Suvoda and GDPR Readiness

What Steps Have We Taken to Get Ready for GDPR?

On May 25, 2018, the European Union’s (EU) General Data Protection Regulation (GDPR) takes effect and will have an impact on anyone who controls or processes personal data of EU citizens and individuals residing in the EU. Since many of Suvoda’s clients and users are EU citizens, we must comply with various GDPR requirements.

This article provides an overview of the steps we have taken to get ready for GDPR and explains our efforts to live up to the spirit and requirements of the GDPR.

As an interim step to GDPR compliance, Suvoda became Privacy Shield framework certified in January 2018. The Privacy Shield framework was designed by the US Department of Commerce, the European Commission, and Swiss Administration, respectively, to provide a mechanism for US companies working with EU citizens to comply with data protection requirements when transferring their personal data from the EU and Switzerland to the US.

As part of the Privacy Shield framework certification process, we updated both our IRT Privacy Policy and Terms of Use and our Suvoda.com website Privacy Policy. These documents were updated to comply with the principles of Privacy Shield and to provide greater transparency to users on how to manage their personal data. We are committed to re-certifying with Privacy Shield on an annual basis following a comprehensive assessment of our Privacy Policies and Terms of Use.

Suvoda as a Data Processor

According to the GDPR, the relationship between the processor (Suvoda) and controller (our clients), as well as the nature and type of data processing, need to be made in writing. This is where Suvoda’s Master Services Agreements (MSA) / services contracts, and Data Processing Agreements with our clients come into play. These documents serve to set out the instructions our clients give Suvoda with respect to the processing of personal data that they control, and to establish the rights and responsibilities of both parties. If you believe that your existing MSA / services contract with Suvoda needs to be updated as a result of the GDPR, please contact your Suvoda sales representative directly or contact Suvoda’s Data Privacy Officer at privacy@suvoda.com.

Data Processing Agreements

Suvoda will only process data based on instructions from our clients, and we are diligently working to put in place GDPR-compliant Data Processing Agreements with our third-party suppliers (where needed), so that we ensure they are held to the same GDPR-compliant data processing standards.

Data Transfers outside the EU

Suvoda will move its production data operations from the US to ISO 27001 compliant data centers in the EU to provide additional assurance to our EU clients that they will receive a level of protection envisioned by the GDPR. If you are a client of Suvoda, you would have already received a notice with details on the data center migration. Where production data is processed by a third-party supplier outside the EU, we will ensure that they have either certified under the EU-US / Swiss-US Privacy Shield framework or signed GDPR-compliant Data Processing Agreements with us (see Data Processing Agreements section above) or with our clients.

Suvoda as a Data Controller

Additionally, Suvoda acts as the data controller for the personal data we collect about users of our Suvoda.com website. It is important to understand that as a data controller we only process data for legitimate business purposes as described in the Suvoda.com website Privacy Policy. We are currently working to improve the way users consent to the use of their data on the Suvoda.com website so that users are required to acknowledge their consent to the Privacy Policy prior to submitting data.

Additional Controls

Suvoda is a company with offices in the EU, and as such we are well-versed in the impact that the GDPR will have on multi-national businesses like those of our clients. We are committed to implementing and improving both our technical and procedural controls in line with the GDPR to safeguard the personal data we control and process.

---

A big part of GDPR compliance is about having controls in place to ensure that the flow of personal data through our processes and systems is mapped and auditable. We are updating our internal processes to ensure we understand and document which third-party suppliers process personal data and the type of personal data they process. We also have processes in place to ensure that access to personal data is documented and strictly limited to only those requiring access. Additionally, we are updating internal processes to ensure that we can respond to requests from data subjects to delete (right to be forgotten), change or receive copies of their personal data within the timeframe specified by GDPR. All of this is supported by training efforts within the company so that the GDPR compliant processes we’ve put in place are followed. Data privacy and security are an essential part of our training program, and each employee receives new hire training and re-training at least annually on these processes.

We will continue to revise and improve our IRT Privacy Policy and Terms of Use and Suvoda.com Privacy Policy as needed throughout this process to increase transparency and make sure these critical documents meet the requirements of the Privacy Shield framework and the GDPR.