Compliance with GDPR
By: Sue Diltz, CIO/Chief Security & Privacy Officer
The European Union’s (EU) General Data Protection Regulation (GDPR), effective 25 May 2018, strengthens the protection of personal data of individuals in the EU member states and in the EEA countries Norway, Iceland and Liechtenstein. The UK has committed to keeping the same standard after Brexit. It’s hard to imagine a company or industry offering goods or services in Europe that won’t be affected by these detailed personal data protection requirements.
Speaking for Graebel, I welcome the new regulations. They’re rigorous but reasonable and consistent with the spirit of security and transparency in which we’ve handled personal information in the past, not only in Europe but around the globe.
In general, the GDPR builds on the EU’s previous privacy standard, the 1995 Data Protection Directive (95/46/EC). It expands and clarifies those requirements in areas including:
- Territorial Scope – It applies to organisations established in the EU, and to organisations based anywhere else that offer goods or services to, or monitor the behaviour of, individuals in the EU (Article 3)
- Penalties – Fines are graduated and capped, with a maximum of €20 million or 4% of worldwide annual turnover, whichever is higher (Article 83). This is far larger than under the Directive.
- Consent – Consent must be freely given, specific, informed and unambiguous; requests must be in clear and plain language with minimal “legalese”, and withdrawing consent must be as easy as giving it (Article 7)
- Rights of Individuals:
  - Breach notification – The supervisory authority must be notified within 72 hours of the organisation becoming aware of a breach (Article 33); affected individuals must be told without undue delay when the breach is likely to result in a high risk to them (Article 34)
  - Right of Access – They may request a copy of the personal data the organisation holds about them and information about how it is processed (Article 15)
  - “Right to be Forgotten” – They can request that the organisation erase their personal data (Article 17)
  - Data Portability – They can receive their data in a structured, machine-readable format and transmit it to another organisation (Article 20)
- Privacy by Design – Data protection must be built into the initial design of any system that uses or holds personal data, and the default settings must be the most privacy-protective (Article 25).
- Data Protection Officers – Organisations must appoint a Data Protection Officer if they are a public authority, or if their core activities involve large-scale regular and systematic monitoring of individuals or large-scale processing of special categories of data (Article 37).
For more on these issues, you can go right to the source and review the EU’s material, including a useful summary of the requirements.
GDPR and Mobility
As a Relocation Management Company (RMC), we’re entrusted every day with basic personal identifiers for transferees and assignees. For immigration and similar services we may also need to collect and store more sensitive personal data, for example citizenship, gender, marital status and place of birth. Protecting this information is critical.
Our GDPR obligations also extend to each of the partner companies and service providers with whom we share this information as they work on behalf of our customers; a processor may be engaged only under a written contract that imposes the GDPR’s obligations on it (Article 28). That’s one of the reasons we carefully screen our global service partners – the companies that handle specific relocation services from household goods management to immigration and tax support. We not only must ensure they’re taking excellent care of our customers, we must verify they have proper systems in place to protect personal data.
The European Relocation Association (EuRA) has released an extensive review of the key provisions of the GDPR from the perspective of the Mobility industry.
Graebel is Ready
Following the adoption of the GDPR in April 2016, Graebel created a cross-functional assessment team and began updating our policies and procedures to integrate the new requirements. Since that time, we’ve taken the following steps, which will be completed by 25 May:
- Retained a third party (TrustArc) to perform a prioritised gap assessment to identify the steps we needed to take
- Conducted a data inventory and mapped our business processes to build the records of processing required by GDPR Article 30
- Identified all external-facing applications that collect personal data and created the related privacy notices (GDPR Articles 13/14)
- Documented our processes as a Data Controller (GDPR Article 30.1) and as a Data Processor (GDPR Article 30.2)
- Developed custom code for our cookie notice and consent process
- Validated our records retention policy to align with the storage limitation and data protection by design principles (GDPR Articles 5/25)
- Updated our Incident Response Plan so that notification processes are in place for the supervisory authority (within 72 hours, GDPR Article 33) and for affected individuals (GDPR Article 34)
- Developed a process and plan for Data Protection Impact Assessments (GDPR Article 35)
- Updated our client and supplier contracts to include the processor terms required by GDPR Article 28
- Developed employee training to prepare teams for their specific responsibilities under the GDPR
- Created internal processes to support the individual rights of access, erasure and portability (GDPR Articles 15/17/20)
- Developed an annual testing plan for our GDPR Compliance Programme, including breach notification
Again, we congratulate the EU countries on the thoughtful way they’ve drafted these new regulations. Yes, preparing for this has been a lot of work for us and other RMCs. But our processes are the better for it since the requirements are based on a very defensible approach to protecting individual privacy.
Here’s to the World Ahead!