The General Data Protection Regulation (GDPR) is a regulation in EU law on data protection and privacy for all individuals within the European Union (EU) and the European Economic Area (EEA) to give users more control over their personal data.

The SummitAI application complies to GDPR rules. Under GDPR regulations, the users need to provide their consent to allow other users to view their personal data. After the user acceptance, the personal data will be stored in the SummitAI application in an encrypted form. The following fields are considered as personal data, encrypted, and stored: Joining Date, E-mail ID, Login ID, Country, Address, Contact Number, Mobile Number, State, City, Pin, and Role. If any of these fields are blank, data for the blank fields will not be encrypted and stored.

Note:

GDPR is not enabled on the SummitAI Application by default. The organizations need to contact the SummitAI Support team to enable GDPR on their instance of Application. For more information about enabling/dsiabling GDPR, impact of enabling/disabling GDPR on users and Application, and limitations, see Enabling GDPR and Disabling GDPR.
GDPR is supported only for an individual application connecting to a single Database model. It is not supported for an MSP scenario, where multi-Tenancy is setup to store each Tenant information stored in a different DB.

Example:
ACME is an MSP providing IT services to APEX and CREST in a multi-tenant configuration. To maintain data isolation, information about each of these Tenant is stored in a separate DB connecting to a single application. In this model, GDPR feature cannot be enabled.

A new GDPR CONFIGURATION page (Admin > Advanced > GDPR > GDPR Configuration) is added in the SummitAI web application. On the GDPR CONFIGURATION page, the following sections and tabs are added:

There will be an Application downtime on disabling GDPR. The downtime depends upon the amount of user data in the Application.

Under the LOCATION MAPPING tab, the Administrators can enable GDPR only for a selected location by specifying the Domain and Location. Location is dependent on the selection of Domain.

The following scenarios describe the Location mapping:

If GDPR is enabled and Location is mapped, then GDPR is enabled for the users of the mapped Location. If the user is not mapped to any location, then GDPR is not applicable.
If no Location is mapped and GDPR is enabled, then GDPR is enabled for all the users of the Application.
If GDPR is enabled and only one Location is mapped, and then that Location is made inactive, then GDPR is not applicable for users from any Location.

Under the ADMIN MAPPING tab, the Administrators can be added. The Added Administrators will be notified upon accepting or declining GDPR.

Note:

After GDPR is enabled, it it required to configure at least one user as an Administrator under the ADMIN MAPPING tab.

Under the MESSAGES tab, the Administrators can select any pop-up message (GDPR Acceptance, GDPR Re-acceptance, Enabling/Disabling GDPR) related to GDPR and edit the Title and content of the selected Message.

Note:

While editing the message displayed on the GDPR Re-acceptance pop-up window, if you remove the ##DeclinedOn## keyword, the last date and time when GDPR was declined, is not displayed.

Figure: GDPR CONFIGURATION Page

For more information about configuring GDPR, see Configuring GDPR.

To enable GDPR, please contact the SummitAI Support Team.

Figure: GDPR End User Flow

Following are the steps to accept or decline the GDPR CONSENT FORM:

After user Sign-in in web application, if GDPR is enabled, you are redirected to the GDPR CONSENT FORM. Accepting this consent by clicking the ACCEPT button is considered that you are agreeing to display your personal data to the Analysts and Administrators of the SummitAI application.

Figure: GDPR CONSENT FORM
The following pop-up window with a confirmation message is displayed, when you click ACCEPT button.
Figure: GDPR CONSENT FORM - ACCEPT pop-up window
If you click OK on the GDPR Consent Form - ACCEPT pop-up window, you are redirected to the home page of the SummitAI application. Below mail will be sent to user. If you click Cancel, the control remains in the GDPR CONSENT FORM screen.
If you click DECLINE on the GDPR CONSENT FORM, your personal data will be wiped out from the SummitAI database records. The following pop-up window with a confirmation message is displayed, when you click DECLINE.

Figure: GDPR Consent Form - DECLINE pop-up window
If you click OK, on the GDPR Consent Form - DECLINE pop-window, you will not be able to use the SummitAI application anymore. The next time you try to use the Application, you will receive the GDPR Consent Form pop-up again. Click ACCEPT to allow displaying of your personal data and continue to use the Application. Below mail will be sent to user and administrator.
If the user tries to log in to the SummitAI application after declining the GDPR CONSENT FORM, the pop-up window given below is displayed.

Figure: GDPR Consent Form Declined - Accept Now?
If you click OK on the GDPR Consent Form Declined - Accept Now? pop-up window, you will be redirected to the GDPR CONSENT FORM. If you click Cancel, you will be logged out of the SummitAI application. The below mail will be sent to user.

If GDPR is enabled, the users will receive a GDPR Consent Form to accept or decline to display their personal data in the Application. If they accept, the user personal data is encrypted and stored in the SummitAI database, and the users can continue to use the Application. If the users decline to display their personal data, their personal data is wiped out from the Application and they can no longer use the Application. They can try to access the Application again, however, they must accept the GDPR Consent Form to use the Application.

Note:

When the user clicks DECLINE, apart from the configured details, all other user information is cleared from the SummitAI Database using the following key: "GDPR_RetainColumns".

By using the above key the required column inputs can be retained.

By default, the columns frm_UID and NT_UID are retained. In case more columns required to be retained, please contact the SummitAI Implementation Team.

When the user tries to log into the SummitAI application after declining the GDPR CONSENT FORM, a message informing that the user had previously declined the GDPR CONSENT FORM is displayed on a pop-up window. If the user clicks Yes, the user gets the GDPR CONSENT FORM. If the user clicks No, the user is logged out of the SummitAI application.

When the user accepts the GDPR CONSENT FORM after declining it, the user’s personal data is either updated (encrypted and stored) by the Administrator, or the user’s personal data is synched up and displayed in the next Application refresh cycle.

By enabling GDPR, the Application takes formal consent from the users about displaying their personal data to the Analysts and Administrators of the Application (or users having access to reports). The personal data is encrypted and stored in the SummitAI database.

Note:

There will be an Application downtime on enabling GDPR. The downtime depends upon the amount of user data in the Application. The users will experience slower Application performance on pages, having user information, after GDPR is enabled.

If the user logs in from Mobile Application, and the user hasn’t accepted the GDPR Policy in Web, then the below message is reflected on the mobile app:

"Please click Accept in the GDPR Consent Form in the SUMMIT web application to continue to use the SUMMIT Mobile app."

To disable GDPR, please contact the SummitAI Support Team.

If GDPR is disabled, the users will not receive any consent form to accept or decline to display their personal data in the Application.

The user personal data will still be stored in the Application, but will not be encrypted.

Note:

There will be an Application downtime on disabling GDPR. The downtime depends upon the amount of user data in the Application.

After GDPR is enabled, the personal data is stored in the following way:

If GDPR is enabled, the columns that are encrypted (Example: Email ID, Address, etc.) and replicated to DN reporting tables will not contain the actual data. In place of the data the following string will be shown *****.
Any personal data and any report that is using the DN tables will not show the actual data. Instead, the following string is shown *****.
The existing data in the columns that store the personal data will be retained when there is a switch in the status of GDPR. For example, if GDPR is enabled, old records will still have e-mail id in the DN tables in plain text. But, the new records will be stored with the following string *****.

A new GDPR STATUS REPORT page (Reports > Click Select Module drop-down list> Select module as Admin > Select GDPR Status Report from the REPORTS drop-down list) is added. The GDPR Status Report gives detailed information about which users have Accepted GDPR, which users have declined GDPR, which users have accepted GDPR after declining it, and which users have taken no action. On the FILTERS pop-up of the GDPR STATUS REPORT page, the following new fields are added:

GDPR Status
Domain
Location
User Name

Users can select the status type, for which they want to view the GDPR Status Report, from the GDPR Status drop-down list. The users can also select the Domain and Location for which they want to the view the GDPR Status Report. The users can view the GDPR Status Report for a particular user by searching the user’s User Name/E-mail ID in the User Name field.

Figure: GDPR STATUS REPORT

What is GDPR?

SummitAI Application is GDPR-Compliant

GDPR Configuration

GDPR STATUS INFORMATION section

LOCATION MAPPING tab

ADMIN MAPPING tab

MESSAGES tab

Enabling GDPR

GDPR End User Flow

Impact of Enabling GDPR

Impact to Users

Impact to Application

Mobile Application

Disabling GDPR

Impact of Disabling GDPR

Impact to Users

Impact to Application

Known Limitations:

GDPR Status Report