GDPR Ready

What is GDPR

GDPR stands for General Data Protection Regulation, also referred to as Regulation (EU) 2016/679. GDPR replaces the existing data protection directive that was introduced in 1995 and has been created by the European Parliament, the Council of the European Union and the European Commission to strengthen and unify data protection for all residents of the European Union.

Additionally, GDPR addresses data protection rules for personal data export outside of the European Union. It also enforces EU data protection laws to guide foreign organisations that process personal data pertaining to residents of the European Union.

GDPR will:

  • Increase privacy and extend data rights for EU residents.
  • Help EU residents understand personal data use.
  • Address the export of personal data outside of the EU.
  • Give regulatory authorities greater powers to take action against organisations that breach the new data protection regulations.
  • Simplify the regulatory environment for international business by unifying data protection regulations within the European Union.
  • Require every new business process that uses personal data to abide by the GDPR data protection regulations and Privacy by Design rule.

GDPR main action points:

  1. ‘Right to be forgotten’ – also known as Data Erasure. EU residents will have the right to request that personal data relating to them is erased. This could be based on a number of grounds that include non-compliance, data no longer being relevant to its original purposes, or data subjects withdrawing consent.
  2. ‘Right to access’ – Data subjects will have the right to obtain confirmation from the data controller whether or not personal data concerning them has been processed, where it has been processed and for what purpose.
  3. Data breach notifications will become mandatory in all member states – in the instance that the data breach is likely to “result in risk pertaining to the rights and freedoms of individuals”.
  4. Consent rules are changing and opt-in requirements for obtaining personal data are stricter. The conditions for consent have been strengthened, as companies will no longer be able to utilise long illegible terms and conditions full of legalese. Organisations are required to ensure that consent is clear, distinguishable and provided in an easily accessible form with the purpose of the data processing disclosed and attached to the consent. It must be just as easy to withdraw consent as it is to give it.
  5. ‘Privacy by Design’ – Now a legal requirement under the GDPR, Privacy by Design calls for data protection to be included from the outset of system design, instead of being added on afterwards.
  6. Data Controllers and Data Processors will be required to conduct privacy risk impact assessments for projects that have high privacy risks.
  7. Data processing activity notification rules are changing. Under GDPR it will no longer be necessary for Data Controllers to submit notifications / registrations of data processing activities to local Data Protection Officers. In addition, it will no longer be a requirement to notify / obtain approval for transfers based on the Model Contract Clauses (MCCs). This will be replaced by an internal record keeping requirement. There is an exception to this, which is explained in the Data Protection Officer section further into this document.
  8. The new Accountability Principle in Article 5(2) requires you to demonstrate that you comply with the principles and states explicitly that this is your responsibility.

Updated SplashAccess

SplashAccess has been busy adding extra functionality to its products, and the information below answers some of the questions we have been asked over the past few months regarding GDPR.

  1. All data is stored here in the UK.
  2. Data is segmented into client instances.
  3. SplashAccess servers are behind a managed firewall.
  4. Multiple servers dedicated to web and data.
  5. DC fully accredited.
  6. Encrypted storage of personal data.
  7. Encrypted data exports.
  8. Full detailed audit log.
  9. Updated splash page with clear opt-in.
  10. Updated data and privacy policy.
  11. Clarification of data usage on the client page.
  12. The ability for a user to update / remove / delete.
  13. The right to be forgotten built into all accounts.
  14. External third-party penetration testing.
  15. Data notification updates on SplashAccess.

We will update this section further as we move closer to the implementation date.
