Introduction – GDPR
The European Union has taken a monumental step in protecting the fundamental right to privacy of every EU resident with the General Data Protection Regulation (GDPR), which takes effect on May 25, 2018. EU residents will have better control over their personal data and over how it is used, both inside and outside the EU.
Orcanos and GDPR Compliance
Orcanos respects our users’ data privacy and protection. Orcanos has never used users’ data for advertising or as a revenue stream, has never presented ads, and never will, whether for paying customers or on free trials. This means that Orcanos has no need to collect or process users’ personal information beyond what is required for the functioning of our products.
Orcanos follows GDPR guidelines across all of its applications, including, among others:
- Compliance team – Create a dedicated team and system alerts to track data privacy, data security, and specific GDPR-related activities
- Personal data identification – Define the personal data for each of Orcanos’ processes and applications, document the various sources of data, and make sure they are protected (encryption, access control)
- Personal data visibility – An important aspect of GDPR is how personal data is used. Orcanos does not allow any personal data to be used or exposed in any way outside its software applications, whether the Orcanos system, the CRM system or the accounting system
- Data security – Orcanos is implementing IT policies and procedures that provide end-to-end security and follow ISO 27001 best practices. See Orcanos Security Center; See ISO27001
- Transferring data – Control how personal data is exported. The Orcanos database is not accessible outside Orcanos servers. It is encrypted at rest, and backups are encrypted and remain in their zones, meaning data is not transferred from the EU to the US or vice versa
- Periodic reviews – of security and privacy processes, and of contracts with third parties and customers
- Identification – Identify the Personally Identifiable Information (PII)/personal data that is being collected, and analyze how this information is processed, stored, retained and deleted
- Third parties – Assess the third parties Orcanos works with
- Mitigation procedures – Orcanos will establish procedures to handle cases where a GDPR breach occurs
- PIA – Establish & conduct Privacy Impact Assessment (PIA)
GDPR controls
Complying with GDPR requirements takes considerable time and effort. Orcanos implements controls to allow better protection of user data:
- Access control policy
- Encrypt, or delete user data
- Enhance security for user data
More information about GDPR
Terms and requirements
- Data subject – A natural person residing in the EU who is the subject of the data
- Data controller – Determines the purpose and means of processing the data
- Data processor – Processes data on the instructions of the controller
- Supervisory authorities – Public authorities who monitor the application of the regulation
- Personal data – Data which relates to a living individual who can be identified. The identifiers are classified into two types: direct (e.g., name, email, phone number) and indirect (e.g., date of birth, gender).
- PII – Personally Identifiable Information – this is personal data
- Explicit consent – Data subjects must be informed about how their personal data will be processed. Organizations must make it as easy for data subjects to withdraw their consent as it is to grant it.
- Right to access – At any point in time, the data subject can ask the controller what personal data is being stored or retained about him/her.
- Right to be forgotten – The data subject can request the controller to remove their personal information from the controller’s systems.
- Right to be informed
- Right to access
- Right to rectification
- Right to restrict processing
- Data portability – The controller must be able to provide data subjects with a copy of their personal data in machine readable format. If possible, they must be able to transfer the data to another controller.
- Data Protection Officer – Organizations may need to appoint a staff member or external service provider who is responsible for overseeing GDPR, general privacy management compliance and data protection practices.
- Privacy Impact Assessments (PIA) – Organizations must conduct privacy impact assessments of their large-scale data processing to minimize the risks and identify measures to mitigate them.
- Breach notification – Controllers must notify the stakeholders (the supervisory authority, and where applicable, the data subjects) within 72 hours of becoming aware of a breach.
Who does GDPR apply to
GDPR applies to any organization that works with the personal data of EU residents.
This law has no territorial boundaries. Once an organization processes the personal data of EU data subjects, it comes under the jurisdiction of the law.