Has your inbox been flooded with updated privacy policies from your Internet accounts like Google, Facebook, and LinkedIn? The massive new regulation directly affects all European Union (EU)* citizens, regardless of where they are living. The GDPR could have a huge impact on how your organization is required to protect an individual's data, even if you are not based in the EU. There is a massive $24 million penalty for non-compliance.
Data related to a natural person can be anything from a name, a photo, an email address, bank details, posts on social networking websites, medical information, or a computer IP address. It will now be necessary to document a data entrustment and storage agreement before using your system.
You may be surprised how likely it is that the GDPR will affect you even if you are not in the EU. The biggest change is the extended jurisdiction of the GDPR, as it applies to all organizations processing the personal data of EU data subjects, regardless of the organization's location and regardless of where those citizens are based. In addition, if your organization supports businesses that have customers who are EU data subjects, then your organization is required to be in compliance.
Individuals have the right to be forgotten by withdrawing consent or directly requiring you to delete the data. They can ask you to erase their personal data, cease further dissemination of the data, and potentially have third parties halt processing of the data. The conditions for erasure include the data no longer being relevant to the original purposes for processing, or a data subject withdrawing consent; this right requires controllers to weigh the subject's rights against "the public interest in the availability of the data" when considering such requests.
Your organization needs to be in compliance with how you secure the data and cannot hold on to the data longer than necessary. You must comply (outside of health care and law enforcement, etc.) when the individual requests their data be deleted. In addition, you are required to provide documentation of how data is handled and report data breaches to authorities within 72 hours of discovery.
Companies can be fined up to 4% of annual global turnover or €20 million (whichever is greater).
Companies may very well be required to have a designated data protection officer (DPO) who manages the internal record-keeping requirements. A DPO is mandatory only for those controllers and processors whose core activities consist of processing operations that require regular and systematic monitoring of data subjects on a large scale, or processing of special categories of data or of data relating to criminal convictions and offenses.
We have performed the extensive data audits required by the GDPR to ensure that not only does our assessment platform fulfill all technical and documentation requirements, but that our organization as a whole meets the GDPR requirements. Our assessment platform, the FinxS System, and our organization, in the role of data processor, comply with the GDPR requirements, including the GDPR principles of:
There are numerous, stringent data security and technical requirements that an assessment system must meet in order to be GDPR compliant. In addition, the assessment system must be able to document all activities such as recording all login attempts, deletion of data, data security measures, etc. Of course, the system must be able to document that a respondent has provided the lawful basis to collect any data in the first place.
Many U.S.-based companies mistakenly think the EU-US Privacy Shield is simply a mechanism that enables participating companies to meet the EU requirements for transferring personal data from the EU to the US, but it is not. In order to be GDPR compliant, data processors such as assessment tool providers must follow much stricter regulations to avoid potentially very costly consequences for their clients.
*The EU countries include Austria, Belgium, Bulgaria, Croatia, Republic of Cyprus, Czech Republic, Denmark, Estonia, Finland, France, Germany, Greece, Hungary, Ireland, Italy, Latvia, Lithuania, Luxembourg, Malta, Netherlands, Poland, Portugal, Romania, Slovakia, Slovenia, Spain, Sweden, and currently, the United Kingdom.