PREPARING FOR THE GENERAL DATA PROTECTION REGULATION
On May 25, 2018, the European Commission’s General Data Protection Regulation (GDPR) will go into effect. The regulation is designed to give EU citizens greater control over their personal data and contains significant changes to European data privacy legislation that affects any company offering goods or services to EU citizens, as well as companies who process their personal data.
At Dynamic Signal, our customers can trust that we have made, and will continue to make, GDPR compliance a priority. We are committed to ensuring that the Dynamic Signal platform is GDPR-ready by May 25, 2018, and we have devoted significant effort and resources to maintaining this readiness for the future. The sections below describe what GDPR is and what Dynamic Signal is doing to be ready.
The Road to GDPR Compliance
What is GDPR?
The GDPR is a comprehensive EU data protection law going into effect May 25, 2018 that strengthens personal data protections in a time of continuous and rapid technological development, increased globalization and cross-border flows of personal data. It replaces the individual national data protection laws of EU member states with a single set of regulations that is enforceable throughout the EU.
What does GDPR regulate?
GDPR regulates the “processing” of data about EU individuals, including collection, tracking, storage, transfer and use. Any organization that processes personal data of EU individuals is responsible for complying with GDPR, regardless of whether the organization has a physical presence in the EU. GDPR defines “personal data” broadly, covering any information related to an identified or identifiable individual (a “data subject” in the regulation).
How does GDPR change privacy rights?
GDPR changes privacy rights in the following ways (summary, not exhaustive):
Expanded privacy rights for EU individuals, including data breach notification and additional security requirements for organizations
New customer profiling and monitoring requirements
Binding corporate rules to legalize transfers of personal data outside the EU
Fines of up to 20M Euros or 4% of global revenue for organizations that fail to adhere to GDPR compliance obligations
Dynamic Signal’s security and privacy efforts ensure that our platform complies with GDPR. While every company should assess its own data privacy practices, we currently anticipate no additional requirements pertaining to our customers’ employees’ use of Dynamic Signal.
Dynamic Signal’s GDPR Compliance Overview
Dynamic Signal began our GDPR journey in 2017 by partnering with Navigant, an independent specialty consulting firm whose professional services include dispute, investigative, economic, operational, risk management technology, financial and regulatory advisory solutions. Navigant has a specialty in regulatory compliance and privacy. The Navigant team consists of privacy consultants who formerly worked for the European Data Protection Supervisor’s office and the Federal Bureau of Investigation. The readiness program contains privacy management activities that map directly back to the articles set forth in GDPR and align with guidance provided by EU data protection authorities, as outlined below.
Download Navigant’s Becoming GDPR Ready guide
Privacy Shield – Having ensured that our internal policies and practices conform to the Privacy Shield principles (www.privacyshield.gov), we are self-certifying with the EU-U.S. and Swiss-U.S. Privacy Shield self-certification program operated by the U.S. Department of Commerce. Also, as we provide for in our Data Protection Addendum, if Privacy Shield is no longer recognized as a legitimate basis for the transfer of Personal Data outside the EU, then we offer to our customers the EU Standard Contractual Clauses for such transfers.
Data Privacy Impact Assessments (DPIAs) – We are completing a DPIA for our platform and evaluating other processes to determine where DPIAs are needed because those processes are high-risk to data subjects. Such DPIAs are conducted based on the requirements in Article 35 of the GDPR. Our DPIA process and template take into account guidance from the CNIL (French Data Protection Authority) and guidance from the Article 29 Working Party.
Data Security – Dynamic Signal is enhancing policies and procedures to help minimize the risk of improper use or inadequate protection of personal data, including information security, incident response and disaster recovery plans.
Data Subject Rights – We are enhancing and developing policies and procedures so that Dynamic Signal, and our customers, can extend rights of access, erasure, portability, the right to be forgotten, and similar privacy rights to data subjects where required. For example, we are developing new procedures to handle Article 12 data subject requests and a process for the deletion and anonymization of personal data in response to legitimate requests for erasure.
Vendor Compliance Maintenance – We are enhancing procedures and supporting documentation to assess vendors and procurement processes, including securing appropriate data protection and similar agreements with our vendors who handle personal data on our behalf.
Privacy By Design – For new products and enhancements, we will proactively apply the Data Protection by Design principles.
Data Inventory – We are developing a registry of personal data holdings, including a record of processing activities, and relevant attributes such as the type of personal data, the owner of the data, and the basis for processing the data.
Data Security – In addition to enhancing policies and procedures to help minimize the risk of improper use or inadequate protection of personal data, we are also enhancing our security practices and protocols. For instance, we are conducting an SSAE 16 SOC2 internal audit in addition to using data centers that are already SOC2 compliant. We encrypt all platform data in transit and all backups. Our data logs are retained for 90 days, and at the end of a customer contract we delete all data within 90 days of the contract’s termination.
Data Protection Officer (DPO) – Dynamic Signal has appointed David Manek, CIPP/E, CIPM, from Navigant Consulting, to serve as its interim third-party DPO under the GDPR, with direct access to our executives. This provides an extra layer of governance and oversight for any data privacy concerns.
Privacy Office – We have formed a Privacy Office and internal department liaisons who serve as the stewards of privacy going forward for Dynamic Signal, including members of our legal, architecture, security and customer success teams.
Employee Training – We have provided, and will continue to provide, GDPR training to all our employees to ensure that they approach each facet of their work with privacy in mind.
For more information, please contact your Dynamic Signal Customer Success Manager.