GENERAL DATA PROTECTION REGULATION READINESS
On May 25, 2018, the European Commission's General Data Protection Regulation (GDPR) went into effect. The regulation is designed to give EU citizens greater control over their personal data and contains significant changes to European data privacy legislation that affect any company offering goods or services to EU citizens, as well as companies that process their personal data.
At Dynamic Signal, our customers can trust that we have made, and will continue to make, GDPR compliance a priority. We have developed accountability and other measures within our organization to demonstrate that the Dynamic Signal platform is GDPR-ready, and we will continue to devote significant effort and resources to maintaining this readiness in the future. The sections below describe what GDPR is and what Dynamic Signal has done to demonstrate GDPR readiness.
What is GDPR?
The GDPR is a comprehensive EU data protection law that strengthens personal data protections in a time of continuous and rapid technological development, increased globalization and cross-border flows of personal data. It replaces the individual national data protection laws of the EU member states with a single set of rules that is enforceable throughout the EU.
What does GDPR regulate?
GDPR regulates the "processing" of data about EU individuals, including collection, tracking, storage, transfer or use. Any organization that processes the personal data of EU individuals is responsible for complying with GDPR, regardless of whether the organization has a physical presence in the EU. GDPR broadens the definition of "personal data" to cover any information relating to an identified or identifiable individual (a "data subject" in the regulation).
How does GDPR change privacy rights?
GDPR changed privacy rights in the following ways (summary, not exhaustive):
- Expands privacy rights for EU individuals, including data breach notification and additional security requirements for organizations
- Introduces new customer profiling and monitoring requirements
- Imposes fines of up to 20M Euros or 4% of global revenue on organizations that fail to meet their GDPR compliance obligations
- Establishes a central point of enforcement through supervisory authorities appointed in each country, coordinated by the European Data Protection Board
Dynamic Signal's GDPR Compliance Overview
Dynamic Signal began its GDPR journey in 2017 by partnering with Navigant Consulting, an independent specialty consulting firm whose professional services include dispute, investigative, economic, operational, risk management, technology, financial and regulatory advisory solutions. Navigant specializes in regulatory compliance and privacy. The Navigant team consists of privacy consultants who formerly worked for the European Data Protection Supervisor's office and the Federal Bureau of Investigation. The readiness program contains privacy management activities that map directly back to the articles set forth in GDPR and align with guidance provided by EU data protection authorities, as outlined below.
Download Navigant's Becoming GDPR Ready guide
- Privacy Shield – Having ensured that our internal policies and practices conform to the Privacy Shield principles (www.privacyshield.gov), we have self-certified with the EU-U.S. and Swiss-U.S. Privacy Shield self-certification program operated by the U.S. Department of Commerce. Also, as we provide for in our Data Protection Addendum, if Privacy Shield is no longer recognized as a legitimate basis for the transfer of Personal Data outside the EU, then we offer to our customers the EU Standard Contractual Clauses for such transfers.
- Data Privacy Impact Assessments (DPIAs) – We completed the DPIA for our platform and will continue to reassess it, and we are evaluating other internal processes to determine where DPIAs are needed because those processes are high-risk to data subjects. Such DPIAs are conducted based on the requirements of Article 35 of the GDPR. Our DPIA process and template take into account guidance from the CNIL (French Data Protection Authority) and guidance from the Article 29 Working Party.
- Data Security – Dynamic Signal is continuing to enhance policies and procedures to help minimize risks of improper use or protection of personal data, including information security, incident response and disaster recovery plans.
- Data Subject Rights – We developed, and will continue to enhance, policies and procedures so that Dynamic Signal and our customers can extend rights of access, erasure, portability, the right to be forgotten, and similar privacy rights to data subjects where required. For example, we developed new procedures to handle Article 12 data subject requests and a process for the deletion and anonymization of personal data in response to legitimate requests for erasure.
- Vendor Compliance Maintenance – We are enhancing procedures and supporting documentation to assess vendors and procurement processes, including securing appropriate data protection and similar agreements with our vendors who handle personal data on our behalf.
- Privacy by Design – For new products and enhancements, we are proactively applying the Data Protection by Design principles.
- Data Inventory – We have developed, and will continue to evaluate, a registry of personal data holdings, including a record of processing activities and relevant attributes such as the type of personal data, the owner of the data, and the basis for processing the data.
- Data Security – In addition to enhancing policies and procedures to help minimize the risks of improper use or inadequate protection of personal data, we are also enhancing our security practices and protocols. For instance, we are conducting an SSAE 16 SOC2 internal audit in addition to using data centers that are already SOC2 compliant. We encrypt all platform data in transit and all backups. Our data logs are retained for 90 days, and at the end of a customer contract we delete all data within 90 days of the contract's termination.
- Data Protection Officer (DPO) – Dynamic Signal has appointed David Manek, CIPP/E, CIPM, of Navigant Consulting, to serve as its interim third-party DPO under the GDPR, with direct access to our executives. This provides an extra layer of governance and oversight for any data privacy concerns.
- Privacy Office – We have formed a Privacy Office and internal department liaisons who serve as the stewards of privacy going forward for Dynamic Signal, including members of our legal, architecture, security and customer success teams.
- Employee Training – We have provided, and will continue to provide, GDPR training to all our employees to ensure that they approach each facet of their work with privacy in mind.