The General Data Protection Regulation (GDPR) provides new, consistent standards across the EU to protect the rights of EU citizens regarding how their personal data is being used. It goes into effect on May 25, 2018 and applies to any company that uses personal data from EU citizens.
We are committed to privacy and security and will be ready for the GDPR before May 25, 2018. Here we’ll provide a quick overview of GDPR and share what we’re doing to prepare.
Replacing the existing EU privacy directive 95/46/EC, which has been in place for over 20 years, the GDPR strengthens and expands the privacy rights of individuals in an era in which much of life takes place online. The GDPR is extensive, affecting not just businesses based in the EU but also any company that processes the personal data of EU citizens.
The Data Protection Principles set forth in the GDPR include requirements like the following:
- Personal data collected must be processed in a fair, legal, and transparent way and should only be used in a way that a person would reasonably expect.
- Personal data should only be collected to fulfill a specific purpose and it should only be used for that purpose. Organizations must specify why they need the personal data when they collect it.
- Personal data should be held no longer than necessary to fulfill its purpose.
- People covered by the GDPR have the right to access their own personal data. They can also request a copy of their data, and that their data be updated, deleted, restricted, or moved to another organization.
We’d encourage you to read the text in full as well as to consult with your legal counsel for the most complete understanding of the GDPR.
What is GovSpend Doing to Prepare for GDPR?
Here is an overview of what we’ve been doing so far.
Data Processing Agreement
Security and Data Management
GovSpend already employs strict policies and procedures around security and data management. Additionally, we have designated an internal team and engaged outside expertise to enhance security standards that protect our customer’s data and follow GDPR requirements.
- We are appointing a Data Protection Officer to ensure ongoing GDPR compliance.
- We are putting processes in place so that in the unlikely event of a data breach we ensure prompt notifications to customers and GDPR authorities as required.
- We are formalizing and documenting our internal policies related to data security.
- We are putting safeguards in place to ensure secure and proper handling of data stored outside of the EU as required.
Existing Product Capabilities
GovSpend already enables compliance with requirements regarding the right of data rectification and the right to be forgotten:
- Right to rectify user data: GDPR gives individuals the right to rectify any inaccurate or incomplete personal data. Data obtained from a GovSpend user may be modified or corrected directly by the user in most cases, or via request to email@example.com.
- Right to be forgotten: With respect to EU individuals’ data in our system that comes from public records requests, we will remove such data upon legitimate request to firstname.lastname@example.org. We ensure that any associated user data and historical data are quickly and permanently deleted from our data stores.
- Accountability: GovSpend has role-based permissions, supports encryption at rest of all associated account data, and many data management tools.
We fully support the GDPR and think it’s a good thing to treat customers and their data with care and respect. Our mission is to help companies like yours safely and efficiently use data and information.
If you have any questions or concerns regarding GDPR and GovSpend, please send us a detailed message to email@example.com.
Last Updated: April 3, 2018