Spica’s Security Procedures, User Privacy, and Data Protection
Today marks the 20th edition of the Safer Internet Day: ‘Together for a better Internet’ campaign. This day highlights the importance of ensuring the Internet is a safe space for everyone. As part of #SID2023, we share some important definitions, Spica’s Safety Procedures, User Privacy, and Data Protection.
At Spica, we are committed to the General Data Protection Regulation (GDPR), the Privacy and Electronic Communications Regulations (PECR), and transparency in our marketing, products, and general business operations. We are ISO 27001 certified, meaning we have a robust Information Security Management System (ISMS) in place that is regularly audited and held to an international standard. We are clear about why, how, and where we put our marketing messages and always provide the information needed to opt out or unsubscribe. We have several controls in the way we operate and always review any changes and additions to our products against Information Security risks.
What is GDPR?
GDPR is a set of rules that regulate how personal data from individuals living outside of the European Union (EU) should be collected, stored, and used. These regulations exist to ensure that all personal data are handled with transparency and confidentiality (ICO, 2023).
What is PECR?
PECR is a set of rules that cover all electronic communications including marketing (calls, text messages, and emails), cookies (and similar technologies), and customer privacy (traffic, location data, itemised billing, line identification, and directory listings) (ICO, 2023).
What is Information Security?
Information security is the process of safeguarding an organisation’s data against unauthorised access while maintaining its confidentiality and integrity. Confidentiality ensures that access to data and information is restricted to those who have been granted it, whereas integrity requires that all data are complete and accurate (Imperva, 2022).
Did you know that we are regularly audited to ensure we are following our Information Security controls? Last year, we introduced a new module around Visitor Management. We conducted an internal review with our Data Privacy Officer and Legal Counsel to ensure the type, format, and quantity of data captured was appropriate. This helped us balance the business need for security against the visitor’s need for privacy. Additionally, we considered how to store the data securely so that we can support common GDPR processes such as the right to be forgotten.
Here at Spica, transparency is key.
In research conducted by Statista on the main concerns about protecting personal information, 21% of individuals answered that they are worried about their data being shared or passed on to third parties, or sold to others, while 16% of individuals were worried about becoming a victim of fraud or scams.
User Privacy and Data Protection are important focuses for us in how we build and deliver our products. Users choose whether they want to share key information with us, such as their location. We therefore build the necessary trust in our products by asking only for essential information. That information is used to drive targeted and helpful features and, as a result, to offer more business value for our clients. For instance, location can detect whether someone is in a meeting room, and if they haven’t booked it beforehand, we can book it for them.
We are aware of industry testimonials where employees felt subject to a ‘big brother’ culture. According to the Guardian, employees of The Daily Telegraph felt they were under surveillance and requested that any monitoring devices installed be withdrawn. At Spica, we counteract such fears from the beginning by communicating and engaging with the employees who are using the app.
Below are some of the most common ways we protect our data:
- User control
Even though we provide a few location-based services, we do not allow individuals to be tracked as they move around the building. We map out dark rooms such as bathrooms, and we make it simple for users to choose when, how, and with whom they share their location, and to revoke that access easily where needed.
- Data Anonymisation
Through our GemEx platform, we offer data analytics such as meeting rooms or desks booked in a day. These data are offered in the context of the digital twin and taxonomy. You can report by department and location, but not individually. This way, we can maintain the continuity of data while supporting the right to be forgotten.
- Principle of Least Privilege
We only provide access to data when needed, and regularly review who has this access.
- Database & Platform Security
We engage an independent company to penetration test our software annually to ensure data can’t be accidentally or maliciously intercepted.
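One way to make “report by department and location, but not individually” concrete, as an added example that is not Spica’s or GemEx’s own code: it aggregates constructed booking rows, suppresses groups below an assumed minimum size, and shows that erasing a user’s identifier (right to be forgotten) leaves the aggregate report unchanged. The Booking fields, the group threshold and the sample rows are assumptions.

```python
from collections import Counter
from dataclasses import dataclass, replace
from typing import Dict, Iterable, List, Optional, Tuple

# Constructed sample bookings (not real Spica data): one row per desk/room booking.
@dataclass(frozen=True)
class Booking:
    user_id: Optional[str]   # pseudonymous id; None once the user has been "forgotten"
    department: str
    location: str            # e.g. a building/floor node from the digital twin
    resource: str            # "desk" or "room"
    day: str

SAMPLE: List[Booking] = [
    Booking("u1", "Finance", "HQ-3F", "desk", "2023-02-07"),
    Booking("u2", "Finance", "HQ-3F", "desk", "2023-02-07"),
    Booking("u3", "Finance", "HQ-3F", "desk", "2023-02-07"),
    Booking("u4", "Engineering", "HQ-3F", "desk", "2023-02-07"),
    Booking("u5", "Engineering", "HQ-3F", "desk", "2023-02-07"),
    Booking("u6", "Engineering", "HQ-3F", "desk", "2023-02-07"),
    Booking("u7", "Legal", "HQ-2F", "room", "2023-02-07"),  # group of one: suppressed
]

Key = Tuple[str, str, str, str]

def aggregate(records: Iterable[Booking], min_group: int = 3) -> Dict[Key, Optional[int]]:
    """Count bookings per (day, department, location, resource).

    Groups smaller than `min_group` are suppressed (reported as None) so the
    report can never single out one person. The threshold is an assumed
    policy value, not one the page states.
    """
    counts = Counter((b.day, b.department, b.location, b.resource) for b in records)
    return {key: (n if n >= min_group else None) for key, n in counts.items()}

def forget_user(records: Iterable[Booking], user_id: str) -> List[Booking]:
    """Right to be forgotten: strip the identifier but keep the booking's
    contribution to the aggregates, so historic reports stay continuous."""
    return [replace(b, user_id=None) if b.user_id == user_id else b for b in records]

def can_identify(records: Iterable[Booking], user_id: str) -> bool:
    """True if any retained row still carries this user's identifier."""
    return any(b.user_id == user_id for b in records)
```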