The EU General Data Protection Regulation (EU) 2016/679 (“GDPR”) is the regulation that sets out the legal and security requirements intended to strengthen and unify the protection of personal data of individuals in the European Union (“EU”).
The GDPR was adopted by the European Parliament in April 2016 and applies from May 25, 2018, replacing the current EU Data Protection Directive 95/46/EC and the 28 national data protection laws that implement it.
Under the GDPR, any organization anywhere in the world that processes the personal data of individuals in the EU must be able to explain why the personal data were collected and since when, how long they are retained, and how they are protected against unauthorized access. Organizations must also be able to say whether other parties are engaged in handling the personal data and for what purpose (e.g. CRM or marketing platforms).
The key changes that come into effect are:
– Expanded rights for individuals: amongst them, the right to have their data deleted (erasure), the right to object to processing, and the right to request a copy of any personal data held about them (access).
– Compliance obligations: organizations must implement policies, conduct data protection impact assessments for high-risk processing, ensure privacy by design, and make sure that their providers understand and comply with the requirements.
– Data breach notification: organizations shall notify the supervisory authority of a personal data breach without undue delay (within 72 hours of becoming aware of it where feasible), and notify the affected individuals when the breach is likely to result in a high risk to their rights and freedoms.
– Enforcement: authorities can fine organizations up to 20 million € or 4% of the company’s annual global turnover, whichever is higher.
Since its founding, EcoVadis has committed to maintaining effective business processes and supporting them with demanding security practices. This commitment is confirmed by the ISO 27001:2013 certification of our Information Security Management System (ISMS), audited by PwC Certification B.V.
EcoVadis uses the ISO 27001 standard as a framework and integrates data protection into its ISMS wherever possible. Specifically, as a data controller under the GDPR, we have put actions in place to be compliant well before the deadline.
Here’s a summary of the actions we have taken on our compliance journey:
– Appointed a Data Protection Officer to ensure the governance of personal data in the company and to monitor overall compliance
– Raised the data protection awareness of all employees and provided training on the GDPR
– Established a breach notification procedure, including notification of the authorities and, where a breach poses a high risk to data subjects’ rights and freedoms, of the affected individuals
– Updated the record of processing activities with the mandatory information, after inventorying all systems that process and store personal data
– Taken data protection into account in the design phase of our services and products (privacy by design) and prepared Privacy Impact Assessments for high-risk processing. Data protection is an integral part of information systems specification across the entire product lifecycle
– Updated our legal notices with the mandatory information and informed individuals about the specific data processing we carry out and their data protection rights
– Reviewed all current EcoVadis providers that process personal data and communicated to them additional data protection clauses that formalize their commitment to implement appropriate technical and organizational measures meeting the GDPR requirements (ongoing)
– Improved the selection process for new providers by including a review of their information security and data protection measures
– Ensured the legal framework for transfers of data outside the EU through contractual clauses with our subsidiaries and the renewal of our Privacy Shield certification for transfers of data from the EU to the US
– Selected hosting providers that follow data protection best practices
We have already performed an independent compliance audit of our data protection practices, which confirmed our level of maturity.