The EU General Data Protection Regulation (GDPR) is a new data protection law that replaces the Data Protection Directive 95/46/EC.
The GDPR applies from 25 May 2018 across the EU, including the UK.
- Your extended rights in relation to the information we hold about you
- How we keep your personal information secure
- The types of personal information we collect about you, how we collect and use it
- The legal grounds for how we use your information
The GDPR regulates the “processing” of personal data, which covers its collection, storage, transfer and use. Any organization that processes the personal data of individuals in the EU, including tracking their online activities, is within the scope of the law, regardless of whether the organization has a physical presence in the EU. Under the GDPR, the concept of “personal data” is very broad and covers any information relating to an identified or identifiable individual (also called a “data subject”).
The GDPR provides more privacy rights to EU individuals and places significant obligations on organizations. Some of the key changes are:
- Expanded rights for EU individuals: The GDPR provides expanded rights for EU individuals such as deletion, restriction, and portability of personal data.
- Compliance obligations: The GDPR requires organizations to implement appropriate policies and security measures, conduct data protection impact assessments (DPIAs) for high-risk processing, keep records of their processing activities, and enter into written agreements with vendors that process personal data on their behalf.
- Data breach notification and security: The GDPR requires organizations to report certain personal data breaches to the data protection authority without undue delay and, where feasible, within 72 hours of becoming aware of the breach, and under certain circumstances to notify the affected data subjects as well. The GDPR also places additional security requirements on organizations.
- New requirements for profiling and monitoring: The GDPR places additional obligations on organizations engaged in profiling or monitoring behavior of EU individuals.
- Binding Corporate Rules (BCRs): The GDPR formally recognizes BCRs as a mechanism organizations can use to lawfully transfer personal data outside the EU.
- Enforcement: Under the GDPR, authorities can fine organizations up to the greater of €20 million or 4% of annual worldwide turnover for the most serious infringements (a lower tier of €10 million or 2% applies to others), with the amount depending on the nature, gravity and duration of the infringement and the damage suffered by data subjects.
- One stop shop: The GDPR provides a central point of enforcement for organizations with operations in multiple EU member states by letting them deal with a single lead supervisory authority for cross-border data protection issues.
Does the GDPR require EU personal data to stay in the EU?
No. The GDPR does not require EU personal data to stay in the EU, and it largely carries forward the existing transfer mechanisms rather than imposing new restrictions: a transfer outside the EU still needs an appropriate safeguard, such as an adequacy decision, BCRs, or the European Commission’s model clauses. Our new data processing addendum, which references our Binding Corporate Rules, upcoming Privacy Shield certification, and the European Commission’s model clauses, will continue to help our customers lawfully transfer EU personal data outside of the EU.
What essensys is doing
essensys welcomes the GDPR as an important step forward in harmonizing data protection requirements across the EU and as an opportunity to deepen our commitment to data protection. As with existing legal requirements, compliance with the GDPR requires a partnership between essensys and our customers in their use of our services: essensys will comply with the GDPR in delivering our services, and we are also committed to helping our customers comply. We have closely analyzed the requirements of the GDPR and are enhancing our products, contracts, and documentation to support both essensys’ and our customers’ compliance with the GDPR.
essensys' commitment to data protection
At essensys, we recognize the importance of the data we collect and process on behalf of our customers. essensys' robust privacy and security program meets the highest standards in the industry.
In order to continually improve our service, essensys is working towards ISO/IEC 27018 compliance. ISO/IEC 27018 is a code of practice focused on the protection of personally identifiable information (PII) in public clouds. It builds on the information security standard ISO/IEC 27002: it provides implementation guidance on the ISO/IEC 27002 controls that apply to PII held by a public cloud provider, and adds a set of further controls and guidance for public cloud PII protection requirements that the existing ISO/IEC 27002 control set does not address.
Additionally, essensys will provide documentation that describes the architecture and infrastructure of our services, the security- and privacy-related audits and certifications our services have received, the applicable administrative, technical, and physical controls, and the sub-processors and other entities material to our services.
What customers should do
- Raise awareness of the importance of GDPR compliance with organization leaders
- Obtain executive support for necessary staff resources and financial investments
- Choose someone to lead the effort
- Build a steering committee of key functional leaders
- Identify privacy champions throughout the organization
- Review existing privacy and security efforts to identify strengths and weaknesses
- Identify all the systems where the organization stores personal data and create a data inventory
- Create a register of data processing activities and carry out a data protection impact assessment (DPIA) for each high-risk activity
- Document compliance
- Ensure privacy notices are present wherever personal data is collected
- Implement controls to limit the organization’s use of data to the purposes for which it collected the data
- Establish mechanisms to manage data subject consent preferences
- Implement appropriate administrative, physical, and technical security measures, together with processes to detect, report and respond to personal data breaches
- Establish procedures to respond to data subject requests for access, rectification, objection, restriction, portability, and deletion (right to be forgotten)
- Enter into contracts with affiliates and vendors that collect or receive personal data
- Establish an ongoing data protection impact assessment process
- Administer employee and vendor privacy and security awareness training
- Compile copies of privacy notices and consent forms, the data inventory and register of data processing activities, written policies and procedures, training materials, intra-company data transfer agreements, and vendor contracts
- If required, appoint a data protection officer and identify the appropriate EU supervisory authority
- Conduct periodic risk assessments