GDPR Readiness at Celigo
In December 2015 the EU Parliament and Council reached agreement on the EU General Data Protection Regulation (GDPR), first proposed in 2012; it was formally adopted in April 2016 and applies from May 25, 2018.
GDPR provides a new framework for data protection with increased obligations for organizations. It focuses on protecting personal data and handing control of that data back to the individual it describes (the data subject).
We’ve been receiving a lot of questions from our Customers, Vendors, Prospects, and Partners. So we’ve provided some more information in the following areas:
- 1. Customer GDPR Roll-Out
- 2. Governance Structure and Celigo’s Data Protection Officer
- 3. Data Mapping
- 4. Information Security
- 5. Privacy Impact Assessments
- 6. Responding to Subject Access Requests / Rectification / Deletion
- 7. Data Breach Reporting
- 8. Who to Contact
1. Customer GDPR Roll-Out
Where customers process personal data through Celigo, which integrates with third-party data sources, we ask them to tell us the lawful basis on which they use our products and services. The customer must determine this basis because they are the Data Controller; Celigo is the Data Processor and acts on the controller's instructions.
There are six lawful processing conditions:
- Consent
- Compliance with a legal obligation
- Performance of a contract
- Legitimate interest
- Public interest
- Vital interest
2. Governance Structure and Celigo’s Data Protection Officer
Data privacy is discussed throughout Celigo with regular presentations to all of our Employees, the Executive Team, and members of our Board of Directors.
Celigo’s named Data Protection Officer is Jessica Curry.
Jessica leads the Privacy and Data Compliance initiative. Within it, each Department Head is responsible for the products and processes their department delivers, helping to embed data privacy into day-to-day operations while also monitoring activity on an ongoing basis.
3. Data Mapping
Celigo has completed its Article 30 records of processing activities (our Data Mapping exercise). We know what data we hold, where it is held, how we access it, how it is classified, which records are transferred, and we have flowcharts showing how data moves between systems, processes, and countries.
4. Information Security
Led by our Chief Technology Officer, Scott Henderson, the Engineering Team maintains an information security program that covers everything you would expect and more.
This includes technical security measures (e.g. intrusion detection, firewalls, monitoring), restricted access to personal data, protection of our physical premises and hard assets, security measures for our team members (e.g. pre-screening), a data-loss prevention strategy, and regular testing of our security posture across our product family: www.celigo.com, integrator.io, and cloudextend.io.
5. Privacy Impact Assessments
Where appropriate, a Privacy Impact Assessment will be completed and supporting evidence gathered, such as copies of privacy notices, a completed due diligence questionnaire, and the results of periodic testing.
6. Responding to Subject Access Requests / Rectification / Deletion
Celigo has a process in place to manage these requests and sees no issue responding within the GDPR timescale of one month from receipt (Article 12(3)).
7. Data Breach Reporting
The ICO (the UK Information Commissioner's Office) has published a blog post that clears up a lot of myths around data breach reporting. Article 33(2) states that a data processor must notify the data controller without undue delay after becoming aware of a personal data breach. The Article 29 Working Party (WP29) has provided guidance on this, which states:
“The GDPR does not provide an explicit time limit within which the processor must alert the controller, except that it must do so “without undue delay”. Therefore, WP29 recommends an immediate notification by the processor to the controller, with further information about the breach provided in phases as information becomes available. This is important in order to help the controller to meet the requirement of notification to the supervisory authority within 72 hours.”
Celigo's position is that the regulation requires notification "without undue delay", and that is the standard we will meet. We also recognise that for our Customer, the Data Controller, the 72-hour clock for notifying the supervisory authority only starts when they become aware of the incident, which is why prompt notification from us matters.
8. Who to Contact
You can reach our Compliance team via email for any GDPR related questions at: email@example.com
Updated: May 15, 2018 | v1