The EU General Data Protection Regulation (GDPR) is a comprehensive set of rules designed to keep the personal data of all EU citizens collected by any organization, enterprise, or business safe from unauthorised access or use. The GDPR will go into effect on May 25, 2018, and the provisions in the law will greatly affect the way every business transaction involving EU citizens is conducted from that point forward.
Provisions in the GDPR grant the EU the authority to enforce the regulations across international borders. There are no exemptions for size, scope, location, or first offenses. Fail to meet the provisions of GDPR and you will incur penalties.
Organisations that ignore the GDPR are opening themselves up to uncertain liability, substantial risk, and potential financial hardship. The gravity of the GDPR would suggest a prudent course of action is required, including establishing procedures, protocols, and policies that address and meet the requirements of the law.
The stated goal of the GDPR is to protect all EU citizens from privacy and data breaches. To achieve this goal, the GDPR requires a good faith effort from all enterprises and organisations to safeguard personal data collected and/or processed in a transaction.
IPSE, in a concerted effort to comply with the letter and the spirit of the GDPR, has established a set of procedures, protocols, and policies specifically designed to protect all personal data collected during the normal course of business.
The protocols and procedures outlined in this policy will apply to every employee of IPSE without exception. IPSE will operate on the principle that any single data breach is a total data breach; therefore, the protocols and procedures of this GDPR policy will apply to all collected personal data, regardless of whether that data falls under GDPR jurisdiction.
What is personal data?
The GDPR defines personal data in the broadest of terms:
“Any information related to a natural person or ‘Data Subject’, that can be used to directly or indirectly identify the person. It can be anything from a name, a photo, an email address, bank details, posts on social networking websites, medical information, or a computer IP address.”
In practical terms, IPSE will consider any information collected about an individual as a part of a normal business transaction as personal data. The provisions of the GDPR extend to third-party processors of financial services or other cloud-based services, as well.
Access to restricted personal data will be limited to employees and systems designated by job description or security protocol as having the authority to have that access. Systems and employees must provide appropriate authentication credentials before accessing restricted personal data in accordance with established security protocols and policies. No employee or system will be allowed to access restricted personal data without proper authentication credentials.
IPSE has established a clear and concise Data Incident Policy and is prepared to react and counteract any intrusion into the network with a plan of action that will mitigate potential damage and protect vital enterprise data, including personal data as defined by the GDPR. Any detected security breach or other unauthorised access will immediately invoke the provisions and protocols outlined in IPSE Data Incident Policy.
Any information you access when conducting business that pertains to living individuals is covered by the Data Protection Act. More stringent rules apply to sensitive personal data, such as information about a person's race or ethnic origin, religious beliefs, or health.
The GDPR specifically prohibits the use of long, convoluted terms-and-conditions statements, particularly statements that contain confusing legal text. Any request for consent, declaration of terms, or statement of privacy must be presented clearly and concisely, without any ambiguity of meaning. Furthermore, it must be as easy to withdraw consent as it is to give it.
All statements regarding personal data will be easily accessible from every page on the customer-facing website.
Data subject rights
The GDPR establishes several specific rights applicable to what it calls data subjects (the individual from whom data will be collected by IPSE):
Breach notification
IPSE will notify all data subjects that a security breach has occurred within 72 hours of discovering it. The method of this notification will include as many forms as deemed necessary to disseminate the information in a timely manner, including email, telephone message, and public announcement.
Right to access
IPSE will provide, at the data subject’s request, confirmation as to whether personal data pertaining to them is being processed, where it is being processed, and for what purpose. IPSE will also provide, at the data subject’s request and free of charge, an electronic copy of the personal data being processed.
Right to be forgotten
At the data subject's request, IPSE will erase their personal data, cease further dissemination of the data, and halt processing of the data. Valid conditions for erasure include when the data is no longer relevant to the original purposes for processing and when a data subject withdraws consent.
Right to data portability
IPSE acknowledges the right of a data subject to receive any previously provided personal data concerning them in a commonly used and machine-readable format. It also acknowledges that the data subject has a right to transmit that data.
Privacy by Design
IPSE shall follow Privacy by Design principles and implement appropriate technical and organisational measures in an effective way to meet the requirements of the GDPR and to protect the rights of data subjects. IPSE will process only the data absolutely necessary for the completion of its business and limit access to personal data to those employees needing the information to complete the consented-to process.
This policy was last updated on 18 May 2018.