy, make any changes required to customer contracts | Complete |
| Audit all of our 3rd party systems and suppliers to make sure they are GDPR compliant, where applicable | Complete |
| Retrain all staff with regard to GDPR awareness and compliance | Complete |
| Implement any necessary changes to product functionality | In progress |
| Announce the mechanism by which Talis will provide to help customers comply with requests to comply with rights for individuals | Complete, see below |
How does Talis process our users’ personal data?
We have prepared this document detailing how Talis processes your users’ data
Where does Talis store data?
Our data centres are within the EU, and our principal storage of personal data occurs within the EU. However, some auxiliary data, which is now considered personal data under the GDPR (for example, IP address or other opaque user identifiers) is shared with 3rd parties we engage who may operate data centres outside of the EU.
Talis undertakes to ensure all its suppliers comply with GDPR.
What security measures does Talis take to protect data?
Talis take a number of security measures to protect data:
- Talis is accredited via the Cyber Essentials scheme
- Our products are delivered to users via HTTPS
- Our data centres are CAS, ISO9001, ISO27001, ISO27018 and SOC1 through 3 compliant
- Server access is secured by encrypted keys, 2FA and hardened firewall
- Regular black box and white box security audits performed by an independent 3rd party
- Employees’ laptops are hardened and disk encrypted where required, we periodically re-audit these arrangements to make sure they remain in place, and offer appropriate training to new starters.
What does this mean for non-EU customers?
Whilst non-EU customers and users are not directly affected by GDPR, the requirements and obligations on Talis affect the processing of all personal data since all processing takes place within the EU. In general terms GDPR only enhances the security and privacy of personal data for non-EU users.
Talis operates to ensure compliance with its privacy and personal data obligations in all relevant territories and will continue to do so.
How do I notify Talis if I receive a request from a data subject?
If you require help complying with a request from a data subject in relation to our products and the rights granted under the GDPR (the right to be informed, right of access, right to rectification, erasure, restricted processing, data portability or to object or in relation to automated decision making and profiling) then please forward details of the request to data.protection@talis.com.
Any other questions?
If you have a question about GDPR, ask us by emailing data.protection@talis.com.
