The new European General Data Protection Regulation (GDPR) came into force on May 25th, 2018. Since the regulation was announced last year, SIPEXA AND SIPEXA FLOW have been working towards becoming GDPR compliant. For this purpose, we made many changes to our processes related to data security and to how we handle personal data.
Today, we are happy to announce that SIPEXA AND SIPEXA FLOW are GDPR compliant.
1. Identifying Internal Data Collection mechanisms and mapping them to the Personal Data being collected
The first step we took towards GDPR was to identify and document all the channels and mechanisms we use to collect Personally Identifiable Data from EU Data Subjects. We mapped the type of personal data being collected to the channels for better identification.
2. Purpose limitation, Data minimisation and Storage limitation
Once we mapped the Personal Data to the data collection channels, we made sure controls are in place so that the collected data is processed only for the purpose for which it was collected. We also removed any personal data that was not business critical and defined how long this data is stored.
3. Data Protection Impact Assessment
We carried out Data Protection Impact Assessments (DPIA) to help identify, assess and mitigate or minimise privacy risks in our data processing activities.
4. Legal basis for Processing Data
SIPEXA AND SIPEXA FLOW use Consent, Legitimate Interest and Contracts as legal bases for processing, depending on the personal data we collect. We identified the legal basis and mapped it to the personal data we collect.
5. Individual Rights
We created our own internal process for how we respond to and resolve requests from data subjects regarding individual rights. These rights include the right to information, right to rectification, right to access, right to erasure, right to restrict processing, right to data portability, right to object, and right not to be subject to automated decision-making, including profiling.
6. Security
We conduct regular vulnerability tests and annual penetration testing as part of our audits. We make sure suitable security measures are in place to ensure the confidentiality, integrity, and availability of information. We also use pseudonymisation through encryption and hashing to make sure all personal data is protected. We are taking appropriate technical and organisational measures to adequately protect Personal Data against accidental or unlawful destruction, loss, alteration, unauthorised disclosure of, or access to Personal Data.
7. Sub-processors
SIPEXA AND SIPEXA FLOW have signed agreements with Sub-processors instructing them how to process personal data and ensuring that they are GDPR compliant too.
We also created a Data Processing Agreement (DPA), which regulates our responsibilities as a host, thus allowing our clients to run GDPR compliant sites themselves if they need to. This document also describes how we communicate with customers if there is a breach and how we respond to requests from data subjects.
GDPR is not a one-time effort. It is a continuous process, and we will review our processes regularly to make sure we do not breach any obligations set forth by GDPR, and closely follow further updates to the regulation.
If your business processes the personal data of EU data subjects and you want to run that data through SIPEXA AND SIPEXA FLOW, we’ve got you covered.