General Data Protection Regulation Compliance
Who Are We?
TrackTik is the provider of security operations management software, and is the industry’s only all-in-one platform offering security service companies complete control of every aspect of their business. TrackTik saves customers time and money by enabling them to access insight, streamline operations, and improve business development through easy-to-use mobile and web-based technology, customized implementation and technical support, and a personalized sales toolbox. TrackTik has become the No. 1 software for security experts by driving efficiency and growth through automation and accurate data. For details, visit www.tracktik.com
What Is The GDPR?
The General Data Protection Regulation (GDPR) is a new European data protection law that takes full effect on May 25, 2018. It supersedes the Data Protection Directive (95/46/EC) as well as its national implementations in all EU member states. Its primary objectives are to give individuals back control of their personal data and to simplify the regulatory environment for international companies.
The GDPR applies to ‘personal data’ meaning any information relating to an identifiable person who can be directly or indirectly identified in particular by reference to an identifier. This definition provides for a wide range of personal identifiers to constitute personal data, including name, identification number, location data, IP address or online identifier, reflecting changes in technology and the way organisations collect information about people.
The GDPR affects both ‘controllers’ and ‘processors’. A controller is the entity that determines the purposes and means of processing personal data, while a processor is an entity that processes personal data on behalf of a controller. For the first time, processors, and not only controllers, have direct obligations, including keeping records of processing activities and notifying the controller following a personal data breach. Correspondingly, controllers are required to engage only data processors that provide “sufficient guarantees”. TrackTik, in its role as processor, understands and takes seriously these new data protection requirements. To that end, this brochure provides general information about the GDPR and describes our position and concrete initiatives in this regard.
What Are The Ten Key Changes Under The GDPR?
1. Territorial Scope. The GDPR applies to companies established in the EU, but also to those outside the EU that offer goods or services to EU residents or monitor their behaviour within the EU.
2. Consent. The GDPR sets a high bar for relying on consent: it must be freely given, specific, informed and unambiguous, and presented separately from other terms in clear and plain language. Further, data subjects must be able to withdraw their consent at any time in a simple manner.
3. Data Subjects’ Rights. The GDPR provides individuals with new and enhanced rights, including, in certain circumstances, a right to data portability, a right to restriction of processing, a right to be forgotten, and a right not to be subject to a decision based solely on profiling.
4. Accountability. The GDPR places significant accountability obligations on companies to demonstrate compliance, such as maintaining certain documentation, conducting data protection impact assessments for higher-risk activities, and implementing data protection “by design” and “by default” (e.g. data minimisation).
5. Transparency. The GDPR requires companies to provide substantial disclosures to data subjects when collecting their personal data, to ensure that their processing activities are fair and transparent.
6. Data Protection Officer. The GDPR requires the designation of a Data Protection Officer (DPO) where processing involves regular and systematic monitoring of EU residents on a large scale, or where it concerns certain categories of data on a large scale. The DPO must have sufficient expert knowledge.
7. Breach Notification. The GDPR requires controllers to notify a personal data breach to the relevant supervisory authority unless it is unlikely to result in a risk to the rights and freedoms of the data subjects in question. This must be done without undue delay and, where feasible, within 72 hours of becoming aware of the breach. In some cases, the controller must also notify the affected data subjects without undue delay.
8. International Data Transfers. The GDPR continues to prohibit transfers of personal data to countries outside the EEA unless an adequate level of protection exists in the destination country or another lawful transfer mechanism applies. It restates existing transfer mechanisms, such as Standard Contractual Clauses and Binding Corporate Rules, and adds new ones, including approved codes of conduct and certification schemes.
9. One Stop Shop. The GDPR establishes a one-stop-shop mechanism under which companies are primarily regulated by the supervisory authority of the member state where they have their “main establishment”.
10. Sanctions. The GDPR gives supervisory authorities wide-ranging powers to enforce compliance, including the ability to impose significant fines (up to €20 million or 4% of annual worldwide turnover, whichever is higher, in the most serious cases).
How Do We Situate Ourselves With The GDPR?
TrackTik acts as a ‘processor’ for the personal data that you and your employees submit electronically into our software-as-a-service applications. As such, TrackTik processes personal data on your behalf and according to your instructions. You alone determine what personal data is submitted into and processed within TrackTik’s cloud service, and you remain the controller at all times. Our processing activities consist of securely storing your personal data and processing it as necessary to operate, support and maintain our software-as-a-service applications.
TrackTik takes seriously all data protection laws applicable to us in our role as data processor, including the applicable requirements of the GDPR when it takes effect on May 25, 2018. That said, it remains your responsibility to use our software-as-a-service applications in a manner consistent with your own legal and regulatory obligations.
How Can We Help You to Comply With The GDPR?
TrackTik is aware of your concerns: as data controllers, you are required by the GDPR to engage only data processors that provide “sufficient guarantees”, in particular in terms of expert knowledge, reliability and resources, to implement appropriate technical and organizational measures that meet the GDPR’s requirements for the protection of data subjects’ personal data.
TrackTik must therefore be able to provide our clients with those guarantees. Beyond that, TrackTik is committed to facilitating your own GDPR compliance programme and to supporting you in our role as processor. Here is a sample of our concrete actions in this regard:
Data Subject Requests. TrackTik offers a suite of configurable features to help customers respond to their employees’ requests to access, correct, delete or restrict the processing of their personal data, and to comply with data portability requests under the GDPR.
Security Measures. TrackTik has implemented various technical and organizational measures designed to protect our customers’ personal data against accidental or unlawful destruction, loss, alteration, unauthorized disclosure of, or access to, personal data. TrackTik’s technical and organizational measures regularly pass rigorous third-party compliance audits for security, confidentiality, availability, processing integrity and privacy controls.
Data Breach Notification. Under the GDPR, our customers, as controllers, must notify the competent supervisory authority without undue delay and, where feasible, not later than 72 hours after becoming aware of a personal data breach, unless the breach is unlikely to result in a risk to the rights and freedoms of natural persons. In the event TrackTik becomes aware of a personal data breach affecting our customers’ personal data, TrackTik will notify our customers without undue delay and assist our customers to meet their data breach notification obligations by providing the relevant information regarding the personal data breach.
You Want To Know More About The GDPR?
GDPR official text: http://data.europa.eu/eli/reg/2016/679/oj
GDPR portal: https://www.eugdpr.org
European Commission, Data Protection: https://ec.europa.eu/info/law/law-topic/data-protection_en
ICO, Guide to the GDPR: https://ico.org.uk/for-organisations/guide-to-the-general-data-protection-regulation-gdpr
CNIL, Be ready for the GDPR: https://www.cnil.fr/se-preparer-au-reglement-europeen
Please contact us if you have any questions or enquiries about this brochure: [email protected]
This document is intended to convey general information only, and should only be used as a starting point in your understanding of issues relating to GDPR. This is not intended as legal advice, nor is it meant to convey legal facts or opinions. The contents of this document should not be relied upon in any particular situation, and the information presented here is not guaranteed to be correct, complete or up-to-date. No action should be taken in reliance on the information found here, and TrackTik disclaims all liability with respect to any acts or omissions based on the contents of this document. You should consult a licensed attorney or regulatory expert to discuss your specific legal, compliance and GDPR-related issues.