[email protected] & GDPR Compliance


Introduction

On 25 May 2018, new European data protection legislation comes into force.

Known as GDPR, the EU General Data Protection Regulation is the most significant data protection legislation to be introduced in the past 20 years and replaces the 1995 EU Data Protection Directive.

In summary, the GDPR is designed to strengthen the rights of individuals regarding their personal data and is intended to unify data protection laws across Europe. These laws are intended to protect EU citizens and will apply regardless of where a users data is processed.

Specifically:

  1. Enhanced Privacy Rights
  2. Increased Organisational Obligations To Protect Data
  3. Mandatory Breach Reporting
  4. Increased Penalties For Non Compliance

[email protected] is committed to GDPR compliance across all our products and services. In addition we will work closely with our clients and partners as they rollout their GDPR compliance strategy in preparation for May 2018.

This statement is intended to provide information to our clients using:

Image

How Will GDPR Impact [email protected] Clients?

The extent to which GDPR will impact you as a [email protected] client will depend in part on the way in which our software is deployed and used in your organisation.

This is because GDPR makes a distinction between two types of roles:

  • Data Controller - The organisation which determines the purposes and means of processing personal data.
  • Data Processor - The organisation which processes data on behalf of the data controller.

There are a number of ways in which [email protected] software may be deployed and used in your organisation:

  • On Premise - In this scenario [email protected] software is installed and run on servers within your own organisational control. For the purposes of GDPR your organisation will be both the Data Controller and the Data Processor.
  • Cloud - In this scenario [email protected] software is installed and run on servers hosted in an external data centre. For the purposes of GDPR your organisation may (intentionally or unintentionally) split the duties, roles and responsibilities of Data Controller and Data Processor with the company who manages your hosted environments. In some cases this will be [email protected] but in others it may be a 3rd party provider contracted directly with you. A further complication may arise when the company who manages your environment is themselves using the services of 3rd party SAAS and IAAS providers (for example Microsoft, Amazon or Google).

Data controllers will be responsible for implementing the necessary technical and organisational policies to demonstrate and ensure that any data processing performed is carried out in compliance with the GDPR.

These obligations will relate to general principles such as:

  • Fulfilling an employee or other data subjects’ rights with respect to their data.
  • The accuracy of the data.
  • Data minimisation.
  • Limitation of purpose.
  • Transparency & fairness.
  • Lawfulness.
Image

[email protected] Product Security

[email protected] products have a number of tools and configuration options which can be utilised to further protect employee and other personal data against unauthorised or unlawful processing. These tools include:

Access Profiles

  • These can be used to restrict the options available to administrators relating to employee and user data.

Single Sign On

  • Linking [email protected] login’s to Active Directory and other SSO directories allows for centralised control and policy enforcement.

Password Control

  • Our software can enforce password expiry, minimum length and format to improve overall system security.
Image

Preparing For GDPR

  • Communication - Ensure that all [email protected] software Administrators in your organisation, are aware of the changes in their obligations and that of your organisation because of GDPR.
  • Data Held - You should document all personal data held in [email protected] software. You should also document where it was obtained from and who is permitted access to this data. You should also document procedures detailing how long this information is retained.
  • Privacy Notices - You should ensure that all privacy notices relating to information held in [email protected] software are reviewed and updated where necessary.
  • End User Rights - Ensure that there are procedures in place which document and explain to individuals their rights relating to data you hold about them in [email protected] software. You should specify the circumstances under which data can be deleted or provided to them and also the format in which that data is provided and the timescales involved.
  • End User Consent - You should have a properly documented procedure in place that seeks, records and manages the consent to hold employee (or non employee) data that is held in [email protected] software.
  • Data Breaches - Ensure that the right procedures are in place to detect, report and investigate any data breaches. If you are hosting [email protected] software on premise then this will be an internally managed procedure. However if your [email protected] software is hosted by a 3rd party, including [email protected] then its important to ensure your procedures dovetail with your provider.
  • Training - Ensure that your [email protected] Administrators are adequately trained in the security features of [email protected] software. Such training should be done in cooperation with  your organisations Data Protection Officer to ensure wider compliance.
Image

Recommended Next Steps Summary

Important Disclaimer

It is vital that you seek independent legal advice relating to your obligations and your status under the GDPR as only an accredited legal professional with knowledge of your organisation can provide you with legal advice specifically tailored to your situation. Nothing in this article or on the [email protected] website is intended to provide you with this legal advice.

Image