Key changes under the GDPR will affect almost all businesses. The new rules will come into effect on May 25th, 2018, and all businesses need to assess what they need to do in order to comply. We are counting down to GDPR-day and will show you the key steps we took to become GDPR compliant.
The essentials of GDPR secured
The GDPR stands for General Data Protection Regulation and is a regulation in EU law on data protection and privacy for all individuals within the European Union.
We can define three roles:
- Data Subject: the natural person about whom the data is stored;
- Data Controllers: the natural or legal person, public authority, agency or another body which, alone or jointly with others, determines the purposes and means of the processing of personal data;
- Data Processors: the natural or legal person, public authority, agency or another body which processes personal data on behalf of the controller.
In this case, Sqills acts as data processor of the personal data that is being processed within S3 Passenger. The S3 Passenger customer (a rail or bus operator) is the Data Controller.
GDPR compliance is key to Sqills
The GDPR introduces several changes to the current data protection laws. The most important rules for complying with the GDPR are:
- When data about a person needs to be stored, that person needs to give explicit consent to their data being stored.
- Data controllers need to show which data about a person will be stored and for what purpose.
- Data controllers need to let a person know if their personal data is being shared with third parties.
- Sqills needs to protect personal data against leaks and abuse.
- Sqills needs to sign data processing agreements with the data controller that state how personal data is going to be protected.
- Sqills and the data controllers are responsible for the personal data that is being stored and handled. Sqills also needs to check whether the data controllers comply with the data processing agreement.
- Every person whose personal data is being stored has the following rights: the right to see the data, to be forgotten, to have the data updated, to have the data moved to another processor, and to object to the processing of their personal data.
- In case of a data breach, Sqills needs to report this to the authorities.
Because Sqills processes personal data on a large scale on a daily basis, a Data Protection Officer (DPO) has been appointed. Inge van Gisbergen, DPO and Team lead within Sqills, comments: “We have analysed the requirements and obligations of the regulation with regard to our S3 Passenger system. This has resulted in a list of planned actions and developments, which have been audited by TÜV, resulting in our ISO 27001 certificate. My task in this is to inform and advise Sqills, its employees and customers. Besides that, I monitor compliance with the regulation and the ISO 27001 standards, and act as the contact point.”
In future articles, we’ll be addressing related topics like Data Breaches, Privacy by design and default, Destruction or restitution of data, and how we prepared to support our clients with GDPR addressing personal data security, data hosting, subject data access rights, internal processes and increased transparency.