Mentorloop supports and encourages employees’ success through mentoring relationships, and is committed to every user’s information rights and privacy. Back in April 2018, we made a promise to update our processes and policies in order to meet the requirements of new European legislation relating to these rights: the General Data Protection Regulation 2018. This article explains how Mentorloop has responded to the GDPR and the measures we take to be compliant.
To fulfill our commitment to understanding and implementing the guidelines, we commissioned an independent review of our practices and processes, which was carried out in conjunction with our IT department. In the spirit of ongoing transparency, we wanted to share with you our responses to thirteen of the most common questions we are asked.
FAQs regarding GDPR and Mentorloop
As we expand our solution to facilitate mentoring relationships across the globe, it’s our responsibility to comply with the GDPR, regardless of whether the data is actually processed in the EU. Instead of having separate policies, we have chosen to make GDPR the baseline for all of our data policies, no matter what country our mentors and mentees are in.
When it comes to storing the personal data of EU data subjects, we have chosen a solution that is certified by the European Commission as being adequate in order to comply with GDPR. Put simply, this means that we use an Amazon Web Services data center based in the UK.
This question is often one of the initial points of discussion with a new customer, and it can be confusing.
Mentorloop determines the purpose and means of processing personal data. So although we process personal data on behalf of our customers, we also determine how the information is collected and the manner in which the processing is carried out. This means Mentorloop fits the definition of a Data Controller, and we adopt that role by default.
Our customers retain overall control of the data in terms of commissioning the use of the app and determining the purpose the data will be used for.
Supporting detail for our default definition of Data Controller:
• Mentorloop exercises control over the other purposes users’ data is used for, for example delivering mentoring tips & resources;
• Mentorloop has legal requirements of its own to meet, for example relating to the use and retention of personal data entered on the signup form and users’ tracked usage of the app;
• Mentorloop has its own terms and conditions that apply directly to the users of the app;
• Mentorloop has a degree of freedom to decide which information to collect and how to analyse this for the purposes of, say, nudges; and
• Mentorloop has the scope to use the data for its own purposes, for example, making modifications and improvements to the platform.
However, an entity can be both controller and processor and with some of our customers we have been happy to sign an addendum to the contract defining our role purely as a Data Processor for the purposes of that engagement.
The short answer is: both.
We’ve always been committed to The Privacy Act (Australia) in how we handle, use and manage personal information. GDPR includes some similar requirements. Both laws aim to foster transparent information handling practices and business accountability, to give individuals confidence that their privacy is being protected.
Other similarities include the requirement for businesses to implement measures that ensure compliance with a set of privacy principles and to take a privacy-by-design approach to compliance.
Mentorloop is a proprietary, purpose-built platform used to collect and process the data we gather from users of the app.
In order to use the app to create, and benefit from, a mentoring relationship, we need to collect personal information including through ‘contact us’ forms, resource downloads, email sign-ups, the Mentorloop app signup form, and information about the person when they become a user.
Full details can be found in our Privacy Policy.
We have adopted a ‘protection by design’ approach and, as such, have put in place physical, technical, and organisational procedures and techniques to safeguard users’ information. These safeguards include measures such as two-factor authentication, logical segregation of data, and encryption of databases. We also ensure that only the data necessary for the specific purposes of delivering mentoring programs is processed, used, and stored.
We also carry out monthly internal reviews of our systems and processes to make sure that we are continuing to adhere to the guidelines of the GDPR. An independent third party undertakes regular penetration testing of all of our systems. And finally, we’ve extended support in the form of help for admin users of the platform – those who manage mentoring programs from within their organisations – to help them make good privacy decisions when accessing their user data.
We’ve made it clear and simple to understand exactly what users are agreeing to when joining a mentoring program. This means that people are able to give their consent via a form, with the purposes of data processing attached to that consent, so that it’s totally unambiguous.
There are three core and broad areas which ensure we manage users’ rights correctly:
1. We have standardised the consent mechanisms to allow for more consistent privacy practices and systems across our organisation for all users.
2. Wherever possible we’ve minimised the processing of personal data — limiting activity to only what’s necessary for a specific purpose, carrying out privacy impact assessments, and maintaining up-to-date records to demonstrate our compliance.
3. We also have measures in place to ensure that the personal data we collect and store is accurate, up to date, and held only for as long as it is necessary.
We want to be absolutely clear about how we use the data that we collect. You can read our Privacy Policy which is published on our website. It’s written in plain English, making it clear how data is processed and (unlike most documents of its kind) is easy to understand. But please let us know if that’s not the case!
We have also published a library of Privacy and IT documentation to show our commitment to our customers and our staff. As InfoSec is an ever-evolving field, these documents are continually updated and refined to enhance our security posture.
Included among this documentation – and relating specifically to GDPR – is our Data processing addendum.
We also keep a number of internal records such as audits and logs with a detailed record of any analyses and decisions so that, should we be requested to, we can demonstrate how we have complied with the requirements stated under the GDPR.
Luckily, this has never been something we’ve denied users. However, as part of our work to follow the guidelines of the GDPR, we have created and documented a clear process for it. So if any user makes this request, we have measures in place to ensure that we fulfill it swiftly and efficiently.
We take great care when selecting third parties to work with, ensuring that if they do hold personal data (which not all of our partners do) they have committed to GDPR compliance themselves, and in some cases are certified under the EU-U.S. Privacy Shield and the Swiss-U.S. Privacy Shield Frameworks. As a result of the Schrems II decision, Mentorloop no longer relies solely on Privacy Shield, but nevertheless continues to recognise subprocessors that participate in the program. For this reason, Mentorloop continues to reference Privacy Shield in some policies.
We maintain a register of third party subprocessors, which is made available to customers.
Our employees have been authorised to process data and have undertaken training on the protection of personal data. Our Staff Information and Data Security Policy details their responsibilities to avoid data security breaches.
Yes. Tracy Powell, our VP of Engineering, has been appointed as our Data Protection Officer. Usually you’d find DPOs appointed in organisations where:
1. The organisation is a public authority (except for courts acting in their judicial capacity);
2. It undertakes large-scale systematic monitoring of individuals; or
3. It carries out large-scale processing of special categories of data or data relating to criminal convictions and offences.
These criteria do not apply to Mentorloop, but it’s a core part of our ongoing commitment to protect the data of our users; and Tracy has the knowledge, support, and authority to continuously review and update our infrastructure in line with these requirements.
No. Our policies and practices will remain the same irrespective of whether or not the UK retains the GDPR post-Brexit.
Yes. On 4 June 2021, the European Commission issued modernised standard contractual clauses under the GDPR for data transfers from controllers or processors subject to the GDPR to controllers or processors not subject to the GDPR. Mentorloop has adjusted our practices and contracts to comply with the new SCCs. Our contract Data processing addendum can be found here.
The need to offer innate confidentiality and privacy during mentoring relationships has always informed how we deal with users of our platform. This gives them the confidence to have the candid and open conversations necessary to empower them to fulfill their personal career goals. We’ll continue to ensure that we use that information fairly and correctly, protecting the personal information of our mentors and mentees in order to enable ongoing mentoring relationships around the globe.
If you’d like to know more or have a question that you’d like answered, then please contact our Privacy Officer by emailing privacy@mentorloop.com