Insightly's GDPR readiness
What is GDPR?
GDPR, or the General Data Protection Regulation, is a new set of EU regulations set to come into force as a replacement for the existing Data Protection Act. It sets out the rules and regulations for personal data protection, and every organization within the EU must comply.
We take data security seriously here at Insightly and have taken stringent measures to ensure customer data is protected, secure, and compliant. Over the years, we have demonstrated our commitment to data privacy by meeting SOC2 Type I and SOC2 Type II standards. With our international customers in mind, Insightly has also taken measures to be EU-US Privacy Shield framework compliant. Regarding GDPR, we will be no different. Insightly has been actively looking into the current regulations, and working towards being fully compliant by the time the regulation comes into effect on May 25, 2018.
What does the GDPR do, exactly?
The GDPR gives EU persons more rights and protections for their personal data. These include:
The right to be informed
Companies must provide certain information, such as a privacy notice, and the regulation emphasizes transparency over how companies use personal data.
The right of access
Individuals will have the right to ask—and receive an answer—if an organization is processing their data. This information must be provided largely for free within one month of request.
The right to rectification
If a person’s data is incorrect or incomplete, he or she has the right to have it corrected. If you have given third parties that person’s data, you must inform the third party of the correction, and tell the person which third parties have their personal data.
The right to be forgotten
A person may request the removal of his or her personal data in specific circumstances.
The right to restrict processing
Under certain circumstances, an individual can block the processing of his or her personal data.
The right to data portability
A person can obtain their data for their own use and take it wherever they like.
The right to object
A person can object to the use of their personal data for most purposes.
What should you do to be GDPR ready?
You should make sure that decision makers and key people in your organization are aware that the law is changing under the GDPR.
Information you hold
You should document what personal data you hold, where it came from and who you share it with. Best practice would be to organize an information audit.
You should check your procedures to ensure they cover all the rights individuals have, including how you would delete personal data or provide data electronically and in a commonly used format.
Subject access requests
You should update your procedures and plan how you will handle requests within the new timescales and provide any additional information.
Lawful basis for processing personal data
You should identify the lawful basis for your processing activity in the GDPR, document it and update your privacy notice to explain it.
You should review how you seek, record and manage consent and whether you need to make any changes. Refresh existing consents now if they don’t meet the GDPR standard.
You should start thinking now about whether you need to put systems in place to verify individuals’ ages and to obtain parental or guardian consent for any data processing activity.
You should make sure you have the right procedures in place to detect, report and investigate a personal data breach.
Data Protection by Design and Data Protection Impact Assessments
You should familiarize yourself now with the ICO’s code of practice on Privacy Impact Assessments as well as the latest guidance from the Article 29 Working Party, and work out how and when to implement them in your organization.
Data Protection Officers
You should designate someone to take responsibility for data protection compliance and assess where this role will sit within your organization’s structure and governance arrangements. You should consider whether you are required to formally designate a Data Protection Officer.
If your organization operates in more than one EU member state (i.e., you carry out cross-border processing), you should determine your lead data protection supervisory authority. The Article 29 Working Party guidelines will help you do this.
GDPR readiness: A shared responsibility
Your customers’ rights as data subjects
A key part of GDPR is letting individuals choose what happens to their personal data. Individuals can ask companies to:
- Access and correct errors
- Delete personal data
- Object to its processing
- Export it
Your role as a data controller
As the data controller, you will determine the personal data we process and store on your behalf. You will also provide privacy notices to individuals who engage with your brands detailing how you collect and use information, and obtain consents, if needed. If those individuals want to know what data you maintain about them or decide they want to discontinue their relationship with you, you will respond to those requests.
Our role as a data processor
When we provide software and services to an enterprise, we’re acting as a data processor for the personal data you ask us to process and store as part of providing the services to you. As a data processor, we only process personal data in accordance with your company’s permission and instructions.
GDPR Key Changes - https://www.eugdpr.org/key-changes.html
GDPR FAQs - https://www.eugdpr.org/gdpr-faqs.html