What is GDPR?

The General Data Protection Regulation (GDPR) is a regulation in EU law on data protection and privacy for all individuals within the European Union (EU) and the European Economic Area (EEA) to give users more control over their personal data.

SummitAI Application is Now GDPR-Compliant

The SummitAI application complies to GDPR rules. Under GDPR regulations, the users need to provide their consent to allow other users to view their personal data. After the user acceptance, the personal data will be stored in the SummitAI application in an encrypted form. The following fields are considered as personal data, encrypted, and stored: Joining Date, E-mail ID, Login ID, Country, Address, Contact Number, Mobile Number, State, City, Pin, and Role. If any of these fields are blank, data for the blank fields will not be encrypted and stored.

Note:

GDPR is not enabled on the SummitAI Application by default. The organizations need to contact the SummitAI Support team to enable GDPR on their instance of Application. For more information about enabling/dsiabling GDPR, impact of enabling/disabling GDPR on users and Application, and limitations, see Enabling GDPR and Disabling GDPR.
GDPR is not implemented for a SaaS (Software as a Service) Database model.

GDPR Configuration

A new GDPR CONFIGURATION page (Admin > Advanced > GDPR > GDPR Configuration) is added in the SummitAI web application. On the GDPR CONFIGURATION page, the following sections and tabs are added:

GDPR STATUS INFORMATION section

There will be an Application downtime on disabling GDPR. The downtime depends upon the amount of user data in the Application.

LOCATION MAPPING tab

Under the LOCATION MAPPING tab, the Administrators can enable GDPR only for a selected location by specifying the Domain and Location. Location is dependent on the selection of Domain.

The following scenarios describe the Location mapping:

If GDPR is enabled and Location is mapped, then GDPR is enabled for the users of the mapped Location. If the user is not mapped to any location, then GDPR is not applicable.
If no Location is mapped and GDPR is enabled, in such a case, GDPR is enabled for all the users of the Application.
If GDPR is enabled and only one Location is mapped, and then that Location is made inactive, then GDPR is not applicable for users from any Location.

ADMIN MAPPING tab

Under the ADMIN MAPPING tab, the Administrators can be added. The Added Administrators will be notified upon accepting or declining GDPR.

Note

After GDPR is enabled, the Administrators need to configure at least one user as an Administrator under the ADMIN MAPPING tab.

MESSAGES tab

Under the MESSAGES tab, the Administrators can select any pop-up message (GDPR Acceptance, GDPR Re-acceptance, Enabling/Disabling GDPR) related to GDPR and edit the Title and content of the selected Message.

Note:

While editing the message displayed on the GDPR Re-acceptance pop-up window, if you remove the ##DeclinedOn## keyword, the last date and time when GDPR was declined, is not displayed.

Figure: GDPR CONFIGURATION Page

For more information about configuring GDPR, see Configuring GDPR.

Enabling GDPR

To enable GDPR, please contact the SummitAI Support Team.

Impact of Enabling GDPR

Impact to Users

If GDPR is enabled, the users will receive a GDPR Consent Form to accept or decline to display their personal data in the Application. If they accept, the user personal data is encrypted and stored in the SummitAI database, and the users can continue to use the Application. If the users decline to display their personal data, their personal data is wiped out from the Application and they can no longer use the Application. They can try to access the Application again, however, they must accept the GDPR Consent Form to use the Application.

Note:

When the user clicks DECLINE, apart from the configured details, all other user information is cleared from the SummitAI Database using the following key: GDPR_RetainColumns

When the user tries to log into the SummitAI application after declining the GDPR CONSENT FORM, a message informing that the user had previously declined the GDPR CONSENT FORM is displayed on a pop-up window. If the user clicks Yes, the user gets the GDPR CONSENT FORM. If the user clicks No, the user is logged out of the SummitAI application.

When the user accepts the GDPR CONSENT FORM after declining it, the user’s personal data is either updated (encrypted and stored) by the Administrator, or the user’s personal data is synched up and displayed in the next Application refresh cycle.

Impact to Application

By enabling GDPR, the Application takes formal consent from the users about displaying their personal data to the Analysts and Administrators of the Application (or users having access to reports). The personal data is encrypted and stored in the SummitAI database.

Note:

There will be an Application downtime on enabling GDPR. The downtime depends upon the amount of user data in the Application. The users will experience slower Application performance on pages, having user information, after GDPR is enabled.

Disabling GDPR

To disable GDPR, please contact the SummitAI Support Team.

Impact of Disabling GDPR

Impact to Users

If GDPR is disabled, the users will not receive any consent form to accept or decline to display their personal data in the Application.

Impact to Application

The user personal data will still be stored in the Application, but will not be encrypted.

Note:

There will be an Application downtime on disabling GDPR. The downtime depends upon the amount of user data in the Application.

Known Limitations:

After GDPR is enabled, the personal data is stored in the following way:

If GDPR is enabled, the columns that are encrypted (Example: Email ID, Address, etc.) and replicated to DN reporting tables will not contain the actual data. In place of the data the following string will be shown *****.
Any personal data and any report that is using the DN tables will not show the actual data. Instead, the following string is shown *****.
The existing data in the columns that store the personal data will be retained when there is a switch in the status of GDPR. For example, if GDPR is enabled, old records will still have e-mail id in the DN tables in plain text. But, the new records will be stored with the following string *****.

GDPR Status Report

A new GDPR STATUS REPORT page (Reports > Click Select Module drop-down list> Select module as Admin > Select GDPR Status Report from the REPORTS drop-down list) is added. The GDPR Status Report gives detailed information about which users have Accepted GDPR, which users have declined GDPR, which users have accepted GDPR after declining it, and which users have taken no action. On the FILTERS pop-up of the GDPR STATUS REPORT page, the following new fields are added:

GDPR Status
Domain
Location
User Name

Users can select the status type, for which they want to view the GDPR Status Report, from the GDPR Status drop-down list. The users can also select the Domain and Location for which they want to the view the GDPR Status Report. The users can view the GDPR Status Report for a particular user by searching the user’s User Name/E-mail ID in the User Name field.

Figure: GDPR STATUS REPORT