The tools you need to help you prepare for GDPR
At Cendyn Ovations we’ve been working hard to ensure that we are prepared for the upcoming General Data Protection Regulation (GDPR) legislation, and in turn, ensure you are prepared too. To help keep you up to date with this, we’ve outlined how Ovations can help organizations ensure EU individuals’ data is being processed in a compliant and transparent way.
Quick GDPR recap:
The General Data Protection Regulation (GDPR) is comprehensive legislation designed to harmonize data protection law across the European Union (EU). It imposes new regulations on organizations that engage with individuals in the EU, expands individuals’ rights with respect to the processing of their personal data, and mandates data security measures appropriate to the risk of processing personal data. It also includes tougher enforcement for violations of the rules. GDPR became effective on May 25, 2018. As a reminder, even if your organization is located outside of the EU this legislation still applies, as it covers entities that collect data of EU citizens regardless of whether they have a physical presence in the EU.
To help you prepare and set your organization up for success, the following should be key items on your checklist to understand and put in place for your company.
Check your database for legal grounds to process data:
Data controllers must have a valid lawful basis to process personal data. Here are the six legal grounds for processing personal data:
- Consent: the individual has given clear consent for you to process their personal data for a specific purpose
- Contract: the processing is necessary for a contract you have with the individual, or because they have asked you to take specific steps before entering into a contract
- Legal obligation: the processing is necessary for you to comply with the law (not including contractual obligations)
- Vital interests: the processing is necessary to protect someone’s life
- Public task: the processing is necessary for you to perform a task in the public interest or for your official functions, and the task or function has a clear basis in law
- Legitimate interests: the processing is necessary for your legitimate interests or the legitimate interests of a third party unless there is a good reason to protect the individual’s personal data which overrides those legitimate interests. (This cannot apply if you are a public authority processing data to perform your official tasks.)
How to check for legal grounds to process data:
Ask the following questions during your check:
- Has the customer explicitly agreed for you to process their personal data?
- Do these individuals fall under any of the other legal grounds for processing (as listed above)?
For anyone in your database not covered by the legal grounds to process data, as listed above, you will need to obtain consent to contact them as well as to store their information in the database.
Ovations’ customizable configurations enable organizations to securely manage their customer data through a variety of data retention settings, meeting any organization’s compliance standards.
Set up your database for longevity:
To ensure your database is maintained so that every record is covered by a legal ground for processing, we recommend organizations implement policies for data storage and retention. Determine your company’s data retention policy and set up a process to ensure the data is retained according to that policy. It’s also good practice to make your privacy policy visible and accessible. We recommend adding a link to your privacy policy anywhere you provide the option for individuals to sign up. This will emphasize your commitment to transparency and accountability for how you process data.
Handle individual data requests:
GDPR expands individuals’ rights in the EU with respect to the processing of their personal data and mandates data security measures appropriate to the risk of processing personal data. It provides the following rights for individuals:
- The right to be informed
- The right of access
- The right to rectification
- The right to erasure
- The right to restrict processing
- The right to data portability
- The right to object
- Rights in relation to automated decision making and profiling
Cendyn Ovations provides organizations with the tools necessary to process any of these types of requests. As the data controller, it is the organization’s responsibility to report the request to the data processor (Cendyn Ovations). The organization can submit a request to privacy@cendyn.com. Following receipt of that request, Cendyn Ovations will process it and update the organization on the status and completion of the request for auditing purposes.
Maintain accountability:
Cendyn Ovations worked in collaboration with the leading data privacy management company, TrustArc, to ensure that Ovations was GDPR compliant by May 25, 2018. Cendyn Ovations has an exceptional privacy and security track record with customers’ data and has been actively preparing for GDPR since 2016. Cendyn is Privacy Shield certified, CASL and PDPA compliant, as well as PCI certified. Cendyn Ovations is also SOC II certified and currently in the process of becoming ISO certified.
As a data processor, Cendyn Ovations is prepared to support customers in their own GDPR compliance as data controllers by:
- Securely and confidentially storing and processing data until it is safely returned or destroyed
- Supporting customers’ obligations as data controllers during auditing or consumer rights requests
- Implementing necessary technical solutions such as consent mechanisms and retention of evidence
- Providing Article 30 reporting to DPA or clients upon request