The General Data Protection Regulation (GDPR) will come into force on May 25th, 2018 in the European Union. The regulation contains rules related to the protection of individuals regarding the processing and transfer of personal data.
The full text of the regulation can be found at https://eur-lex.europa.eu/legal-content/EN/ALL/?uri=CELEX%3A32016R0679
WHY THE GDPR? REPLACING OUTDATED EU REGULATION
Currently, EU organisations comply with the Data Protection Directive 95/46/EC. This EU directive on data privacy dates back to 1995. As a directive, it left a large amount of leeway to each member state to create national data protection laws that account for local specificities and preferences. As a consequence, rules on personal privacy currently vary from one EU country to another, which makes compliance difficult for companies that operate in several countries.
The GDPR intends to harmonize rules related to the collection and processing of personal data within the EU. It also reinforces protection for individuals while accounting for necessary changes in light of the digital transformation that occurred in recent years. The rise of cloud computing and the ever-growing importance of social media are two key factors in this change. With the GDPR, all EU member countries will need to comply with the same rules regarding data privacy starting on May 25th, 2018.
The new GDPR is a regulation, and therefore has full force of law within the EU. Companies cannot “opt out” of complying with the regulation.
WHAT IS CONSIDERED “PERSONAL DATA” UNDER THE GDPR?
Personal data is all data that relates to an identified or identifiable individual. The following items are examples of personal data:
- First and last name
- A phone number
- A home address
- A person’s nationality or gender
- Banking information
- Health information
- Data on personal interests or orientations
- An e-mail address in the form firstname.lastname@example.org
- Behavioral data, for instance on a website
A specific category of data is further classified as “sensitive data”, which includes medical data, data revealing racial or ethnic origin, political opinions, religious or philosophical beliefs, or trade union membership, and genetic and biometric data (for instance fingerprints).
HOW DOES STILOG COMPLY WITH THE REQUIREMENTS OF THE GDPR?
Good news – most of the requirements of the GDPR had already been in place at Stilog for several years. We have taken the time to formalize, complete and adapt our policies wherever necessary.
The only data that we collect and store is data that you (our customers, prospects and partners) provide us freely and knowingly: for instance, your contact information in an information request form. We do not collect any sensitive data.
We have nominated a Data Protection Officer (DPO) to supervise our strategy and verify that our processes comply with the GDPR. You may address an enquiry to our DPO at any time by contacting us at: email@example.com / phone +33 1 47 29 99 69.
We have put together an exhaustive list of the personal data that we store, along with details on the purpose of storage, the nature of processing, the categories of personnel who may access it, the duration of storage, etc.
Personal data are processed in a lawful, fair and transparent manner. This means that we inform our customers, partners and prospects regarding the personal data that we collect, and how we intend to use it.
We only collect personal data to achieve a specified, explicit and legitimate business purpose, which is shared with our clients, partners and prospects. For instance, we may collect your contact information in order to get in touch with you as part of your Visual Planning implementation project, to conduct satisfaction surveys, or to let you know about new product releases.
We only collect and store relevant, appropriate data that are necessary to achieve the stated purpose: we only ask you for data that we need in order to be able to perform those actions.
Personal data needs to be accurate and up to date. You may ask us to correct or modify your personal data at any time, by contacting us at firstname.lastname@example.org / phone +33 1 47 29 99 69.
STORAGE LIMITATION & DELETION
You may request at any time that your personal data be deleted, by contacting us at email@example.com / phone +33 1 47 29 99 69. Your data is only stored for the duration needed to serve the stated purpose.
INTEGRITY AND CONFIDENTIALITY
We have implemented organizational and technical safeguards to protect the personal data that you share with us. For instance, we restrict access to the database in which your data is stored to a limited number of personnel, we control access to our offices, we perform regular backups of all data (including data that is outside the scope of the GDPR), etc. We have also implemented a crisis management process that describes the measures we take to ensure that your data is secured, and the steps we will take if such safeguards prove defective.
In order to further reinforce our commitment to process personal data in compliance with the principles of the GDPR, we are publishing this document on our website, have put together a crisis management process, have updated our standard agreements and terms and conditions, and have modified the contact forms on our website. All of this information may be provided to you at any time.
AS A VISUAL PLANNING USER: ARE YOU GDPR READY?
If you are using Visual Planning to store personal data from your clients, suppliers, or staff (for instance, you are using Visual Planning for contact management, customer listings, service call management, project management, etc.), the GDPR applies to you as a “data controller”. This may be the case even if you are located outside the EU but collect data from EU individuals.
The European Commission has published guidelines, explanations and examples for businesses on the GDPR. Most European countries have issued resources, guidelines and recommendations on how to comply:
- A great 12-step PDF guide and full breakdown from the ICO in the UK
- A summary PDF from the Data Protection Commissioner in Ireland
- In France, CNIL’s 4-step process to get started: https://www.cnil.fr/fr/rgpd-par-ou-commencer
Here are examples of steps that you may want to take to ensure compliance in your company:
1. Designate a Data Protection Officer (DPO) who will be in charge of supervising data privacy questions
2. Create a data processing registry:
a. Include a list of business activities that require personal data to be processed
b. For each of those activities: assess what the final purpose is, which data are being collected, who is given access, and how long they need to be stored
3. Take the time to sort out existing data and confirm you only collect what is needed
4. Respect the rights of individuals
a. Inform them that you are collecting personal data
b. Make sure that they can easily exercise their rights
5. Secure your data by reviewing and implementing safeguards
In Visual Planning, here are simple best practices that you can follow:
– Make sure that you implement sufficient levels of security for passwords when accessing Visual Planning (you may customize the required complexity of user passwords in our Admin Center)
– Create a unique login for each user
– Obtain and track consent from your clients, suppliers, personnel… for their personal data to be stored in your planners (for instance, by creating specific headings in dimensions or forms to store consent)
– Ensure that you do not store personal data for individuals with whom you have not performed any activity in several years: we recommend that you make use of the filtering based on History options that exist in Visual Planning to identify such data.
– Review existing personal data headings for contacts, customers, suppliers, personnel… in your planner to make sure that they are all necessary for your business activity.
IF YOU HAVE QUESTIONS
Please feel free to reach out to us with any questions related to the GDPR, or if you think you may need to modify an existing configuration of Visual Planning to comply.
By phone: Europe +33 (0)1 47 29 99 69 | United States +1 (855) 589-9800
By e-mail: firstname.lastname@example.org