The General Data Protections Regulation (GDPR) is a ruling intended to protect the data of citizens within the European Union. The GDPR came into force on May 25th, 2018 to give people more control over how their data is used by organizations.
Address System and GDPR
As we knew that GDPR was coming, we started our preparations in the first quarter of 2017. We’ve always had a robust and effective data protection program in place, however we recognized our obligations in expanding this program to meet the demands of GDPR. We have done a full audit of our IT infrastructure, processes, webhosting, HR and IT tools.
How we prepared for GDPR
Address System already had a very high level of data protection and security, however we wanted to be fully compliant with GDPR. As we understand that continuous employee awareness and understanding is vital to compliance with GDPR, we have involved our employees in our preparation plans from the start.
Our preparations included:
Information Systems Audit: we thoroughly audited and revised our data protection policies and procedures to meet the requirements and standards of GDPR.
Legal Basis for Processing: we have reviewed all processing activities to identify the legal basis for processing. We maintain records of our processing activities, ensuring that our obligations under Article 30 of the GDPR and Schedule 1 of the Data Protection Bill are met.
Obtaining Consent: we have revised our consent mechanisms for obtaining personal data. So we can ensure that individuals can give us consent for processing their information in a clear and granular way. We have developed processes for recording consent, making sure that we can evidence an affirmative opt-in, along with time and date records.
Processor Agreements: we have Processor Agreements with our customers, as we process personal information on their behalf. Any third-party (supplier) that we may use to register personal information has been screened on their GDPR compliance.
Hosting: Address System hosting infrastructure is hosted in external datacenters located in Belgium. Address System has selected an European ISO 27001 (data security) certified hosting provider.
Data Breaches: our data breach procedure ensure that we have safeguards and measures in place to identify, assess, investigate and report any personal data breach.
Data Retention & Erasure: we have updated our data backup procedures to ensure that we meet the ‘data minimization’ and ‘storage limitation’ principles and that personal information is stored, archived and destroyed in a GDPR compliant way.
Data Protection: Accountability and governance measures are in place to ensure that we fulfill our obligations and responsibilities.
Information Security & Technical and Organizational Measures
Address System takes the privacy and security of individuals and their personal information very seriously.
To demonstrate this, we have several layers of security measures:
• Our local datacenter is physically secured and only authorized personnel has access.
• Our Internet-based resources (website, service platforms) use SSL encryption.
• The service platforms use 2-step authentication.
• Address System offices are physically secured and have burglar alarm systems.
• Employee’s PCs are encrypted and require USB security keys as physical device for authentication.
• Passwords management system is fully encrypted.
• Platforms are monitored 24/7 to detect possible intrusion.
Address System is committed to ensuring the security and protection of the personal information that we process, and to provide a compliant and consistent approach to data protection.
We will continue to work on data privacy and integrity on an on-going basis.
We are also preparing for the new EU ePrivacy regulation, which will probably be implemented in 2019.