Introduction – GDPR
The European Union has taken a monumental step in protecting the fundamental right to privacy for every EU resident with the General Data Protection Regulation (GDPR), which will be effective from May 25, 2018. EU residents will now have better control over their personal data and how it is used, both in the EU and outside it.
Orcanos and GDPR Compliance
Orcanos respects our users’ data privacy and protection. Orcanos has never used users’ data for advertising or as a revenue stream, has never presented ads, and never will, not for paying customers or on free trials. This means that Orcanos has no need to collect and process users’ personal information beyond what is required for the functioning of our products.
Orcanos is working toward GDPR compliance across all of its applications by the time the regulation comes into effect. We have thoroughly analyzed the GDPR requirements and launched several initiatives, among them:
- Compliance team – Create a dedicated team and system alerts to track GDPR-related activities
- Personal data identification – Define the personal data for each Orcanos process and application, and document the various sources of data so they are considered in the Orcanos roadmap
- Personal data visibility – An important aspect of GDPR is how the personal data is used. Orcanos is exploring ways to allow users to control the visibility and protection of their personal data.
- Data security – Orcanos is implementing IT policies and procedures that provide end-to-end security.
- Transferring data – Control how personal data is exported.
- Reviews – Review security and privacy processes, and contracts with third parties and customers
- Identification – Identify the Personally Identifiable Information (PII)/Personal data that is being collected, and analyze how this information is being processed, stored, retained and deleted
- Third parties – Assess the third parties Orcanos works with
- Mitigation procedures – Orcanos will establish procedures to handle cases where a GDPR breach occurs
- PIA – Establish & conduct Privacy Impact Assessment (PIA)
Complying with GDPR requirements can take a long time and considerable effort. Orcanos will implement the following controls to allow better protection of user data:
- Better access controls
- Encrypt or delete user data
- Enhance security for user data
More information about GDPR
Terms and requirements
- Data subject – A natural person residing in the EU who is the subject of the data
- Data controller – Determines the purpose and means of processing the data
- Data processor – Processes data on the instructions of the controller
- Supervisory authorities – Public authorities who monitor the application of the regulation
- Personal data – Data relating to a living individual who can be identified. The identifiers are classified into two types: direct (e.g., name, email, phone number) and indirect (e.g., date of birth, gender).
- PII – Personally Identifiable Information – this is personal data
- Explicit consent – Data subjects must be informed about how their personal data will be processed. Organizations must make it as easy for data subjects to withdraw their consent as it is to grant it.
- Right to access – At any point in time, the data subject can ask the controller what personal data is being stored or retained about him/her.
- Right to be forgotten – The data subject can request the controller to remove their personal information from the controller’s systems.
- Right to be informed
- Right to access
- Right to rectification
- Right to restrict processing
- Data portability – The controller must be able to provide data subjects with a copy of their personal data in machine readable format. If possible, they must be able to transfer the data to another controller.
- Data Protection Officer – Organizations may need to appoint a staff member or external service provider who is responsible for overseeing GDPR, general privacy management compliance and data protection practices.
- Privacy Impact Assessments (PIA) – Organizations must conduct privacy impact assessments of their large-scale data processing to minimize the risks and identify measures to mitigate them.
- Breach notification – Controllers must notify the stakeholders (the supervisory authority, and where applicable, the data subjects) within 72 hours of becoming aware of a breach.
Who does GDPR apply to
GDPR applies to any organization that works with the personal data of EU residents.
This law doesn’t have territorial boundaries. Once an organization processes the personal data of EU data subjects, it comes under the jurisdiction of the law.