As the Internet evolves, so do the policies that govern the way we store and share information. One of the latest policies to come into effect is the General Data Protection Regulation. This policy, also known as the GDPR, comes out of the European Union and its goal is to protect certain types of personal information.
What is the GDPR?
The European Union's General Data Protection Regulation, or GDPR, is a regulation that came into effect May 25, 2018. The GDPR regulates the collection, processing, transport, and use of personal information about individuals in Europe.
Where can I get more information about the GDPR and my compliance obligations?
A good place to start is the ICO's Guide to the GDPR. Cultrix does not provide consulting services on the GDPR, but we can recommend a partner that can help. If you would like more information, please contact us. Where we can help is when a consultant identifies areas in your IT and/or website that may need changing as part of your compliance.
The main thing to note is that the GDPR is not just about your IT or your website. It covers all personal data you handle as part of providing a service, internally under your HR obligations, for your marketing, or for any other purpose; it doesn't matter whether that data is electronic, paperwork on your desk, or information transferred verbally.
Why does the GDPR apply to Cultrix?
The GDPR applies to Cultrix because we have both direct and indirect European customers, staff, and partners whose personal information may be collected or processed by us, or on our behalf. It may also apply to companies that provide services to us, to the extent that we provide this data to them.
As a managed services company, Cultrix also has access to systems that may contain personal information that our customers collect or process on behalf of their customers.
It is our belief that data security is important whether the data is personal data or business data. For that reason we are going beyond the requirements of the GDPR and applying the same policies and security controls to all data we handle, regardless of its classification.
How does Cultrix comply with the GDPR?
Cultrix completed a data mapping exercise designed to identify how we collect, handle, and transfer European personal information that is subject to the GDPR. We determined that:
- We collect and process "sensitive" data subject to the GDPR
- We collect and process other personal information subject to the GDPR
- We store personal information subject to the GDPR for set periods of time
- Third parties may also process personal information subject to the GDPR on our behalf
- Data subject to the GDPR that is stored by us may be stored outside of Europe
To facilitate GDPR compliance, we strengthened our data segregation and access policies, our breach response plan, and our relationships with third parties who may handle data on our behalf, or on behalf of our customers.
- provides detailed information about the types of data we collect or process;
- includes the reasons for that collection or processing;
- sets out the length of time we store the data;
- explains how you can access, rectify or erase your data;
- explains how you can obtain a copy of, move, or transfer your data;
- provides a detailed list of the systems we use and how we ensure they are secure;
- provides a detailed list of the third parties we use and how we monitor their compliance;
- explains how you can restrict processing of your data;
- details how your data is processed and, if applicable, how it is profiled.
We are also working towards ISO 27001 certification, which further demonstrates our commitment to data security, although this is likely to be achieved after the GDPR deadline. We are also Cyber Essentials certified; view our Cyber Essentials certificate.
How does Cultrix facilitate compliance with the GDPR?
Cultrix provides a wide range of IT services, some of which will help our customers work towards their own compliance with the GDPR and maintain that compliance beyond the deadline. Because every customer's determination of what is required to become compliant is unique, there is no set way in which our products and services create compliance with the GDPR, or with any other law or regulation. Along with these pages, we have compiled a list of the services we provide that may help with your own GDPR compliance.