On May 25th 2018, a new data protection regulation goes into effect, and all companies processing personally identifiable information about EU citizens are affected.
The EU General Data Protection Regulation (GDPR) replaces the Data Protection Directive 95/46/EC and is designed to harmonize data privacy laws across Europe, to protect and empower all EU citizens' data privacy, and to reshape the way organizations across the region approach data privacy.
Riada has been following the evolution of the GDPR closely and we are taking the necessary actions to comply with this new regulation. It has always been natural for us to care for your data privacy, and we believe that the GDPR is a great framework that all companies should actively embrace and comply with.
What is GDPR?
The EU General Data Protection Regulation aims to protect all EU citizens from privacy and data breaches in an increasingly data-driven world. It introduces robust requirements that will raise and harmonize standards for data protection, security, and compliance.
One of the key aspects of the GDPR is that it aims to create consistency across EU member states on how personal data can be processed, used, and exchanged securely. Organizations will need to be able to demonstrate the security of the data they are processing and their compliance with the GDPR on a continual basis, by implementing and regularly reviewing robust technical and organisational measures, as well as compliance policies.
What is Personal Data?
Any information related to a natural person, or 'Data Subject', that can be used to directly or indirectly identify that person. It can be anything from a name, a photo, an email address, bank details, posts on social networking websites, medical information, or a computer IP address.
Key Points of the GDPR
The conditions for consent have been strengthened, and companies will no longer be able to use long illegible terms and conditions full of legalese, as the request for consent must be given in an intelligible and easily accessible form, with the purpose for data processing attached to that consent. Consent must be clear and distinguishable from other matters and provided in an intelligible and easily accessible form, using clear and plain language. It must be as easy to withdraw consent as it is to give it.
Under the GDPR, breach notification will become mandatory in all member states where a data breach is likely to “result in a risk for the rights and freedoms of individuals”. This must be done within 72 hours of first having become aware of the breach. Data processors will also be required to notify their customers, the controllers, “without undue delay” after first becoming aware of a data breach.
Right to Access
Data subjects have the right to know whether or not personal data concerning them is being processed, where and for what purpose. Further, the controller shall provide a copy of the personal data, free of charge, in an electronic format. This change is a dramatic shift towards data transparency and the empowerment of data subjects.
Right to be Forgotten
Also known as Data Erasure, the right to be forgotten entitles the data subject to have the data controller erase his/her personal data, cease further dissemination of the data, and potentially have third parties halt processing of the data. The conditions for erasure include the data no longer being relevant to the original purposes for processing, or a data subject withdrawing consent.
GDPR introduces data portability - the right for a data subject to receive the personal data concerning them, which they have previously provided, in a 'commonly used and machine-readable format', and the right to transmit that data to another controller.
Privacy by Design
Data protection by design means that it will be mandatory when designing a new system, process, service, etc. that processes personal data, to make sure that data protection considerations (both technical and organizational) are taken into account starting from the early stages of the design process. This data protection notion further includes data minimisation principles.
Riada’s approach to the GDPR
Up until 25 May 2018, Riada is obligated to fulfil the requirements set forth by the Swedish authority Datainspektionen and, more specifically, the regulation called Personuppgiftslagen (PUL). GDPR will replace PUL, and the significant differences certainly require a company like Riada to prepare, adjust and comply with the new requirements.
From a data protection perspective, we have identified two major areas where we act as controller or processor of personal data.
- Riada Cloud - Riada as data processor
Riada Cloud is a hosted solution where we offer a wide variety of applications to our customers. The server infrastructure is owned by Amazon Web Services (AWS) and the data is located in the European Union. In this setup, Riada is categorized as Data Processor, the customer is categorized as Data Controller, and AWS as Sub-Processor.
- General business - Riada as data controller
This area covers our day-to-day business, where we control personal data from a wide variety of sources, e.g. emails, contact forms, website visits, newsletters, event registrations, and lists of employees, subcontractors, vendors, customers, partners etc. The data we collect is needed to operate and run our day-to-day business.
Steps we are taking to ensure that we comply with the GDPR
We are continuing to design our information systems to comply with the GDPR. The systems include, but are not limited to: websites, CRM systems, HR systems and marketing systems. This means that we are able to track who has access to the information, when it has been accessed, how old the information is, etc. We also ensure that we have the ability to find defined data as well as to modify and delete the data in our systems. For over a year we have also been managing passwords with market-leading and certified tools that protect passwords to the highest security standards.
The Riada Cloud infrastructure has evolved a lot over the last year and is now stronger than ever. We have routines in place to identify and manage hacker attacks, data breaches, unauthorised access and DDoS attacks. To the largest possible extent, we're using encrypted traffic, disks and databases. We also have a secure and well-functioning disaster recovery process that is tested regularly. All Riada Cloud customers sign our GDPR addendum, which details our role as data processor and the customer's role as data controller.
From the technical perspective, we are making sure that we are:
- able to detect and identify different sorts of attacks on our infrastructure
- able to detect data breaches
- able to find, alter, and delete different sorts of personal data in our systems
- able to extract reports on existing personal data in our systems
- able to move and export personal data in an acceptable format from our systems
- able to identify who has access to certain data, when it was accessed and how it might have been processed
- designing our systems with high awareness and requirements on data privacy and security
Some marketing activities include sending invites, newsletters or offerings. In those cases we collect and control personal data of our target audience. We are making sure that you are able to give your explicit consent to receiving this kind of communication, as well as being able to opt out from such communication.
Riada is a growing company and we control personal data of our employees and prospective candidates. We assure you that the personal data of employees and candidates is erased as soon as we no longer have any active employment or recruitment process with the data subject.
I want to know more!
We’ve received a lot of questions from customers about our work with the GDPR, and this article might answer a few of them. For questions regarding the GDPR that still need answers, please reach out to firstname.lastname@example.org or call us at +46 8 733 31 25.
Originally published Feb 12, 2018 3:07:31 PM