AssurX GDPR Compliance: Benefits and Lessons Learned
As a company dedicated to developing solutions for quality management and compliance, AssurX QMS Software approached the extensive scope of GDPR compliance with the expertise to identify, document and remediate any process issues where data privacy is a concern.
Proposed in 2012 and now in effect, the General Data Protection Regulation (GDPR) is the newest landmark of data protection legislation. GDPR compliance legislation is designed to better protect personal data of individuals in the European Union (EU) by making companies more accountable for how they collect, use, share and store data. Fines for non-compliance can reach up to €20 million, or 4% of the worldwide annual revenue of the prior financial year.
Set Up for Success
Because AssurX uses automation to track and trace all policies that govern the capture and sharing of data, the practice of mapping privacy controls was largely already in place. The role of Data Protection Officer (DPO) was assumed by the company’s Director of Compliance. Having just passed a HIPAA compliance audit and attestation, AssurX was well-versed in how to approach GDPR privacy assessments to identify the potential impacts of a breach or misuse of private information.
Data Protection Beyond IT
The GDPR also requires careful attention to valid, informed consent. Individuals in the EU have more power over how their information is used. For example, a person can request to be “forgotten,” which means their information can never be used again for any purpose. Therefore, controls must be put in place to enable any person from the EU to determine what data can be collected and processed.
As a result, all data processing agreements (DPAs) in place with suppliers, customers and contractors were reviewed and updated. GDPR readiness resulted in a dual end-game: enacting practices to meet GDPR compliance, and reinforcing a bi-directional commitment to compliance.
GDPR readiness became a litmus test of AssurX’s existing data protection and supplier management framework. Auditing the collection, security, processing and retention of information from a holistic perspective strengthened the control of all data that would be covered under GDPR and information privacy in general.
“A significant practice during GDPR readiness was the thorough evaluation of agreements with our suppliers and assessing what risks may or may not exist,” explained Tamar June, President and CEO of AssurX. “It helped bring us into compliance by reviewing and refreshing our requirements for current and future agreements. This helped identify additional strengths as well as opportunities to improve our business and service to our customers.”
GDPR Compliance Best Practices
- Train all employees: Provide GDPR compliance training for all employees to the extent it impacts their role. Use the opportunity to reinforce company-wide security practices (e.g. mobile device security). Empower employees to report concerns.
- Inform customers: Let your EU customers know that you are committed to the GDPR and be responsive to inquiries.
- Have a single point of contact: Your Data Protection Officer (DPO) should be the single point of contact for all GDPR compliance inquiries. Taking too long or failing to address a possible compliance issue could end up triggering a report.
- Ensure change control is in place: Prior to process changes in your marketing and other various processes, including software development, be sure to assess for any impact in relation to GDPR requirements.
- Review your assessments periodically: On a pre-scheduled basis, review your GDPR compliance assessments to identify any gaps or vulnerabilities.
- Audit your processes frequently: Pre-schedule audits to validate that there have been no undocumented or unapproved changes (e.g. unsanctioned marketing software or out-of-date DPAs).
Being GDPR compliant is not as simple as making sure you have good network security in place. GDPR compliance is a deep dive into every system that processes personal data to improve privacy governance practices and commitment to compliance.
Published by AssurX Inc. on Jul 03, 2018