What Steps Have We Taken to Get Ready for GDPR?
On May 25, 2018, the European Union’s (EU) General Data Protection Regulation (GDPR) takes effect and will have an impact on anyone who controls or processes personal data of EU citizens and individuals residing in the EU. Since many of Suvoda’s clients and users are EU citizens, we must comply with various GDPR requirements.
This article provides an overview of the steps we have taken to get ready for GDPR and explains our efforts to live up to the spirit and requirements of the GDPR.
As an interim step to GDPR compliance, Suvoda became Privacy Shield framework certified in January 2018. The Privacy Shield framework was designed by the US Department of Commerce, the European Commission, and Swiss Administration, respectively, to provide a mechanism for US companies working with EU citizens to comply with data protection requirements when transferring their personal data from the EU and Switzerland to the US.
Suvoda as a Data Processor
According to the GDPR, the relationship between the processor (Suvoda) and controller (our clients), as well as the nature and type of data processing, need to be made in writing. This is where Suvoda’s Master Services Agreements (MSA) / services contracts, and Data Processing Agreements with our clients come into play. These documents serve to set out the instructions our clients give Suvoda with respect to the processing of personal data that they control, and to establish the rights and responsibilities of both parties. If you believe that your existing MSA / services contract with Suvoda needs to be updated as a result of the GDPR, please contact your Suvoda sales representative directly or contact Suvoda’s Data Privacy Officer at firstname.lastname@example.org.
Data Processing Agreements
Suvoda will only process data based on instructions from our clients, and we are diligently working to put in place GDPR-compliant Data Processing Agreements with our third-party suppliers (where needed), so that we ensure they are held to the same GDPR-compliant data processing standards.
Data Transfers outside the EU
Suvoda will move its production data operations from the US to ISO 27001 compliant data centers in the EU to provide additional assurance to our EU clients that they will receive a level of protection envisioned by the GDPR. If you are a client of Suvoda, you would have already received a notice with details on the data center migration. Where production data is processed by a third-party supplier outside the EU, we will ensure that they have either certified under the EU-US / Swiss-US Privacy Shield framework or signed GDPR-compliant Data Processing Agreements with us (see Data Processing Agreements section above) or with our clients.
Suvoda as a Data Controller
Suvoda is a company with offices in the EU, and as such we are well-versed in the impact that the GDPR will have on multi-national businesses like those of our clients. We are committed to implementing and improving both our technical and procedural controls in line with the GDPR to safeguard the personal data we control and process.
A big part of GDPR compliance is about having controls in place to ensure that the flow of personal data through our processes and systems is mapped and auditable. We are updating our internal processes to ensure we understand and document which third-party suppliers process personal data and the type of personal data they process. We also have processes in place to ensure that access to personal data is documented and strictly limited to only those requiring access. Additionally, we are updating internal processes to ensure that we can respond to requests from data subjects to delete (right to be forgotten), change or receive copies of their personal data within the timeframe specified by GDPR. All of this is supported by training efforts within the company so that the GDPR compliant processes we’ve put in place are followed. Data privacy and security are an essential part of our training program, and each employee receives new hire training and re-training at least annually on these processes.
If you have any questions regarding the steps we are taking to achieve GDPR compliance as a data processor or controller, please contact Suvoda’s Privacy Officer at email@example.com.