What is the General Data Protection Regulation (GDPR)?
The GDPR is a European Union (EU) Regulation, which comes into effect in all EU Member States on 25 May 2018. The GDPR was envisioned to harmonize the current data protection laws in Europe, which up to now have been implemented differently through the various Member States. It will replace the Data Protection Directive 1995/46/EC and the Data Protection Directive 2002/58/EC for the electronic communication sector, which originally set out the standards for the protection of personal data in the EU.
The European Union’s GDPR is a comprehensive overhaul of data protection legislation and contains new requirements that expand its scope and requires greater transparency from companies when handing personal data. It applies to all EU citizens and so for many global organizations, like Purview, it can have extra-jurisdictional reach if a company’s systems, processes and procedures are global. In that sense, the GDPR has become the new benchmark for personal data protection across the world. And all of this is underpinned by significantly expanded enforcement options for non-compliance. Under the GDPR, EU regulators will be vested with the ability to fine organizations between 2% and 4% of worldwide annual global revenue. The new GDPR law will become enforceable from 25 May 2018, after a two-year transition period, and there is no grace period for compliance after this date.
How is Purview responding to GDPR?
Purview is committed to complying with data protection laws applicable to our business, including the GDPR. We began an evaluation of the requirements under the GDPR earlier in the year in terms of what it means for Purview and its own compliance as well as for any other global organization. Purview has also assessed what GDPR will mean in the context of Purview’s provision of services to our customers to determine where and how we might best support our customers’ own compliance efforts.
Purview has established a comprehensive program of work to address the changes required by GDPR. The program of work incorporates effort across the company, led by Purview’s compliance team, with involvement from the entire set of employees of the company. Where our systems support EU customers, we are applying GDPR so we adhere to the highest quality standards terms of security parameters, confidentiality requirements, access, availability, data integrity and data privacy controls. Further, we are evaluating our policies and procedures across all business functions to ensure they align to our compliance requirements under the GDPR.
What is the impact to Purview customers?
In the provision of our core data center services, we believe that the GDPR does not alter the nature of Purview’s relationship with our customers. However, customers can continue to take comfort from the robust physical security and programmatic measures that Purview has in place together with its data center partners, which provide a secure environment for customers.
There are limited types of personal data from customers and business partners that Purview does obtain, which for the most part are related to business contact information obtained in the context of providing data center services to customers, and in its capacity as data controller. Purview will take all necessary steps to comply with GDPR obligations with respect to such personal data, including taking all appropriate technical and organizational measures and safeguards to protect such personal data against accidental or unlawful destruction, accidental loss, alteration, unauthorized disclosure or access, and against other unlawful forms of processing.
Launch of a Privacy Office
To facilitate GDPR compliance, and to ensure strong and consistent support for data privacy matters within Purview globally, Purview has recently established a Privacy Office to manage data privacy compliance for Purview and to co-ordinate support for customers on data privacy matters. The Privacy Office has cross functional responsibility and is both internal and external facing, working internally across the company, but also acting as a point of contact for data subjects or local regulators to liaise with Purview regarding any data privacy matters, ensuring all applicable information is provided as required and requested.
A Privacy Hub is being developed to assist the Privacy Office to carry out its activities, and to bolster its internal controls to ensure the confidentiality and integrity of the personal data held by Purview. Details of Purview’s personal data processing activities will be retained on the Privacy Hub. It will also be the forum within Purview to manage valid subject access requests made by data subjects and bona fide complaints handling.
How will Purview ensure its staff understand the data privacy requirements in relation to GDPR?
Purview has undertaken an internal communications initiative to raise awareness of GDPR and what it means for Purview, including internal training programs for employees covering security awareness and responsibility. Purview has a Code of Business Conduct on which all Purview employees are informed and trained periodically, and this training will include concepts of data privacy awareness and understanding. The Code of Business Conduct is available on request.
How will Purview comply with GDPR requirements around data breaches?
Purview is supplementing its existing data security breach notification process, its incident management process and its crisis communications plans to ensure full compliance to the GDPR notification requirements in the event of a data security breach involving personal data to ensure Purview can adhere to all applicable time lines for notification.
How does Purview ensure that its sub-contractors and suppliers comply with GDPR?
Purview’s compliance program of work includes outreach to all current system vendors or service providers who handle personal data to ensure compliance with Purview’s own high standards in relation to GDPR. In many cases, these responses will also be supplemented by contractual assurances relating to GDPR compliance.
How does Purview demonstrate GDPR compliance on all transfers of personal data outside of the EU?
GDPR maintains the EU regulatory framework for the trans-border flow of personal data. Purview has applied to be a member of Privacy Shield which deals with its ability to store and maintain EU citizens’ information in its data centers. In certain cases, and it its capacity as data controller, Purview does transfer business contact information of customers and business partners from the EU to the United States and a select group of other countries.
How will GDPR compliance be ensured by Purview going forward?
Purview recognizes that ensuring GDPR standards are embedded in our day to day operations is a key GDPR compliance requirement. GDPR compliance will be applied to any new system or process, any new product or service being developed or against any new supplier engagement, which involves some substantive form of personal data processing. The work of the Privacy Office is key to this on-going compliance effort.
Finally, as GDPR takes effect, rest assured that Purview will be monitoring GDPR enforcement and responding appropriately as the European Commission and local regulators provide advice and direction as to how companies comply with the GDPR. Purview will be continually assessing the impact of GDPR on its business and take the necessary steps to ensure that compliance is maintained going forward.