General Data Protection Regulation (GDPR)
The European General Data Protection Regulation (GDPR) is not something that customers based in Europe can ignore. With Dance Studio Manager (DSM), we have taken additional steps to make sure that we are in compliance with the regulation, and to make sure our customers can do the same. It is important to recognize that even if you are not based in the EU, if you are storing data in your DSM about an EU resident, you could still be held liable, so let's take a look at a few important points.
Personally Identifiable Information (PII)
As a customer of DSM who is paying the monthly subscription fee and/or administering your studio with our software, you are considered a "Data Controller" as defined by the GDPR. This means you are obligated to remove personally identifiable information from your DSM upon request, unless you have a legal reason not to do so. For example, there may be a pending legal matter involving the client in question. In such cases you should consult with your attorney.
If you receive a request for removal of personal data from an EU resident, log in to your DSM, locate their account, and then edit the PII: their name, email, phone number, street address, and any other information that might allow this person to be identified. It is acceptable to overwrite these fields with placeholder values rather than deleting the whole record, since you may need the associated financial data to remain so that you can still balance your books. Note that the record only counts as anonymized if nothing left in it (including notes and attendance history) can still identify the person.
Data Retention Policy
In order to maintain the integrity of our data and our infrastructure, we keep multiple copies of data for more than one month at a separate data center. In the event of a natural disaster in which the data center that serves DSM to the internet were completely destroyed, we maintain multiple complete backups of the data so that we could fully restore data and services to all DSM customers quickly. However, these backups are retained only for a limited time, in keeping with the GDPR's storage-limitation principle.
Additionally, we store the IP addresses of everyone who logs into DSM in security log files, which can be used for security analysis in the event of a security incident or data breach. Because IP addresses are themselves personal data under the GDPR, we do not keep this data for an extended period of time; it is automatically removed at regular intervals.
We have conducted meetings with all of our employees to make sure that they operate their computers with the utmost attention to security, including running up-to-date antivirus software, connecting to services securely, storing passwords properly, and of course not storing data locally beyond the constraints set by the GDPR.
Data Breach Notification
As a Data Controller, you must also audit your own business and make sure you are not storing personal information on your own computers unnecessarily. You should also follow the "best practices" for maintaining any computers that access DSM data. Please remember that DSM offers the facility to download a database backup; if you are storing that on your PC, consider transferring it to removable media, such as a zip drive, that is not connected to the internet, and keep in mind that the backup contains the same personal data as your live account and should be protected (for example, encrypted) accordingly. If you suspect a data breach of any kind, please notify us immediately. If you need help securing your DSM, such as changing passwords, we are always happy to assist.
Since we started DSM in 2005, we are not aware of a single data breach. We have excellent support from the data centers at which we host DSM, and they have personnel working 24 hours per day, 365 days per year monitoring their infrastructure and assisting in any incidents. Should we ever become aware of a data breach we will notify you quickly, and in the event customer data was compromised, you as a Data Controller would be responsible for helping to notify the affected individuals. Be aware that the GDPR also requires a Data Controller to report a qualifying breach to the relevant supervisory authority, where feasible within 72 hours of becoming aware of it, so it is worth knowing in advance who in your studio would handle that.
Storage of Credit Card Data
We do not store any credit card or banking data on our servers. Our merchant service providers store this information, and you can check with them directly regarding such questions.
While the GDPR can seem a little daunting at first, it is in the spirit of making sure everyone does their part in keeping customer data secure, as well as allowing people the right to request that others stop using their personal data. We want to do all we can to support security and privacy, and we appreciate that our customers (AKA Data Controllers in GDPR terms) are thoughtful about the role they play as well. Thank you for your participation and support!