ANGLO-SUISSE CAPITAL'S GDPR COMMITMENT
On May 25th, 2018, the European Union’s (EU) new data protection framework, the General Data Protection Regulation (GDPR), will come into effect. It is the most significant piece of data protection legislation to date and will impact any organization that processes personal data in connection with goods/services offered to an EU resident, or monitors the behavior of persons within the EU. The GDPR strengthens individuals’ privacy rights through tighter limits on the processing of their personal data, significantly expanding their rights over their data, and providing increased transparency into the nature, purpose, and use of it.
DATA PROTECTION AND GDPR COMPLIANCE
As an enthusiastic advocate of the power and customer-centricity of the engagement economy, Anglo-Suisse Capital understands the importance of putting privacy and data protection in the hands of the data subject. As with other data protection laws, GDPR compliance requires commitment from both Anglo-Suisse Capital and our customers. Anglo-Suisse Capital has been in compliance with the GDPR since May 25th, 2018 and Anglo-Suisse Capital’s services already include the functionality necessary for our customers to comply with the GDPR’s consent requirement. We have carefully examined the relevant provisions of the GDPR and we are closely tracking applicable GDPR guidance issued by regulatory authorities. These steps are helping us to develop tools for our customers relevant to GDPR-compliant use of Anglo-Suisse Capital’s services.
GDPR OVERVIEW
As a regulation instead of a directive, the GDPR becomes enforceable as law in all EU member states simultaneously on this date and replaces the separate member state implementations of data protection law, streamlining compliance by providing a single set of principles to follow.
The scope of this new regulation encompasses all organisations that process the personal data of EU residents or monitor individuals’ behaviours conducted within the EU, regardless of the entity’s location. The terms processing and personal data are defined broadly: processing involves “any operation or set of operations which is performed on personal data” and personal data means “any information relating to an identified or identifiable natural person (‘data subject’).” The GDPR outlines different requirements for Controllers (entities who determine the purposes and means of the processing of personal data) and Processors (entities who process personal data as directed by a Controller).
Key GDPR Compliance Requirements
The GDPR has changed the way organisations collect data, as well as how they obtain, document, and manage the legal basis for processing. Below is an overview of some of the key GDPR requirements.
Data Protection by Design and Default
Controllers and Processors must incorporate data protection into new products and services that involve processing of personal data (Design) and consider data protection issues in all business decisions (Default).
Lawfulness of Processing
Processing must be based on consent, performance of a contract, legal obligation, protection of vital interests, tasks carried out in the public interest, or legitimate interest balanced against the fundamental rights of data subjects.
Conditions for Consent
Requests for consent must be freely given, specific, informed and unambiguous by a statement or by a clear affirmative action.
Security of Processing
Controllers and Processors shall implement appropriate technical and organisational measures to ensure a level of security appropriate to the risk.
Data Subject Rights & Information
Controllers shall provide the information outlined in Articles 13 & 14 to Data Subjects and Data Subjects may access, correct, delete, restrict processing of, and transfer their personal data, as well as object to automated decision-making based on their personal data.
Data Inventory
Controllers and Processors must create centralised repositories containing records of processing activities carried out on personal data.
Data Protection Impact Assessments
Where a type of processing is likely to result in a high risk to the rights and freedoms of natural persons, prior to processing Controllers must carry out assessments of the impact of the envisaged processing operations on the protection of personal data.
Data Protection Officer
Controllers and Processors whose core activities consist of processing operations which require regular and systematic monitoring of data subjects on a large scale or large scale processing of special categories of data must appoint a Data Protection Officer.
Controller-Processor Relationships
Controller and Processor relationships must be governed by binding contracts that set the terms of the processing to be performed and provide Controllers the right to object to Sub-Processors engaged by the Processors.
Data Breach Reporting
In the event of a breach involving personal data, the Controller shall, where feasible, notify the relevant Supervisory Authority within 72 hours after becoming aware of it and, if there is a likely high risk to the rights and freedoms of natural persons, the affected data subjects without undue delay.
Consent Under the GDPR
For Anglo-Suisse Capital’s marketing activities, consent is the appropriate legal basis for processing personal data.
GDPR defines consent as:
“Any freely given, specific, informed and unambiguous indication of the data subject’s wishes by which he or she, by a statement or by a clear affirmative action, signifies agreement to the processing of personal data relating to him or her.” (Art. 4(11))
GDPR Article 7, Conditions for Consent, requires that requests for consent be clearly distinguishable from other matters using clear and plain language, that the data subject has the right to withdraw consent at any time, and that consent is not freely given if the performance of a contract (including the provisioning of a service) is conditional on consent to processing personal data not necessary for the performance of said contract. Articles 13 and 14 outline the information to be provided to data subjects at the time of data collection.
Accountability Under the GDPR
One of the most significant requirements under the GDPR is the accountability principle. GDPR Article 24 requires Controllers to “implement appropriate technical and organisational measures to ensure and to be able to demonstrate that processing is performed in accordance” with the GDPR.
Anglo-Suisse Capital offers a number of features and functions that demonstrate compliance with the GDPR principles, such as:
- Role Based Permissions
- Audit Trail
- Encryption at Rest
- Data Management
Helpful GDPR Resources
Below are links to some GDPR resources which we will continue to update as relevant regulatory authorities issue additional guidelines.
https://ico.org.uk/media/about-the-ico/consultations/2013551/draft-gdpr-consent-guidance-for-consultation-201703.pdf
http://www.eugdpr.org/gdpr-faqs.html
http://ec.europa.eu/justice/policies/privacy/docs/wpdocs/2011/wp187_en.pdf
While the content on this page is designed to help organisations understand the GDPR in connection with Anglo-Suisse Capital’s services, the information contained herein may not be construed as legal advice and organisations should consult with their own legal counsel with respect to interpreting their unique obligations under the GDPR and the use of a company’s products and services to process personal data.