GDPR – Our responsibilities and commitments at Mentorloop

pexels-petar-starčević-2587789
On this Page

Mentorloop supports and encourages employees’ success through mentoring relationships, and is committed to every user’s information rights and privacy. Back in April 2018, we made a promise to update our processes and policies in order to meet the requirements of new European legislation relating to these rights: the General Data Protection Regulation 2018. This article explains how Mentorloop has responded to the GDPR and the measures we take to be compliant.

To fulfill our commitment to understanding and implementing the guidelines, we commissioned an independent review of our practices and processes, which was carried out in conjunction with our IT department. In the spirit of ongoing transparency, we wanted to share with you our responses to thirteen of the most common questions we are asked.

FAQs regarding GDPR and Mentorloop

1. Why does the GDPR apply to Mentorloop?


As we expand our solution to facilitate mentoring relationships across the globe, it’s our responsibility to comply with the GDPR; regardless of whether the data is actually processed in the EU. Instead of having separate policies, we have chosen to make GDPR the baseline for all of our data policies, no matter what country our mentors and mentees are in.

2. If you’re an Australian entity, where is the data you collect on users stored?


When it comes to storing the personal data of EU data subjects, we have chosen a solution that is certified by the European commission as being adequate in order to comply with GDPR. Put simply, this means that we use an Amazon Web Services data center based in the UK.

3. Do you follow GDPR or the Australian Privacy Principles?


The short answer is: both.

We’ve always been committed to The Privacy Act (Australia) in how we handle, use and manage personal information. GDPR includes some similar requirements. Both laws aim to foster transparent information handling practices and business accountability, to give individuals confidence that their privacy is being protected. 

Other similarities include the requirement for businesses to implement measures that ensure compliance with a set of privacy principles and to take a privacy-by-design approach to compliance.

4. What tools and technologies do you use to process the data that you collect?


Mentorloop is a proprietary built platform and is used to collect and process the data we collect from users of the app.

In order to use the app to create, and benefit from, a mentoring relationship, we need to collect personal information including through ‘contact us’ forms, resource downloads, email sign-ups, the Mentorloop app signup form, and information about the person when they become a user.

Full details can be found in our Privacy Policy.

5. How does Mentorloop protect the personal data collected on the platform?


We have adopted a ‘protection by design approach’ and as such, put in place physical, technical, and organisational procedures and techniques to safeguard users’ information. These safeguards include measures such as two-factor authentication, logical segregation of data, and encryption of databases. We also ensure that only the data necessary for the specific purposes of delivering mentoring programs is processed, used, and stored.

We also carry out monthly internal reviews of our systems and processes to make sure that we are continuing to adhere to the guidelines of the GDPR. An independent third party undertakes regular penetration testing of all of our systems. And finally, we’ve extended support in the form of help for admin users of the platform – those who manage mentoring programs from within their organisations – to help them make good privacy decisions when accessing their user data.

6. How are you managing the consents and rights of users of the platform?


We’ve made it clear and simple to understand exactly what users are agreeing to when joining a mentoring program. This means that people are able to give their consent via a form, with the purposes of data processing attached to that consent, so that it’s totally unambiguous.

There are three core and broad areas which ensure we manage user’s rights correctly:

1. We have standardised the consent mechanisms to allow for more consistent privacy practices and systems across our organisation for all users.  
2. Wherever possible we’ve minimised the processing of personal data — limiting activity to only what’s necessary for a specific purpose, carrying out privacy impact assessments, and maintaining up-to-date records to prove out their compliance.
3. We also have measures in place to ensure that the personal data we collect and store is accurate, up to date, and held only for as long as it is necessary.

7. What documents can you share that support your adherence to GDPR?


We want to be absolutely clear about how we use the data that we collect. You can read our Privacy Policy which is published on our website. It’s written in plain English, making it clear how data is processed and (unlike most documents of its kind) is easy to understand. But please let us know if that’s not the case!

We have also published a library of Privacy and IT documentation to show our commitment to our customers and our staff. As InfoSec is an ever-evolving field, these documents are continually updated and refined to enhance our security posture.

Included among this documentation – and relating specifically to GDPR – is our Data processing addendum.

We also keep a number of internal records such as audits and logs with a detailed record of any analyses and decisions so that, should we be requested to, we can demonstrate how we have complied with the requirements stated under the GDPR.

8. How are you ensuring users of the platform have the Right to be Forgotten?


Luckily, this has never been something we’ve denied users. However, what we’ve done as part of our work to follow the guidelines of the GDPR, is created and documented a clear process for it. So if any user makes this request, we have measures in place to ensure that we fulfill this swiftly and efficiently.

9. Are your third parties following the same standards?


We take great care when selecting third parties to work with, ensuring that if they do hold personal data (which not all of our partners do) that they have committed to GDPR compliance themselves, and in some cases are Certified under the EU-U.S. Privacy Shield and the Swiss-U.S. Privacy Shield Frameworks. As a result of the Schrems II decision, Mentorloop no longer relies solely on Privacy Shield, but nevertheless continues to recognise subprocessors that participate in the program. For this reason, Mentorloop continues to reference Privacy Shield in some policies.

We maintain a register of third party subprocessors, which is made available to customers.

10. And what about your employees?


Our employees have been authorised to process data and have undertaken training on the protection of personal data. Our Staff Information and Data Security Policy details their responsibilities to avoid data security breaches.

11. Have you appointed a Data Protection Officer?


Yes. Tracy Powell, our VP of Engineering, has been appointed as our Data Protection Officer. Usually you’d find DPOs appointed in organisations where:

1. It is a public authority (except for courts acting in their judicial capacity)
2. They undertake large-scale systematic monitoring of individuals
3. Or carry out large-scale processing of special categories of data or data relating to criminal convictions and offenses.

These criteria do not apply to Mentorloop, but it’s a core part of our ongoing commitment to protect the data of our users; and Tracy has the knowledge, support, and authority to continuously review and update our infrastructure in line with these requirements.

12. Will Brexit affect any of your policies and procedures?


No. Our policies and practices will remain the same irrespective of whether or not the UK retains the GDPR post-Brexit.

13. Do you support the new Standard Contractual Clauses (SCCs) from the European Commission?

Yes. On 4 June 2021, the European Commission issued modernised standard contractual clauses under the GDPR for data transfers from controllers or processors subject to the GDPR to controllers or processors not subject to the GDPR. Mentorloop has adjusted our practices and contracts to comply with the new SCCs. Our contract Data processing addendum can be found here.

The need to offer innate confidentiality and privacy during mentoring relationships has always informed how we deal with users of our platform. This gives them the confidence to have the candid and open conversations necessary to empower them to fulfill their personal career goals. We’ll continue to ensure that we use that information fairly and correctly; protecting the personal information of our mentors and mentees in order to enable ongoing mentoring relationships around the globe.

If you’d like to know more or have a question that you’d like answered, then please contact our Privacy Officer by emailing privacy@mentorloop.com

5 1 vote
Article Rating
Picture of Lucy Lloyd
Lucy Lloyd
Lucy believes the right connection can change your life, and she's CEO and Cofounder of Mentorloop. She also loves bushwalking, family & friends, and great food & wine.

Share this Article

Join the loop

Get updates and learn from the best mentoring programs

continue Learning

Create a culture of mentoring where your people are always learning, supported, and sponsored to success

See How it Works
Book a Demo