General Data Protection Regulation (GDPR)

We’re committed to partnering with Onit customers and users to help them understand and prepare for the General Data Protection Regulation (GDPR), which replaces the 1995 EU Data Protection Directive. The GDPR is the most comprehensive EU data privacy law in decades, and will go into effect on May 25, 2018. The GDPR strengthens the rights that individuals have regarding personal data relating to them and seeks to unify data protection laws across Europe, regardless of where that data is processed.

You can count on the fact that Onit is committed to GDPR compliance across Onit services. We are also committed to helping our customers with their GDPR compliance journey by providing robust privacy and security protections built into our services and contracts over the years.

On this page, we’ll explain our methods and plans to achieve GDPR compliance, both for ourselves and for our customers.

  1. Preparing for the GDPR
  2. Our Security Infrastructure and Certifications
  3. International Data Transfers: Privacy Shield
  4. What Are Your Responsibilities as a Customer?
  5. Where Should You Start?
  6. Data Portability Solutions and Data Management Tools
  7. Data Protection Team
  8. Incident Notifications
  9. Stay Updated

Preparing for the GDPR

The GDPR’s updated requirements are significant and our global team is working diligently to bring Onit’s product offerings and contractual commitments in line so customers can prepare themselves before May 25, 2018. Measures to achieve this include:

  • Continuing to invest in our security infrastructure
  • Making sure we have the appropriate contractual terms in place
  • Supporting international data transfers by maintaining our Privacy Shield self-certifications, and by executing additional agreements as required
  • Offering new tools for data portability and data management in our products

We’ll also continue to monitor the guidance around GDPR compliance from privacy-related regulatory bodies, and will adjust our plans accordingly if it changes. We’ll provide you with regular updates along the way so that you’re always current.

Our Security Infrastructure and Certifications

Protecting our customers’ information and their users’ privacy is extremely important to us. As a cloud-based company entrusted with some of our customers’ most valuable data, we’ve set high standards for security. Onit maintains SSAE 16 SOC 2 Type 2 and HIPAA Compliance Certifications that are updated annually.

Onit has invested heavily in building a robust security team, one that can handle a variety of issues — everything from threat detection to building new tools. In accordance with GDPR requirements around security incident notifications, Onit will continue to meet its obligations and offer contractual assurances.

If you’d like to learn more about Onit’s security policies and procedures, please see our security page. It provides detailed information on how we approach security.

International Data Transfers: Privacy Shield

To comply with EU data protection laws around international data transfer mechanisms, we self-certify under the EU-U.S. Privacy Shield. This framework was developed to establish a way for companies to comply with data protection requirements when transferring personal data from the European Union to the United States.

What Are Your Responsibilities as a Customer?

Onit customers will typically act as the data controller for any personal data they (or their vendors) provide to Onit in connection with their use of Onit’s services. The data controller determines the purposes and means of processing personal data, while the data processor processes data on behalf of the data controller. Onit is a data processor and processes personal data on behalf of the data controller when the controller is using the Onit Platform or BillingPoint.

Data controllers are responsible for implementing appropriate technical and organizational measures to ensure and demonstrate that any data processing is performed in compliance with the GDPR. Controllers’ obligations relate to principles such as lawfulness, fairness and transparency, purpose limitation, data minimization, and accuracy, as well as fulfilling data subjects’ rights with respect to their data.

If you are a data controller, you may find guidance related to your responsibilities under GDPR by regularly checking the website of your national or lead data protection authority under the GDPR (as applicable), as well as by reviewing publications by data privacy associations such as the International Association of Privacy Professionals (IAPP).

You should also seek independent legal advice relating to your status and obligations under the GDPR, as only a lawyer can provide you with legal advice specifically tailored to your situation. Please bear in mind that nothing on this website is intended to provide you with, or should be used as a substitute for, legal advice.

Where Should You Start?

As a customer of Onit, now is a great time for you to begin preparing for the GDPR. Consider these tips:

  • Familiarize yourself with the provisions of the GDPR, particularly how they may differ from your current data protection obligations.
  • Consider creating an updated inventory of personal data that you handle.
  • Review your current controls, policies, and processes to assess whether they meet the requirements of the GDPR, and build a plan to address any gaps.
  • Monitor updated regulatory guidance as it becomes available, and consult a lawyer to obtain legal advice specifically applicable to your business circumstances.

Data Portability Solutions and Data Management Tools

Customers have requested tools to help them comply with the GDPR. And we’re happy to say that we’ve built those tools.

Data controllers can use the Onit Platform administrative consoles and services functionality to help access, rectify, restrict the processing of, or delete any data that they and their users put into our systems. This functionality will help them fulfill their obligations to respond to requests from data subjects to exercise their rights under the GDPR.

  • Administrators can export customer data, via the functionality of the Onit services, at any time during the term of the agreement. We have included data export commitments in our data processing terms for several years, and we will continue offering those after the GDPR comes into force, and working to enhance the robustness of the data export capabilities of the Onit Platform.
  • Administrators can also delete data, via the functionality of the Onit services, at any time. Once data is deleted, it may be recovered for up to 45 days.

Compliance-related tools include the following:

  • Export tools – businesses and organizations may access and export their Customer Data, including documents and metadata.
  • Onit advanced designer – lets you manage your organization’s settings, including the ability to delete data and other controls; if you do not have access to it, contact your organization’s main administrator.

Data Protection Team

Onit has a team dedicated to data protection, to which data-protection-related enquiries can be directed ([email protected]).

Incident Notifications

Onit has provided contractual commitments around incident notification for many years. We will continue to promptly inform you of incidents involving your data in line with the data incident terms in our current agreements and the updated terms that will apply starting on May 25, 2018, when the GDPR comes into force.

Stay Updated

Fulfilling our privacy and data security commitments is important to us. So we’re glad to help you prepare for all the changes the GDPR brings. This page will be revised to reflect GDPR-related information as it becomes available. If you have any questions about how Onit can help you with compliance, we hope you’ll reach out to us.