Introduction
At Highwire, the success of our partners and the protection of their personal data are our top priorities. With customers in countries worldwide, Highwire adopts a truly international approach to data privacy. Highwire is regularly audited by third parties against the most exacting criteria, and we have been globally certified by the International Organization for Standardization under ISO 27001 since 2016.
In 2018, the European Union began enforcing the General Data Protection Regulation (GDPR), a groundbreaking legal framework that aims to empower individuals and enhance their privacy rights by imposing strict obligations on companies that handle their data. Highwire’s early commitment to ISO 27001 put us in a strong position to quickly and effectively review and enhance the Highwire application and our internal processes, policies, and controls, ensuring compliance with the GDPR.
Below, we will introduce the key components of the GDPR and discuss how Highwire has integrated GDPR compliance into our platform and processes.
Data Subject Rights
The primary purpose of the GDPR is to give individuals greater control over the use of their personal data and to standardize data protection regulations for businesses operating within the European Union. Under the GDPR, individuals whose data is being processed are defined as “data subjects”. At Highwire, they are referred to as client users and contractor users. Regardless of the label, they have several fundamental rights under the GDPR, including the following:
- Right to access: Data subjects have the right to request access to their personal data held by an organization.
- Right to rectification: Individuals have the right to request corrections to inaccurate or incomplete data.
- Right to erasure (right to be forgotten): Data subjects have the right to request the deletion of their personal data under certain circumstances.
- Right to restriction of processing: In certain cases, individuals have the right to request the restriction of data processing.
- Right to data portability: Data subjects have the right to request their data in a machine-readable format for transfer to another controller.
- Right to object: Individuals have the right to object to the processing of their data for specific purposes, such as direct marketing.
Data Controller vs. Data Processor
Before defining Highwire’s specific GDPR approach, it is essential to understand the distinction between a data controller and a data processor. Generally speaking, the following definitions apply under the GDPR:
- Data controller: The entity that determines the purposes and means of processing personal data. Controllers must ensure that processors follow their instructions.
- Data processor: The entity that processes personal data on behalf of the data controller. Processors must only process data as defined by the controller and must take appropriate measures to ensure the security of that data.
In the Highwire model, clients and contractors act as the data controller to the extent that they provide limited personal data to Highwire, including full name, business title, and business email address, to establish an account in the Highwire system. Additionally, contractors provide business information to Highwire for evaluation using Highwire’s proprietary safety and financial algorithms.
Highwire then acts as the data processor to the extent that we process personal data on behalf of and under the direction of our users. Highwire is limited to using personal data only as directed by our users and in a manner that ensures their privacy rights are upheld.
How does Highwire demonstrate to our users that we are processing personal data in accordance with the necessary measures to ensure data security and privacy? Let’s look at our robust approach.
Highwire’s Approach to GDPR Compliance
Privacy Policy
One of the core requirements of the GDPR is the need for transparent and easily understandable privacy policies. Privacy policies must provide clear information about how data is collected, processed, and stored, as well as how data subjects can exercise their rights. The Highwire Privacy Policy is publicly available on our website and supplemented by a specific EEA Privacy Notice for users in the European Economic Area, the United Kingdom, or Switzerland.
To ensure that our Privacy Policy meets the strict requirements of the GDPR, Highwire completes an annual audit as part of the United States Department of Commerce Data Privacy Framework program. You can visit the Data Privacy Framework website for more information and to verify Highwire’s certification.
Cookies and User Consent
In compliance with the GDPR, Highwire provides transparent information about our use of cookies and obtains user consent before placing or accessing them on a user’s device. Cookies are small data files stored in text format on a user’s device to ensure that the Highwire application and website function correctly and efficiently.
Cookies enable Highwire to “remember” a user’s preferences, such as language, font size, login details, and display settings, ensuring a consistent and personalized experience when the site is revisited. This standard practice supports the usability and functionality of our platform without compromising Highwire’s strict standards for data protection and security.
Highwire also uses cookies to help analyze how visitors interact with and navigate through our website. This information allows us to identify opportunities for improvement and maintain a high-quality user experience. Cookie-related data is used exclusively for the purposes described here. Highwire does not use cookies to enable third-party tracking mechanisms or interest-based advertising, and no data is shared with unaffiliated entities for marketing purposes.
Upon visiting the Highwire website, users are immediately notified of our use of cookies through a pop-up banner. Users must actively consent before cookies are placed on their device. This banner also includes a link to our detailed Cookie Statement, where users can review our practices and manage their cookie preferences at any time.
Contractual Clauses and Data Processing Addendum
As mandated by the GDPR, Highwire outlines our specific responsibilities, security measures, and compliance requirements regarding data processing as part of our contractual agreements with clients and contractors. We do this by explicitly referencing the Highwire Privacy Policy and the Highwire Data Processing Addendum in our Terms. To ensure the efficacy of Highwire’s Data Processing Addendum, our contractual language is based on the Standard Contractual Clauses (SCCs) issued by the European Commission, which were specifically designed for the transfer of personal data from within the EEA to countries outside the EEA. SCCs are a crucial tool for ensuring that data transfers outside the EEA comply with the GDPR's requirements.
Subprocessors
Under the GDPR, a subprocessor is any third party that a data processor (like Highwire) engages to help process personal data on behalf of the data controller (our clients and contractors). In other words, subprocessors are vendors or service providers that support Highwire’s delivery of the Highwire platform and related services.
Highwire carefully selects and contracts with subprocessors to perform specific, limited functions necessary to operate our business—such as cloud hosting, infrastructure, and customer support tools. Each subprocessor is required to meet strict security, privacy, and compliance standards consistent with the obligations imposed by the GDPR and Highwire’s Data Processing Addendum.
All subprocessors engaged by Highwire are bound by written agreements that ensure:
- Personal data is processed only on documented instructions from Highwire;
- Adequate technical and organizational safeguards are maintained to protect data;
- Transfers of personal data outside the European Economic Area (EEA) are governed by the European Commission’s Standard Contractual Clauses (SCCs) or equivalent legal mechanisms; and
- Immediate notification is provided to Highwire in the event of a data breach or security incident.
Highwire maintains a current list of its approved subprocessors, which is publicly available here.
Highwire's most critical subprocessor is Amazon Web Services (AWS), with whom we contract for secure cloud hosting services. AWS has implemented robust compliance measures, including adherence to ISO/IEC 27001 and SOC 2 Type II certifications. Highwire conducts regular due diligence and annual reviews of AWS to verify continued GDPR compliance. You can learn more about AWS’s approach to GDPR compliance at the AWS GDPR Center.
Unsubscribe Mechanisms
The GDPR requires organizations to provide clear and easily accessible unsubscribe mechanisms, particularly for marketing communications. Highwire users can access clear opt-out links in the footer of all Highwire emails.
Data Deletion
Highwire retains user data only for as long as we have an ongoing, legitimate need to do so and are working under a current client or contractor agreement. Specific user accounts and personally identifiable information (PII) are deleted immediately upon account deletion (either directly by a client administrative user or by Highwire) or upon contract termination. Highwire tries to ensure that our services protect information from accidental or malicious deletion. Because of this, there may be slight delays between when a user deletes something and when copies are deleted from our active and backup systems.
As detailed in our Terms, Highwire may de-identify and aggregate information submitted by our contractors. Highwire owns all aggregated information and may use it for any purpose, as aggregated data is completely anonymous and no longer constitutes personal data subject to data protection laws or regulations, including the GDPR.
Breach Notification
Highwire will notify all users immediately via email of any personal data breach (and never later than 72 hours after having become aware of it). This notification will include the following:
- the nature and description of the breach, including the number of users who are affected;
- analysis and root cause of the failure;
- immediate corrective action to address the breach and mitigate the adverse effects; and,
- other corrective actions proposed or taken to prevent any future breaches of the same nature and type.
Conclusion
The EU General Data Protection Regulation (GDPR) is a comprehensive framework designed to protect individuals’ personal data and provide them with greater control over how it’s processed. Highwire makes it a top priority to understand and comply with the GDPR’s provisions in order to build trust with our customers and to contribute to a global culture of data protection and privacy.