On May 25, 2018, a new European privacy law called the General Data Protection Regulation (GDPR) takes effect in the European Union (EU). The GDPR brings in new data protection rules and expands the privacy rights of EU individuals. It applies to all companies who collect, store or use the personal data of EU individuals, wherever that company is based in the world.
It is important that all organizations analyze now whether they are impacted by the GDPR and prepare for it. Fines for non-compliance can be as high as €20 million or 4% of global annual turnover, whichever is higher. Compliance also matters for protecting brand reputation and customer loyalty.
AllSecure has extensive expertise in protecting personal data and is committed to complying with the GDPR through our robust privacy and security protections.
AllSecure GDPR Readiness Activities
- Contract Terms - Released a GDPR Data Processing Addendum governing how we process Personal Data under the new EU regulation
- Internal Processing - Creating an improved internal process to handle Data Subject Requests
- Sub-Processor Compliance - Making sub-processor information available upon request
- Data Protection - Improving Incident Response Plan to detect, investigate and report data breaches as required by GDPR
What changes will the GDPR make to existing data protection rules and practices?
The GDPR is designed to build on existing data protection laws and modernize practices to cater to changes in technology and consumer preferences. There are a few important changes that we believe are particularly relevant to you as AllSecure customers. In addition to broadening the scope of existing laws beyond EU borders and the expanded definition of ‘personal data’, the GDPR introduces:
- An expansion of individual rights - Individuals in the EU will have new or strengthened rights under the GDPR, including: the right to be informed • the right of access • the right of rectification • the right to erasure • the right to restrict processing • the right to data portability • the right to object • rights in relation to automated decision making and profiling
- Stricter consent requirements - Where you rely on consent as your legal basis, it must be freely given, specific, informed and unambiguous. Consent must be obtained separately for each distinct processing activity (for example, email marketing, product updates, statements, telephone contact), must be as easy to withdraw as it was to give, and cannot be bundled into general terms and conditions
- Stricter processing requirements - The GDPR will require you to be fully transparent about the data you process, including: being able to state what specific data you collect and why • retaining only the data you need, for no longer than necessary • identifying your "legal basis" for processing the data, for example where processing is necessary to perform a contract, where the individual has consented, or where the processing is in the organization's "legitimate interest"
There are many other principles and requirements introduced by the GDPR, so it is important to review the GDPR thoroughly with legal experts to ensure you have a full understanding of how these requirements apply to you.
Does the GDPR address cross-border data transfers?
Yes. The GDPR requires that certain conditions be met before personal data is transferred outside the EU, and it identifies a number of different legal grounds that organizations can rely on to perform cross-border data transfers.
One legal ground for transferring personal data set out in the GDPR is an "adequacy decision." The Privacy Shield framework is one example of an adequacy decision. AllSecure, through its sub-processors, has certified its compliance with the Privacy Shield framework, and we are committed to treating all personal data received from EU member countries in accordance with the Privacy Shield framework's applicable principles.
Does it matter whether you are a controller or a processor?
Yes. The requirements and obligations differ depending on which category you are in.
- Data Controller - The organization that decides what data is held and what it is used for
- Data Processor - The organization that processes the data on behalf of the controller
Data Controllers retain primary responsibility for data protection (including, for example, the obligation to report data breaches to data protection authorities); however, the GDPR also places some direct obligations on the processor, such as processing personal data only on the controller's documented instructions, maintaining appropriate security measures, and notifying the controller without undue delay after becoming aware of a personal data breach.
In the context of AllSecure solutions and related services, in the majority of circumstances our customers act as the "data controllers". Our customers, for example, decide what information about their contacts is uploaded or transferred to the AllSecure Platform. As a provider, AllSecure has the role of a "data processor" that processes personal data on behalf of the data controller.
One important element of our compliance with EU data protection law, acting as our customers' processor, is our Data Processing Addendum (DPA). This contract addendum governs the relationship between our customer (as data controller of the Customer Data) and AllSecure (as data processor). Obtain and execute the latest copy of our Data Processing Addendum.
Will AllSecure comply with the GDPR?
AllSecure’s GDPR preparation started more than a year ago, and we are committed to achieving compliance with the GDPR on or before May 25, 2018. As part of this process we are reviewing (and updating where necessary) our internal processes, procedures, data systems and documentation, as well as our third-party vendor contracts and Data Processing Agreements to ensure that we are ready for GDPR’s implementation. This will also ensure that you can continue to lawfully transfer EU personal data to AllSecure to process on your behalf.
How can AllSecure assist in your GDPR compliance efforts?
There are several ways in which AllSecure can help. Most importantly, AllSecure can help you respond promptly to Individual Rights requests from your customers or contacts by enabling you to:
- Search for and provide all information stored about an individual (access requests)
- Modify, change or correct all stored personal data on request (rectification requests)
- Manage "Right to Erasure" requests as appropriate
- Export your customers' personal data in a portable format (data portability requests)
If any individual contacts AllSecure directly regarding their data, we will always advise that person to contact you directly to make sure that you have full control and retain any correspondence with the customer.
Do you still have questions?
You can submit questions or requests to AllSecure through our HelpDesk by sending an email to [email protected]. To help us route your request quickly, please add GDPR to the subject line.
To understand and learn more about the GDPR, visit the EU GDPR webpage.