The General Data Protection Regulation (GDPR) (Regulation (EU) 2016/679) is a privacy and data protection regulation of the European Union (EU). It is enforceable from May 25 2018 and, because it requires no enabling legislation, automatically becomes binding and applicable on that date.
The GDPR imposes new obligations on organisations that control or process relevant personal data and introduces new rights and protections for EU data subjects.
The GDPR applies to data processing carried out by organisations operating within the EU. It also applies to organisations outside the EU that offer goods or services to individuals in the EU.
As an organisation operating in the Digital Technology space, The Digital Embassy is committed to maintaining high standards of data protection, information security, privacy and transparency. We place a high priority on protecting and managing data in accordance with accepted standards and on helping our clients use technology to do the same.
By doing so we will safeguard the personal information under our remit and develop a robust data protection regime that is effective, fit for purpose and demonstrates an understanding and appreciation of the GDPR.
The Digital Embassy will be complying with the GDPR as a processor and controller of data, and the company has been planning and developing a programme of work that will deliver what this regulation requires.
- We will process all personal data fairly and lawfully.
- We will only process personal data for specified and lawful purposes.
- We will endeavour to hold relevant and accurate personal data, and where practical, we will keep this up to date.
- We will not retain personal data for longer than is necessary.
- We will comply with requests to remove data or the right to be forgotten.
- We will comply with requests to pause data usage.
- We will keep all personal data secure.
- We will endeavour to ensure that if personal data is transferred to countries outside of the European Economic Area (‘EEA’), those countries are compliant with the GDPR and provide adequate protection. Data will not be transferred outside of Australia without your consent.
Our actions include but are not restricted to:
- Customer Contracts - variation notices will be issued to our managed service and support customers to address GDPR compliance within these agreements.
- Information Audit - we have undertaken a company-wide information audit to identify and assess what personal information we hold, where it comes from, and how and why it is processed.
- Technology - we have reviewed our technology platforms to analyse their operation, security and compliance, to make sure these meet the requirements of the GDPR.
- Training & Awareness - we have undertaken training across our organisation on the GDPR, its impact on our processes and the responsibilities of our staff. Our staff induction process has been updated to include the GDPR.
- Staffing Contracts - our employee contract, HR policies and sub-contractor agreement have been revised to clarify the expected standards and actions of our people, reflecting The Digital Embassy’s obligation to demonstrate GDPR compliance as a data processor and data controller.
- Continuous Process Quality Standards - we are committed to building on our existing security and data protection practices.
- Supplier & Partner Relationships - where relevant and related, we will make all reasonable endeavours to ensure that our third party providers and suppliers are complying with the GDPR.
- Data Breaches - we have implemented breach procedures that ensure we have safeguards and measures in place to identify, assess, investigate and report any personal data breach at the earliest opportunity.
The Digital Embassy Responsibilities as a Data Processor
As a digital project or strategy consultancy and support provider, it is often necessary for us to remotely connect to our customers’ digital environments. This may include, but is not limited to, a remote session that enables us to fix a user-reported problem, apply a customisation to your database, configure a new process, build a new report or import a data list.
In these instances, The Digital Embassy will be complying with the GDPR as a data processor, and we will be processing data to fulfil our contractual responsibilities.
When we process personal data that is controlled by our customers, we have in place a number of systems, processes, products and services to safeguard that data and meet the requirements of the GDPR.
In undertaking these engagements The Digital Embassy shall offer the following commitments:
- Data Entry & Deletion - we will not delete personal data that is currently stored on your system. In any instance where we receive personal data from you, for example as a spreadsheet to import into your database, the source file containing this personal data shall be deleted once the requirement is completed.
- System Changes - if you require our team to make any changes to your system that will affect the personal data under your control, this process will need to be formally approved by you.
- Direct System Access - this will involve a member of our team directly accessing your system from our computers. As stated above, this will be subject to our normal change control process, and when logging into a customer system The Digital Embassy shall only use a delegated administrator account or a login that is specific to The Digital Embassy. Where possible (depending on your Digital Asset CRM capabilities) this will enable our actions to be tracked and audited.
The Digital Embassy team will continue to monitor this project through May 2018 and beyond. We will continually look at ways of improving our systems and procedures to better comply with GDPR best practice.