SECURITY ● MAY 26, 2018
Making things personal: GDPR
What is GDPR?
The General Data Protection Regulation (GDPR) is a regulation in European law on data protection and privacy for all individuals within the European Union. It also addresses the export of personal data outside Europe. Fines for violating GDPR can go up to 4% of a company’s total revenues. Several countries, China among them, have also announced that they will follow suit.
We at Atidiv have taken multiple steps to become GDPR compliant, something that has kept us busy for the last few months. This has enabled us to work on processes that handle the personal data of people in the European Union.
Who does the GDPR apply to?
The GDPR changes apply particularly to two types of entities:
1. Data controllers: organizations that collect data from EU residents
2. Data processors: organizations that process data on behalf of data controllers
Under these definitions, Atidiv falls into the data processor category, i.e. it processes data on behalf of clients. GDPR also applies to organizations outside the EU if they collect or process personal data of individuals located inside the EU.
What is personal data?
‘Personal data’ means any information relating to an identified or identifiable natural person (‘data subject’). This covers any data that points to or is associated with a particular person: e.g. firstname.lastname@example.org is personal data, whereas email@example.com is not personal data, since it doesn’t point to a particular person.
How does this affect your partnerships?
Your partner processes data on your behalf and is therefore affected by GDPR as a data processor.
How is Atidiv ensuring GDPR compliance?
We have invested heavily in security measures and data protection to ensure our clients have a comfortable and personalized experience while working with us. Our teams are working diligently to ensure we understand our customers better. Atidiv strives to provide a smooth customer experience at all touchpoints.
Being compliant with GDPR has multiple steps, which we have undertaken in the last few months:
1. Identification: Sifting through client data sources to identify personally identifiable information (PII)
2. Data Protection Impact Assessment (DPIA): Conducting audits for clients to evaluate risks and concerns with respect to data protection
3. Mitigation plan: Based on any red flags involved while conducting a DPIA, creating a plan to minimize security threats
4. Data Encryption: Ensuring personal data is encrypted when being transmitted across any medium
5. Appointment of a Data Protection Officer (DPO): The data protection officer is responsible for overseeing data protection policies and ensuring compliance with GDPR norms
6. Incident reporting mechanism: Devising a methodology to continuously track detections and report them
7. Declaration: Having a mechanism in place to report breaches to a supervisory authority and the client, within 72 hours of detection
8. ISO compliance: We are now ISO 27001 compliant, the highest ISO security certification. This helps us keep adequate checks and balances in place to reinforce compliance with GDPR
Regardless of any regulatory requirements, we continue to ensure data protection. With ISO and GDPR compliance, clients can trust Atidiv with their most sensitive data.