In May 2018, a European privacy law, the General Data Protection Regulation (GDPR), is due to take effect. The GDPR imposes new rules on companies, government agencies, non-profits, and other organizations that offer goods and services to people in the European Union (EU), or that collect and analyze data tied to EU residents.
Clarizen sees the GDPR as the most recent step forward in harmonizing data protection requirements across the EU and as an opportunity to deepen our commitment to customer data security. In 2017 Clarizen began analyzing the requirements of the GDPR, and we are making the necessary enhancements to our products, contracts, and documentation to support compliance. Clarizen will comply with all applicable requirements of the GDPR in the delivery of our SaaS products to our customers.
Who does the data protection law apply to?
The law applies to:
- a company or entity which processes personal data as part of the activities of one of its branches established in the EU, regardless of where the data is processed; or
- a company established outside the EU offering goods/services (paid or for free) or monitoring the behavior of individuals in the EU.
Does GDPR apply to Clarizen?
Answer: Yes. Whether the regulation applies does not depend on the size of a company but on the nature of its processing activities and on whether it stores or otherwise processes personal data of individuals in the EU.
The GDPR expands the privacy rights of EU individuals and places new obligations on all organizations that market, track, or handle EU personal data.
Activities that present a high risk to individuals' rights and freedoms trigger more stringent rules, whether they are carried out by Clarizen or by a large corporation.
However, some of the obligations of the GDPR may not apply to Clarizen and our SaaS products.
For instance, companies with fewer than 250 employees, like Clarizen, are not required to keep records of their processing activities unless the processing is more than occasional, is likely to result in a risk to individuals' rights and freedoms, or concerns sensitive data or criminal records.
Similarly, the obligation to appoint a Data Protection Officer does not depend on company size: it applies where an organization's core activities consist of regular and systematic monitoring of individuals on a large scale, or of large-scale processing of sensitive data or criminal records.
Key changes under GDPR:
Individuals have the right to:
- Access their personal data
- Correct errors in their personal data
- Erase their personal data
- Object to processing of their personal data
- Export their personal data in a portable format
Controls and notifications
Organizations will need to:
- Protect personal data using appropriate security
- Notify authorities of personal data breaches
- Obtain appropriate consents for processing data
- Keep records detailing data processing
Organizations are required to:
- Provide clear notice of data collection
- Outline processing purposes and use cases
- Define data retention and deletion policies
IT and training
Organizations will need to:
- Train privacy personnel and employees
- Audit and update data policies
- Employ a Data Protection Officer (if required)
- Create and manage compliant vendor contracts