GDPR is an EU-wide privacy and data protection law that gives individuals more control over their personal data. It applies when anyone processes the personal data of EU residents, regardless of the location of the person/entity performing the processing.
The GDPR is relevant to any globally operating company and not just EU-based businesses and EU residents. Our customers' data is equally important no matter where they are located, so we plan to implement GDPR controls as our baseline standard for all our operations, worldwide.
GDPR will become enforceable on 25th May 2018.
What is personal data?
Anything that can help identify an individual is personal data.
GDPR includes a broad spectrum of information that could be used on its own, or in combination with other pieces of information, to identify a person. Personal data extends beyond a person's name or email address. Some examples include financial information, political opinions, genetic data, biometric data, IP addresses, physical address, sexual orientation, and ethnicity.
How is Findusonweb preparing for GDPR?
In preparation for GDPR, Findusonweb has done a number of things to adhere to the new regulation.
We have raised awareness across the organization through frequent discussions in our internal channels and trained employees to handle data appropriately. They now understand the importance of information security and the high standards set by GDPR.
We have assessed all Findusonweb products, individually, against the requirements of the GDPR and are implementing new features that will give you more control over your data and ease your burden of achieving GDPR compliance.
We have put together a personal data inventory that includes all the roles Findusonweb assumes, such as a data controller and processor. This includes various categories of personal data processed by our organization and helped us to determine which department is getting access to which data and for what purpose.
We are assessing our sub-processors (third party service providers, partners) and streamlining the contract process with them to ensure they address the pressing needs of the current security and privacy world.
We have appointed internal privacy champions for all our teams. We are in the process of appointing a Data Protection Officer (DPO). This is expected to be finalized very soon.
We are constantly in the process of earning additional security certifications and data privacy seals. We are also documenting our processes and procedures, down to the tiniest details of what we do.
Our application teams have embraced the concept of privacy by design and are working to provide you more control over the data you store in our systems. These provisions may vary based on the product's characteristics and domain. Our teams are working on these features and enhancements, which will be rolled out in phases.
We have amended our Data Processing Addendum (based on Model Contractual Clauses) to be compliant with the data processing requirements of GDPR. Upon request, we will share the revised Data Processing Addendum to enable you to be compliant with your GDPR obligations. Please send an email to firstname.lastname@example.org to request a copy of the Data Processing Addendum.
We conducted Data Protection Impact Assessments (DPIA). Based on the results, we are putting in place appropriate controls on data processing and management.
We conducted internal audits of our products, processes, operations, and management. The findings were communicated to our teams, who are working to solve any remaining problems.
Based on the DPIAs and internal audits, we have improved our data security methods and processes. This includes encrypting data at rest, based on the level of sensitivity and likelihood of risks. We are also developing our own tools for better data governance and data discovery.
We are cleaning up our databases to ensure that we have only the latest and most accurate information. This cleanup process includes removing terminated and dormant accounts as per our Terms of Service.
When needed, breach notifications will be done in accordance with our internal Privacy Incident Response policy. Customers will be notified of a breach within 72 hours after Findusonweb becomes aware of it. For general incidents, we will notify users through our blogs, forums, and social media. For incidents specific to an individual user or an organization, we will notify the concerned party through email (using their primary email address).
The EU's General Data Protection Regulation (GDPR) is a game changer in data protection and privacy laws. The EU has realized that while technology has evolved drastically in the last few decades, privacy laws have not. In 2016, EU regulatory bodies decided to update the current Data Protection Directive to suit the changing times. This law creates a comprehensive list of regulations that govern the processing of EU residents' personal data.
GDPR applies to any organization that works with the personal data of EU residents. This law introduces new obligations for data processors while clearly stating the accountability of data controllers.
Any information relating to an identified or identifiable natural person. The identifiers are classified into two types: direct (e.g., name, email, phone number, etc.) and indirect (e.g., date of birth, gender, etc.).
New & enhanced rights for data subjects - This law gives an individual the right to exercise complete authority over their personal data. Some of the rights highlighted in the regulation are:
Explicit consent - Data subjects must be informed about how their personal data will be processed. Organizations must make it as easy for data subjects to withdraw their consent as it is to grant it.
Right to access - At any point in time, the data subject can ask the controller what personal data is being stored or retained about him/her.
Right to be forgotten - The data subject can request the controller to remove their personal information from the controller's systems.
Obligations of the processors - GDPR has raised the bar for the responsibilities and liabilities of data processors as well. Processors must be able to demonstrate compliance with the GDPR and they must follow the data controller's instructions.
Data Protection Officer - Organizations may need to appoint a staff member or external service provider who is responsible for overseeing GDPR, general privacy management compliance and data protection practices.
Privacy Impact Assessments (PIA) - Organizations must conduct privacy impact assessments of their large-scale data processing to minimize the risks and identify measures to mitigate them.
Breach notification - Controllers must notify the stakeholders (the supervisory authority, and where applicable, the data subjects) within 72 hours of becoming aware of a breach.
Data portability - The controller must be able to provide data subjects with a copy of their personal data in machine readable format. If possible, they must be able to transfer the data to another controller.
Contract -This applies when you need to process the customer's personal data to fulfill your contractual obligations, or to take some action based on the customer's request (e.g. sending a quote or invoice)
Legal Obligation -This applies when you have to comply with an obligation under any applicable law (e.g. providing information in response to valid requests, such as an investigation by an authority).
Vital Interests - This applies to urgent matters of life and death, especially with regards to health data.
Public Task - This applies to activities of public authorities.
Legitimate Interests Legitimate interests can include commercial interests, such as direct marketing, individual interests, or broader societal benefits. The controller must document and keep a record of decisions on legitimate interests in the form of a Legitimate Interests Assessment.
ConsentConsent is also a lawful basis to process data. Consent of the data subject means "any freely given, specific, informed, and unambiguous indication of the data subject's wishes by which he or she, by a statement or by a clear affirmative action, signifies agreement to the processing of personal data relating to him or her."
LIA stands for Legitimate Interests Assessment. It specifies the reason an organization wants to process a customer's personal data. The organization must also conduct an LIA to show that the processing is necessary.
The assessment of whether a legitimate interest exists.
The establishment of the necessity for processing.
No, the GDPR does not require EU personal data to stay in the EU, nor does it place any new restrictions on transfers of personal data outside the EU. Our data processing addendum, which references the European Commission's model clauses, will continue to help our customers facilitate transfers of EU personal data outside of the EU.