First things first. Here are the most important facts on GDPR
The European Union General Data Protection Regulation (GDPR) is a set of rules about how companies should process the personal data of data subjects. GDPR lays out responsibilities for organisations to ensure the privacy and protection of personal data, provides data subjects with certain rights, and assigns powers to regulators to ask for demonstrations of accountability or even impose fines in cases where an organisation is not complying with GDPR requirements.
Here are some of the basic facts about GDPR (General Data Protection Regulation) that are important to know:
- The law was adopted in 2016 and will become enforceable in May 2018
- It updates and replaces Directive 95/46/EC (the 1995 Data Protection Directive) and strengthens the rights of data subjects while at the same time facilitating the free flow of data
- Applies to organisations that process private data on the territory of the EU, but also to those outside the EU that process the private data of EU citizens
- Infringement fines reach up to 4% of annual revenue
- GDPR sets out a set of key requirements:
  - Lawful, fair and transparent processing
  - Limitation of purpose, data and storage
  - Data subject rights
  - Personal data breaches
  - Privacy by Design
  - Data Protection Impact Assessment
  - Data transfers
Understanding GDPR requirements can sometimes be a daunting task. In this blog I want to highlight the AskCody approach to GDPR and our commitment to ensure the privacy of your data.
Let’s start high before talking GDPR: Your data must be suitably protected
Information and data are assets that, like other important business assets, are essential to the AskCody business and consequently need to be suitably protected.
This is especially important in the increasingly interconnected business environment. As a result of this growing interconnectivity, information and data are now exposed to a larger number and a wider variety of threats and vulnerabilities.
To ensure that data is correctly and suitably protected, Information Security policies and frameworks must be implemented.
Information Security is achieved by implementing a suitable set of controls, including policies, processes, procedures, organizational structures, software and hardware. These controls need to be established, implemented, monitored, reviewed and improved, where necessary, to ensure that the specific security and business objectives of AskCody and our trusted clients are met.
Information Security means preserving the:
- Confidentiality of information: the information is only available to authorized individuals, entities, or processes and is only used for authorized and legitimate purposes
- Integrity of information: the information is accurate and complete
- Availability of information: the information is accessible and usable on business demand
Other quality aspects such as authenticity, accountability, non-repudiation, traceability and reliability can also be involved.
Defining, achieving, maintaining, and improving Information Security is therefore essential to ensure the confidentiality, integrity and availability of information and business processes, protecting our most valuable information assets and our clients' and users' valuable information, while remaining trusted by customers, suppliers, partners and co-workers.
Also, it is important that regulatory and legal compliance is ensured, especially with the forthcoming GDPR. More about that later on.
The AskCody approach to Information and Data Security
Openness, honesty and trust are important aspects of the AskCody culture.
However, we need to have a clear point of view on how to manage information, process data, and approach situations that may be perceived as a conflict of interest.
At AskCody we take our values into account before implementing Information Security rules and measures:
AskCody strives to make Information Security measures simple, for the many and with user friendliness in mind
- Simplicity helps AskCody co-workers take responsibility and behave in a risk-aware way, creating a security culture together.
- Cost consciousness is about protecting information at the correct level, with risk and cost in balance
It is the responsibility of all co-workers within AskCody to understand and work according to the AskCody Information Security Policy and Rules, and our Data Processing Agreements made with our clients.
It is very important to have this support from the entire organization when encountering conflict-of-interest issues, especially when the information and data are not AskCody's own, such as a customer's or business partner's information, which needs to be handled with appropriate care and in compliance with legal standards.
The AskCody Information Security Policy and Rules have been developed to give advice and support on how to protect the AskCody business and information environment, and thereby your data and information. The Rules are necessary in order to run a reliable operation, to guarantee the availability of business processes and information from IT systems, and to ensure the correct processing of information.
So, why is all this information needed?
It’s important because I want to update you on two important documents:
1: Our Information Security Policy
2: Our Data Processing Agreements
1) AskCody Policy on Information Security
Information is an important business asset for AskCody and needs to be suitably protected. A risk and cost-effective balance is made between the level of Information Security measures and the information’s value to AskCody, considering both internal and external demands.
In this document, our Cloud & Information Security FAQ, we have gathered the most frequently asked questions about our Information Security and about how we guarantee the right level of protection, reliability, availability, privacy and confidentiality.
The rules in this document are connected to the AskCody Policy on Information Security which provides the below AskCody standpoint on Information Security.
AskCody Information Security Policy and Rules contain the basic requirements for Information Security. The use of Information Systems is an important link in operational management and the realization of business goals.
Information Security and IT Controls are therefore an essential part of Corporate Governance. In addition, these requirements are also demanded by External Auditors in order to rely on Information Systems for the annual financial statement of AskCody.
The AskCody Information Security Policy and Rules are based on:
- Generally accepted standards such as the Information Security standard ISO 27002 and ISAE 3000 (ISAE 3000 is the standard for assurance over non-financial information. It is issued by the International Federation of Accountants (IFAC) and consists of guidelines for the ethical behavior, quality management and performance of an ISAE 3000 engagement)
- Data protection laws and GDPR.
The Cloud & Information Security FAQ can be downloaded here.
2) Compliance with GDPR and Data Processing Agreements
Privacy is a continuous mind-set, not a one-time hurdle.
At AskCody we did not wait for GDPR to commit to privacy. It has always been an integral part of our offering. On January 1st 2017 we started implementing our new Information Security Policy based on ISO 27002, and we are now certified under ISAE 3000 (the report can be received upon request). ISAE 3000 is the international standard for conducting audits to assess processes and systems. That means we operate in accordance with ISAE 3000 guidelines and can demonstrate in a control statement that our organisation's internal management processes are conducted in accordance with the specifications set out in our Information Security Policy.
These are the steps we are taking regarding GDPR compliance
Sizeable fines alone are reason enough to take GDPR seriously. But really, it’s about a long-term commitment to protecting private data, not only of EU citizens, but for all AskCody users globally. Getting aligned to that as a company is important to us.
Since January 1st 2017 we have therefore been on a journey towards GDPR. Here’s where we are:
- Setting up an internal team dedicated to GDPR. Our team consists of our CEO, Head of Operations, Head of Product and Head of Development, supported by our legal counsellor - DONE
- Hiring a legal counsel - DONE
- Reviewing our processes and products based on ISO 27002 - DONE
- Implementing an internal control environment for use by the management of the service organisation, user entities and/or their auditors - DONE
- Going through assurance engagements undertaken by a third-party auditor to provide an independent report to the user entities - DONE
- Receiving the Independent Auditor's ISAE 3000 Report on the relevant Controls and Design to comply with the Danish Act on Processing of Personal Data and GDPR - DONE
- Hosting within the EU (for EU clients on Microsoft Azure. Psst... We've done that from the very beginning) - DONE
- Adapting our legal texts (terms and conditions, DPA) to reflect GDPR - DONE
- Appointing an ISO (Information Security Officer. He's always up for a chat, so shoot him an email if you have any questions) - DONE
- Defining a data breach notification process as set out in our DPA - DONE
- Updating our Terms and Conditions with regard to GDPR - DONE
- Developing missing features and adapting our product roadmap (roll-outs have already begun; the latest updates will apply in Q2 2018) - IN PROGRESS
Due to GDPR, which becomes enforceable on 25 May 2018, we must provide you with a Data Processing Agreement (DPA) that clearly defines how AskCody, as Data Processor, processes Personal Data while you remain the Controller of that Personal Data.
That's why we have updated our Data Processing Agreements to reflect our agreement on the terms governing the processing of Personal Data under the AskCody Terms of Service, as stated in the "Service Level Agreement and Terms & Conditions" ("SLA") which you entered into by subscribing to the AskCody Services.
This DPA will form part of the Main Contract, where a Main Contract has been made, or otherwise act as an amendment to the SLA and Terms & Conditions by and between AskCody Group ("AskCody") and you, entered into by subscribing to the AskCody SaaS Solution (including subscribing by ordering the service through a partner, through a link or via an online order form, and made available online via the applicable subscriber login link and other web pages designated by AskCody). It sets forth the terms and conditions under which Personal Data will be Processed by AskCody as Data Processor going forward.
For any question regarding compliance with GDPR, Data Processing Agreements or Information Security Policies, please don't hesitate to contact our Security Officer, Rune Spliid.
This updated Data Processing Agreement only acts as an amendment to the "Service Level Agreement and Terms & Conditions" in cases where no other Data Processing Agreement is in place between you and AskCody. If a Data Processing Agreement is already part of a Main Contract, that agreement will continue to apply.
GDPR is knocking at the door. To be honest, we’re looking forward to it!