KORE Software & GDPR

KORE Software's General Data Protection Regulation Program


This page contains the latest information related to KORE Software and the EU General Data Protection Regulation. The new regulations affect businesses of all sizes and KORE is committed to ensuring our customers have the right information and tools to protect their customers' data.


General Data Protection Regulation

Overview

The EU's General Data Protection Regulation is a replacement for the 1995 Data Protection Directive and applies to all EU citizens. It is focused on

The regulations take effect on May 25th, 2018 and expand on the Data Protection Directive from 1995.

The full GDPR text can be found here

Right to be Forgotten and Data Portability

Right to be Forgotten and Right to Data Portability allow data subjects to:

  • Have their personal data removed from a controller and any downstream systems
  • Demand a copy of their personal data in a common format
These rights make it easier for users to demand that they be completely removed from a system. As a controller, these requests will be made to you and you will be required to notify all downstream systems, including KORE.

To notify KORE of a data request, you should reach out to your Customer Success representative to facilitate the data removal or transfer. KORE will not notify systems that are downstream of KORE (e.g. Data Integrations). The controller is required to notify these systems.


Access

The GDPR builds on previously existing data access rights. Data subjects are still able to request access to their data; however, organizations can no longer charge for processing an access request unless a required, excessive cost can be demonstrated. Access requests must now be processed within 30 days and can only be refused if the organization has clear refusal policies and can demonstrate why the request meets those policies.


Consent

While consent of data subjects is already required, the GDPR increases the standards for disclosure when obtaining consent to process or store personal information. The GDPR states that controllers must use "clear and plain" legal language that is "clearly distinguishable from other matters". It also states that any consent must be "freely given, specific, informed and unambiguous". This closes the door for "opt-out" systems or inferred consent.

KORE's products are not end-user facing and do not allow users to input their information directly. However, as a controller, you will need to put processes in place to prevent unauthorized data from being entered into your KORE system. Under the GDPR, it is essential to make it clear to your users that they are opting in to sharing their data.

Expansion of Scope

The GDPR expands the scope of the 1995 EU Data Protection Directive significantly. Under the GDPR, non-EU businesses that store EU data subject records are included in all requirements and restrictions. This removes any previously existing geographical limitations of scope.


Penalties

The penalties outlined in the GDPR are dependent on the type of violation in question and can apply to both controllers and processors who mishandle personal data or violate the rights of data subjects. The fines can be the greater of up to 20 million Euros or 4% of the organization's global annual revenue.


GDPR and KORE Software

As a customer using KORE's Software-as-a-Service products, it is likely that you have data that will fall under the GDPR. KORE is able to offer assistance in understanding the data you have stored, but it is essential that you do an evaluation of any personally identifiable information in your system.

As May 25th, 2018 approaches, KORE Software is actively working on our GDPR compliance efforts. We are closely monitoring legal discussions, new requirements and new restrictions and will develop the necessary systems to handle personal data in a compliant way. This page will be updated as KORE's program and GDPR requirements come into effect.


CRM Systems

CRM systems, including Microsoft Dynamics, Salesforce or SAP Cloud for Customer, are not part of KORE's product lines. However, KORE ProSports does synchronize data with CRM systems and data that is removed from CRM systems will be removed from KORE ProSports.

It is recommended that you review your CRM agreements for GDPR compliance:


Data Integrations

KORE enables and manages many integrations with 3rd party data sources. Most of these involve importing data into KORE's systems. While KORE can assist Controllers with understanding the data in their KORE system, KORE cannot control the data in 3rd party systems. In order to prevent specific user data from existing in your KORE system, you will need to both remove the data from KORE and from the source system to prevent it being re-imported by an integration.


KORE Data Warehouse and Analytics

For KORE DWA customers, it is essential to understand the various data sources that are aggregated into your data warehouse and which source contains personal data. KORE will work with you to handle any data requests but cannot control the data in 3rd party systems.


Key Terminology

All official terminology can be found in Article 4 of the GDPR. Summarized here are key terms in plain text that are essential for understanding how KORE and KORE's clients are working with the GDPR.

Personal Data

Any data that can identify an individual data subject including name, address, IP address, health information and other data points.

Data Subject

A person who is within the borders of the EU at the time of processing their personal data or resides in the EU. The GDPR explicitly avoids the term "citizen" or "resident" and uses "data subjects" and "natural persons".

At the time of this article being written, there is ongoing debate about who exactly the GDPR applies to. To cover all bases, it can be assumed that it covers:
  • Any citizen of the EU
  • Any resident of the EU
  • Anyone currently in the EU

Processor

An organization that assists a controller by processing data as instructed by the controller. The processor does not make decisions around how the data is used. When using KORE's Software-as-a-Service products, KORE Software is a Processor. KORE does not control how your data is collected or used. KORE does process the data on your behalf.

Controller

An organization that stores people's personal data and determines how that data is used. When using KORE's Software-as-a-Service products, your organization is the controller as the data belongs to your organization.

Frequently Asked Questions


No. There is no requirement in the GDPR for data to be stored within the EU and there are no changes to the rules around transfer of personal data outside the EU. The goal of the GDPR is to ensure that personal data is "adequately protected". If data is, it can be transferred outside of the EU.

As a processor, KORE has systems in place to protect all data stored within KORE's eco-system. In cases where data leaves KORE's eco-system (data extracts, outgoing integrations), KORE cannot assure the protection of data.

No. Double opt-in is a requirement that has people confirm their e-mail address after their initial sign-up. This is not required under the GDPR.

The UK currently has a bill that is under draft in the UK Parliament called the Data Protection Act and is in line with the GDPR. It is expected that this act will be in effect prior to the Brexit deadline of March 2019.

It is recommended that UK-based businesses make efforts to be compliant with the DPA in the same way they would to be compliant with the GDPR. The act is still a draft, so there may be changes as it is revised; we recommend monitoring any developments in the UK Parliament.

  • The full GDPR text can be found here

  • The EU has an independent data protection authority known as the "European Data Protection Supervisor". More information can be found here

Disclaimer: This website provides information about GDPR but is not legal advice for your company to use in complying with EU data privacy laws. This is background information on how KORE is addressing some privacy concerns brought up by GDPR. For official legal advice, KORE Software recommends you consult a data privacy attorney.