The European Union has taken a monumental step in protecting the fundamental right to privacy for every EU resident with the General Data Protection Regulation (GDPR), which will be effective from May 25, 2018. Simply put, EU residents will now have greater say over what, how, why, where, and when their personal data is used, processed, or disposed of. This rule clarifies how EU personal data laws apply even beyond the borders of the EU. Any organization that works with EU residents' personal data in any manner, irrespective of location, has obligations to protect that data. FL3XX is well aware of its role in providing the right tools and processes to help its users and customers meet their GDPR mandates.
At FL3XX, we have always honored our customers’ right to data privacy and protection. As a B2B provider we have no necessity to collect and process users' personal information beyond what is required for the functioning of our products and the needs of our customers.
Over the years, we have demonstrated our commitment to data privacy and protection. We already have strong Data Processing Agreements, and we are revising them to meet the requirements of the GDPR. FL3XX recognizes that the GDPR will help us move towards the highest standards of operations in protecting customer data.
How is FL3XX preparing for GDPR?
FL3XX is GDPR compliant as of October 2017. As a data processor, FL3XX understands its obligation to help customers get ready for the big day. We have thoroughly analyzed GDPR requirements and have put in place a dedicated internal process to drive our organization to meet them. Some of our ongoing initiatives are:
- Identifying personal data - Our applications undertake different levels of personal data collection, usage, storage and disposal. Defining the purview of personal data for each of these applications and documenting the various sources of data provided a roadmap for compliance.
- Providing visibility and transparency - The most important aspect of GDPR is how the collected data is used. As a data processor, FL3XX’s key role is to provide our customers (the data controllers) with the access they need to effectively manage and protect their user data. FL3XX is exploring ways to make optimal product enhancements without compromising on performance so that we can provide better transparency to our customers.
- Enhancing data integrity and security - Data privacy and data security are two sides of the same coin. As our customers tighten their data security measures, FL3XX would like to extend a helping hand. We're streamlining the processes for our cloud applications by implementing IT policies and procedures that provide end-to-end security.
- Portability and transferability of data - GDPR gives end users the right to either receive all the data provided and processed by the controller or transfer it to another controller depending on technical feasibility. With this new right in mind, FL3XX is working on further enhancing its data exporting capabilities to enable export even at the individual level.
What does this mean for our customers?
We understand that meeting the GDPR requirements will take a lot of time and effort. As your partner, we want to help you make your process as seamless as possible, so that you don't have to worry about compliance and can focus more on running your business. Some of our upcoming product enhancements will make it easier for you to:
- Provide access controls
- Encrypt, anonymize or delete user data
- Create provisions for data subjects' rights
- Enhance security for user data
What should you do to be GDPR-ready?
If you are just getting started with GDPR compliance in your organization, here's a quick to-do list to keep in mind.
- Create a data privacy team to oversee GDPR activities and raise awareness
- Review the security and privacy processes currently in place and, where applicable, revise your contracts with third parties and customers to meet the requirements of the GDPR
- Identify the Personally Identifiable Information (PII)/Personal data that is being collected
- Analyze how this information is being processed, stored, retained and deleted
- Assess the third parties to whom you disclose data
- Establish procedures to respond to data subjects when they exercise their rights
- Establish and conduct Privacy Impact Assessments (PIAs)
- Create processes for data breach notification activities
- Maintain continuous employee awareness, which is vital to ensure ongoing compliance with the GDPR
LEARN MORE ABOUT GDPR
What is GDPR?
The EU's General Data Protection Regulation (GDPR) is a game changer in data protection and privacy laws. The EU has realized that while technology has evolved drastically in the last few decades, privacy laws have not. In 2016, EU regulatory bodies decided to update the existing Data Protection Directive to suit the changing times. This law creates a comprehensive set of regulations that govern the processing of EU residents' personal data.
How does it apply?
GDPR applies to any organization that works with the personal data of EU residents. This law introduces new obligations for data processors while clearly stating the accountability of data controllers.
Where does the GDPR apply?
This law doesn't have territorial boundaries. It doesn't matter where your organization is based: if you process the personal data of EU data subjects, you come under the jurisdiction of the law.
What are the penalties for non-compliance?
A breach of the GDPR incurs a fine of up to 4% of annual global turnover or €20 million (whichever is greater).
Who are the key stakeholders?
- Data subject - A natural person residing in the EU who is the subject of the data
- Data controller - Determines the purpose and means of processing the data
- Data processor - Processes data on the instructions of the controller
- Supervisory authorities - Public authorities who monitor the application of the regulation
What is personal data or Personally Identifiable Information (PII)?
Any information relating to an identified or identifiable natural person. The identifiers are classified into two types: direct (e.g., name, email, phone number) and indirect (e.g., date of birth, gender).
What are the key changes from the previous regulations?
- New and enhanced rights for data subjects - This law gives an individual the right to exercise complete authority over their personal data. Some of the rights highlighted in the regulation are:
  - Explicit consent: Data subjects must be informed about how their personal data will be processed. Organizations must make it as easy for data subjects to withdraw their consent as it is to grant it.
  - Right to access: At any point in time, the data subject can ask the controller what personal data is being stored or retained about them.
  - Right to be forgotten: The data subject can request the controller to remove their personal information from the controller's systems.
  - Data portability: The controller must be able to provide data subjects with a copy of their personal data in a machine-readable format. If possible, they must be able to transfer the data to another controller.
- Obligations of the processors - GDPR has raised the bar for the responsibilities and liabilities of data processors as well. Processors must be able to demonstrate compliance with the GDPR and they must follow the data controller's instructions.
- Data Protection Officer - Organizations may need to appoint a staff member or external service provider who is responsible for overseeing GDPR compliance, general privacy management and data protection practices.
- Privacy Impact Assessments (PIAs) - Organizations must conduct privacy impact assessments of their large-scale data processing to minimize the risks and identify measures to mitigate them.
- Breach notification - Controllers must notify the stakeholders (the supervisory authority and, where applicable, the data subjects) within 72 hours of becoming aware of a breach.
Where is my data located?
The data of European FL3XX customers will reside in our EU data centers; the data of US FL3XX customers will reside in our US data centers.