GDPR Compliance

Introduction

The GDPR (General Data Protection Regulation) is a comprehensive data protection law that came into effect on May 25, 2018. It replaced existing EU law to strengthen the protection of “personal data” and the rights of the individual. It’s a single set of rules which governs the processing and monitoring of EU data.

Verb understands this regulation to be the EU’s attempt to provide better protection for EU citizens and to allow EU citizens more control over their personal information, while providing businesses a clearer environment within which to operate. This regulation affects the collection of personal data of an EU citizen who is residing in the EU. Organizations that own or manage personal data of EU citizens residing in the EU are defined by the GDPR as the Data Controllers. Vendors that the Data Controllers utilize to process or store data are generally defined as Data Processors.

Under the GDPR, Data Controllers are responsible for, and must be able to demonstrate compliance with, the principles relating to the processing of personal data. Data Processors are responsible for implementing technical and organizational measures that allow Data Controllers to comply with the regulation.

Verb is an online learning and development platform, and the GDPR applies to Verb as a Data Processor.

How Verb complies

The Verb team has put in place processes and data models that ensure legal obligations are met. These include:

Verb Platform

  1. Access: EU respondents can receive copies of their digital records when requested as well as a description of where they are stored, what they are being used for, and the opportunity to correct them. Users can access this on the Edit Profile page.
  2. Consent: EU respondents consent to the storage and use of their data. This means an explanation of usage is presented and an active action by the respondent must be taken. Users provide consent during the Verb sign up process.
  3. Data Portability: EU respondents can request the transmission of their data to another controller in a commonly used digital format. Users can request access to their data on the Edit Profile page and can transmit as needed.
  4. Right to be Forgotten: EU respondents can require that their personal data be deleted and not shared. Users can request access to their data on the Edit Profile page.

Processes

  1. Breach Notification: All customers (including EU citizens residing in the EU and EU authorities) will be notified within 72 hours of discovering a security breach impacting the personal data of such individuals.
  2. Secure and Private by Design: Security and privacy are priorities for Verb. We have data privacy controls and security built into products and systems to accommodate such measures.
  3. Data Protection Officers (DPO): Verb has appointed a DPO to oversee and advise the management of data. This individual is responsible for ensuring internal data protection policies are updated, staff training is conducted, and processing activities are documented.
  4. Sub-processors: Verb has confirmed that all sub-processors of data comply with GDPR. A list of sub-processors is available upon request.
  5. International data transfers: The EU-US Privacy Shield is a framework negotiated and agreed by the European Commission and U.S. Department of Commerce as a lawful way of transferring personal data. Verb is in the process of an E.U.-U.S. Privacy Shield certification.

More information about data

What data is stored

Verb stores only necessary information to allow users to have an account and to personalize the learning experience. Users have full access to keep their details accurate and up to date, ensuring that you meet your legal obligations as an employer and the Data Controller.

How data is stored

Verb stores all user data securely and follows industry best practices to ensure that data is protected. Verb encrypts all data in transit and all processes are designed to provide the utmost security. Traffic between the Verb application layer, the API layer, and the data layer is encrypted using SSL/TLS.

Who has access to the data

Verb follows the principle of least privilege. Users, including Verb employees, are only granted the necessary access to perform their functions. New users are created upon signup and can delete or modify their accounts.

Access to Verb’s core infrastructure and databases is restricted to a subset of the engineering team. All access requires two-factor authentication.
