By Veronique Haverhals, managing director RSH, the Netherlands
We are all aware of the new General Data Protection Regulation (GDPR) in the EU and the serious consequences non-compliance can have for our reputation, our customers and our industry, especially since we deal with “a special category of personal data” on a day-to-day basis. Unfortunately, diving deep into the details of the highly convoluted text of the Regulation can leave one’s head spinning. Using legal advice, we have pulled out the key elements or rules that lay the groundwork for its larger principles and are relevant for our industry.
The essence of GDPR for our industry:
- Systematically and securely store sensitive data under full encryption, applied automatically, to prevent loss, breach, theft and unauthorized access
- Systematically secure all methods of transfer, usage and transmission of all sensitive data
- Monitor all usage, transfer, and transmission of sensitive data
- Sensitive data must be secured across all borders
- Show explicit consent and provide for the rights of EU citizens to be forgotten or removed
Our current way of working and our IT environment are compliant. The additional GDPR regulation and the more stringent demands we expect from our clients made us decide to look for a solution that keeps us compliant when the GDPR has to be implemented before May 2018. In addition to the requirements mentioned, a couple of things were really important for us: ISO 27001 certification, data encryption, the provider’s track record in data privacy, user friendliness for the assignees, ease of use for us as users and, above all, alignment with a long Dutch tradition: a good price – quality ratio! While looking for advice and tooling, it appears there is a whole industry in which many parties such as consultants, lawyers and IT companies provide advice, checklists and whitepapers, workshops, standard solutions and training sessions. As far as we could find out, a specific solution for GDPR and the mobility industry did not exist.
How does it work?
The software-as-a-service solution uses the highest available encryption technology and is ISO 27001:2013 certified. A digital vault or safe is created for each assignee. After personal contact has been made, each assignee receives a link through which the confidential information needed for immigration or relocation can be uploaded securely. Secure uploading is possible from a pc, tablet or smartphone. The documents are automatically stored encrypted in a central vault that is accessible only to a selected number of employees and, if desired, to the assignee him/herself. Each time the safe is opened, and each time information is forwarded to a third party, this is registered. This way of working eliminates the risk of personal information being sent via unsafe email or being processed on individual employees’ pcs. After a file is closed, we have opted for long-term secure e-archiving. We as RSH pay a small annual license fee plus an additional fee for each safe we use. The company will periodically provide us with updates.
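As an added example (not RSH’s nor the vendor’s code), the registration step described above modelled as a tamper-evident, hash-chained access register in Python: every vault open and every forward to a third party is appended with an HMAC that also covers the previous entry, so a later edit, reordering or removal of an earlier entry is detected. The class, field names and register key are assumptions.

```python
import hashlib
import hmac
import json
from datetime import datetime, timezone
from typing import List, Optional

GENESIS = "0" * 64  # stands in for the hash of the entry before the first one


class AccessRegister:
    """Append-only register of vault events (hypothetical, not the vendor's code).
    Each entry's HMAC covers the previous entry's hash, forming a chain."""

    def __init__(self, register_key: bytes):
        self._key = register_key  # held by the vault operator, not by vault users
        self.entries: List[dict] = []

    def _digest(self, body: dict, prev_hash: str) -> str:
        data = json.dumps(body, sort_keys=True).encode() + prev_hash.encode()
        return hmac.new(self._key, data, hashlib.sha256).hexdigest()

    def record(self, assignee_id: str, actor: str, action: str,
               recipient: Optional[str] = None) -> dict:
        """Register a vault 'open' or a 'forward' of documents to a third party."""
        if action not in ("open", "forward"):
            raise ValueError(f"unknown action {action!r}")
        if action == "forward" and not recipient:
            raise ValueError("forward requires the receiving third party")
        body = {
            "seq": len(self.entries),
            "ts": datetime.now(timezone.utc).isoformat(),
            "assignee": assignee_id,  # one vault per assignee
            "actor": actor,           # employee, or the assignee him/herself
            "action": action,
            "recipient": recipient,
        }
        prev = self.entries[-1]["hash"] if self.entries else GENESIS
        entry = dict(body, hash=self._digest(body, prev))
        self.entries.append(entry)
        return entry

    def verify(self) -> bool:
        """Recompute the chain from GENESIS; any broken link means tampering."""
        prev = GENESIS
        for i, e in enumerate(self.entries):
            body = {k: v for k, v in e.items() if k != "hash"}
            expected = self._digest(body, prev)
            if body["seq"] != i or not hmac.compare_digest(expected, e["hash"]):
                return False
            prev = e["hash"]
        return True
```

Removing only the newest entries is not caught by verify(); anchoring the latest hash outside the register (for example alongside the periodic e-archive) closes that gap.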
This solution is now being developed and the first version will be implemented at RSH at the beginning of November. The major additional benefit is that we can streamline our processes and significantly reduce our risks, especially where manual handling of documents is involved. The server where our data will be stored is currently located in the Netherlands but can be placed in any jurisdiction as desired. A simple link (API) can be made to existing workflow management applications.
With this solution we aim to take a big step towards GDPR compliance, minimizing the extra cost of implementing GDPR while maintaining our high service levels.