GDPR Compliance: Everything You Should Know and More

What is GDPR Compliance

Alex

GDPR Compliance: Let’s talk about it.

In the last 20 years the global economy has become increasingly digitized, and many companies now hold highly sensitive personal customer information obtained from various sources. Holding such data carries significant risk if it is stolen or abused.

What is GDPR Compliance?

The General Data Protection Regulation (GDPR) (Regulation (EU) 2016/679) is a regulation by which the European Parliament, the Council of the European Union, and the European Commission intend to strengthen and unify data protection for all individuals within the European Union.

The General Data Protection Regulation was officially adopted by the European Parliament in April 2016 to specify how customer data should be used and protected. Following a two-year post-adoption period, it will become enforceable in May 2018. GDPR will replace the 1995 EU Data Protection Directive, which was introduced two decades ago, when the Internet had not yet revolutionized business communications.

The Impact of GDPR Compliance

GDPR is applicable extraterritorially to all parties involved in selling goods and services to EU citizens and processing their personal data, regardless of whether the organization is registered or operating within the EU, including companies on other continents. As an IT or cybersecurity professional, you must learn how to address major data protection requirements and make sure that software vendors you collaborate with are 100% GDPR compliant.

If data privacy infringement is committed, GDPR allows fines to be issued for violators, up to a maximum of either €20 million or 4% of the worldwide turnover, whichever is greater.

At SpinOne we welcome the General Data Protection Regulation (GDPR) enforcement for B2B markets, as it is individuals who handle business relationships. We are confident that GDPR compliance will help SpinOne demonstrate that it has a high level of cyber security expertise and management when storing, encrypting, backing up, and securing our customers’ confidential data.

GDPR Overview: Why Is It Important for Personal Data Protection?

GDPR sets out seven essential requirements that address control over the processing of personal data.

7 core citizen rights afforded under GDPR requirements for personal data protection:

  1. Consent. In obtaining consent for data use, companies cannot use indecipherable terms and conditions filled with legalese. It must be as easy to withdraw consent as it is to give it.
  2. Breach Notification. In the event of a data breach, data processors have to notify their controllers and customers of any risk within 72 hours.
  3. Right to Access. Individuals have the right to obtain confirmation from the data controller of whether their personal data is being processed. The data controller is obliged to provide an electronic copy for free to data subjects.
  4. Right to be Forgotten. When data is no longer relevant to its original purpose, data subjects can have the data controller erase their personal data and cease its dissemination.
  5. Data Portability. Allows individuals to obtain and reuse their personal data for their own purposes by transferring it across different services.
  6. Privacy by Design. Calls for the inclusion of data protection from the onset of designing systems, implementing appropriate technical and infrastructural measures.
  7. Data Protection Officers. Professionally qualified officers must be appointed in public authorities or organizations that engage in large-scale (companies with more than 250 employees) systematic monitoring or processing of sensitive data.

Below is a brief introduction to six key GDPR principles and how SpinOne follows the GDPR requirements.

Fairness and Transparency

Organizations must always process personal data lawfully, fairly, and in a transparent manner.

SpinOne, based on its professional expertise, experience, best practices, and customer feedback, has developed these Terms of Service and Privacy Policy, which transparently and accurately describe the conditions under which personal data relating to users of SpinOne’s service is obtained, stored, and processed. As of May 25, 2018, this Privacy Policy will be updated according to the GDPR requirements. SpinOne will offer its customers the right to choose the geographic location of their data storage upon installation of SpinOne’s application. This feature gives European customers the choice of storing their data at Amazon’s European data center, located in Dublin.

Purpose Limitation

Organizations can collect personal data only for specified, explicit, and legitimate purposes. They cannot further process personal data in a manner that’s incompatible with those purposes.

Upon customer registration, SpinOne introduces the customers to the Terms of Service and Privacy Policy. By clicking the “I AGREE” button, the customer confirms that they understand the Terms of Service, along with what information is obtained, stored, and processed, and for what purpose. Additionally, by clicking the “I AGREE” button, the customer accepts these terms.

Data Minimization

Organizations can collect only personal data that’s adequate, relevant, and limited to what’s necessary for the intended purpose.

The information stored in the G Suite profile is the primary data source for SpinOne. This data will be retained by SpinOne only for the purpose of correctly displaying information about the users.

Accuracy

Personal data must be accurate and kept up to date when necessary.

SpinOne automatically updates data every time a user updates their data in the Google profile. There is no other way to change or update information in SpinOne’s system.

Data Deletion

Personal data must be kept only for as long as it’s needed to fulfill the original purpose of collection.

SpinOne stores customer data only as long as it is needed to provide quality service to its customers. Any customer data that a customer leaves behind will be automatically deleted by SpinOne after 30 days, which is when the licenses expire.

Additionally, SpinOne can delete data upon a customer’s request, if such a request meets the GDPR requirements and other legal acts.

Security

Organizations must use appropriate technical and organizational security measures to protect personal data against unauthorized processing and accidental disclosure, access, loss, destruction, or alteration. Depending on the specific use case and personal data processed, the use of data segregation, encryption, pseudonymization, and anonymization is recommended, and in some cases required to help protect personal data.

SpinOne employs a professional team of technical and cybersecurity specialists. The experience of SpinOne’s team allows it to provide a cutting-edge service built on the “privacy by design” and “privacy by default” principles.

Compliance

A data controller is responsible for implementing measures to ensure that the personal data it controls is handled in compliance with the principles of the GDPR. This includes appointing a data protection officer, imposing contractual obligations on processors, and applying the principles of “privacy by design” and “privacy by default.” Additionally, a data controller must be able to demonstrate compliance, including keeping a record of processing activities and conducting privacy impact assessments.

SpinOne’s GDPR Compliance

Recognizing the importance of GDPR compliance, SpinOne applies G Suite security best practices and international standards, and follows legal requirements, when building an Information Security Management System (ISMS) within the company. We incorporate the highest security standards into every phase of SpinOne’s software development process, from the outset to completion. SpinOne employs the highest security and privacy controls, audited regularly in our SOC 2 reports. SpinOne’s cutting-edge services are driven by a collaborative effort with leading cloud service providers such as Amazon, Google, and Microsoft, whose reliability is globally recognized. SpinOne follows the recommendations of ISO/IEC 27002 to ensure that information security controls are implemented in SpinOne.
