Autotask works hard to protect the privacy and security of its customers’ data. In addition to the many steps we take to protect customer data described in Autotask’s general corporate Privacy Policy, Autotask proactively monitors legal and other developments that may be of importance to Autotask customers.

In May 2018, a new European privacy law, the General Data Protection Regulation (“GDPR”), goes into effect. The GDPR fundamentally changes European privacy law and requires all companies that handle “personal data” of individuals in the EU to adopt more stringent privacy and security practices. (For our customers in the UK, to date, all indications are that the UK will adopt national laws that substantially mirror the GDPR even after Brexit.)

Consistent with our corporate focus on customer privacy and security, Autotask is making a substantial investment of time and resources to ensure its products and services are fully GDPR compliant by May 2018. These investments include a comprehensive company-wide review of all Autotask business relationships, products, services and data handling practices. Autotask’s compliance effort is being led by its global Privacy Team, whose members include senior executives and product specialists from key functional areas and geographic regions and who have deep knowledge of and experience with Autotask’s products and data handling practices. Key tasks being managed by the Privacy Team include but are not limited to:

  • Creation of data inventories and data flow maps for Autotask products;
  • Review and update of Autotask contracts and licenses;
  • Review and update of Autotask’s corporate and product-level privacy policies;
  • Review and update of Autotask products and services (particularly to accommodate updated data subject rights, including notice, consent, transparency, portability, correction and erasure); and
  • Review and update of Autotask’s data processing addendum for data transfers outside the EU.

Over the next several months, we will be reaching out to our resellers and customers with updates on our GDPR compliance efforts and with important information on any changes to Autotask contracts, licenses, products, services and business practices that may affect sale and use of our products and services.

In the meantime, Autotask’s GDPR compliance efforts are only one piece of a much larger effort. The GDPR imposes significant obligations on all entities that process personal data, including Autotask resellers and customers who have their own privacy, security and data processing obligations.

Autotask recommends that all resellers and customers who use Autotask products and services to process “personal data” begin working with their legal and technical advisers to ensure that their data handling practices comply with the complicated requirements of the GDPR. Key issues that should be addressed include:

  • Does the GDPR apply to my organization? The GDPR applies to organizations that process personal data in the EU, as well as to organizations outside the EU that process personal data of natural persons located in the EU in certain specific situations.
  • Do my data handling practices respect the rights of data subjects? The GDPR places a high value on data subject rights, including but not limited to the rights to notice, consent, transparency, portability, and erasure.
  • Does my organization have data breach notification processes and procedures? Article 33 of the GDPR introduces new data breach notification requirements that include a requirement to notify data protection authorities of data breaches “without undue delay and, where feasible, within 72 hours of becoming aware of the breach.” Direct notification of data subjects also is required in some circumstances, as set forth in Article 34.
  • Does my organization need a data protection officer (“DPO”)? The GDPR requires organizations to appoint a DPO in certain circumstances set forth in GDPR Article 37.
  • Does my organization transfer data outside the EU? As in the case of the original 1995 Data Protection Directive, transfers of data outside the EU are governed by special rules restricting transfers to countries that lack adequate data protections unless certain requirements are met.
  • Does my organization maintain records of its compliance activities? Accountability is a critical element of the GDPR. Thus, maintaining clear and accurate records of your compliance activities is important to demonstrate compliance.

Answering these questions and the many others raised by the GDPR is critical to ensuring that your organization is GDPR-ready by May 2018.

Autotask cannot provide you with advice on how the GDPR affects your organization generally (those are issues you must raise with your legal and other advisers), but we are here to help with any questions on how the GDPR affects your use of Autotask products. If you have specific questions about Autotask’s GDPR compliance efforts and how those efforts may impact your use of Autotask’s products and services, please contact us at