Riada’s approach to the GDPR

On May 25th 2018, a new data protection regulation goes into effect and all companies processing personally identifiable information about EU citizens are affected.

The EU General Data Protection Regulation (GDPR) replaces the Data Protection Directive 95/46/EC and is designed to harmonize data privacy laws across Europe, to protect and empower all EU citizens' data privacy, and to reshape the way organizations across the region approach data privacy.

Riada has been following the evolution of the GDPR closely and we are taking the necessary actions to comply with this new regulation. It has always been natural for us to care for your data privacy and we believe that the GDPR is a great framework that all companies should actively embrace and comply with.

What is GDPR?

The EU General Data Protection Regulation aims to protect all EU citizens from privacy and data breaches in an increasingly data-driven world. It introduces robust requirements that will raise and harmonize standards for data protection, security, and compliance.

One of the key aspects of the GDPR is that it aims to create consistency across EU member states on how personal data can be processed, used, and exchanged securely. Organizations will need to be able to demonstrate the security of the data they are processing and their compliance with the GDPR on a continual basis, by implementing and regularly reviewing robust technical and organisational measures, as well as compliance policies.

What is Personal Data?

Personal data is any information related to a natural person or ‘Data Subject’ that can be used to directly or indirectly identify that person. It can be anything from a name, a photo, an email address, bank details, posts on social networking websites, medical information, or a computer IP address.

Riada’s approach to the GDPR

Up until 25 May 2018, Riada is obligated to fulfil the requirements set forth by the Swedish authority Datainspektionen, and more specifically the act called Personuppgiftslagen (PUL). The GDPR will replace PUL, and the significant differences certainly require a company like Riada to prepare, adjust and comply with the new requirements.

From a data protection perspective, we have identified two major areas where we act as controller or processor of personal data.

  1. Riada Cloud – Riada as data processor
    Riada Cloud is a hosted solution where we offer a wide variety of applications to our customers. The server infrastructure is owned by Amazon Web Services (AWS) and the data is located in the European Union. In this setup, Riada is categorized as Data Processor, the customer is categorized as Data Controller and AWS as Sub-Processor.
  2. General business – Riada as data controller
    This area covers our day-to-day business, where we control personal data from a wide variety of sources, e.g. emails, contact forms, website visits, newsletters, event registrations, and lists of employees, subcontractors, vendors, customers and partners. The data we collect is needed to operate and run our day-to-day business.

Steps we are taking to ensure that we comply with the GDPR

Technical compliance

We are continuing to design our information systems to comply with the GDPR. These systems include, but are not limited to: websites, CRM systems, HR systems and marketing systems. This means that we are able to track who has access to the information, when it has been accessed, how old the information is, etc. We also ensure that we have the ability to find defined data as well as being able to modify and delete the data in our systems. For over a year we have also been managing passwords with market-leading and certified tools that protect passwords according to the highest security standards.

The Riada Cloud infrastructure has evolved a lot over the last year and is now stronger than ever. We have routines in place to identify and manage hacker attacks, data breaches, unauthorised access and DDoS attacks. To the largest possible extent, we’re using encrypted traffic, disks and databases. We also have a secure and well-functioning disaster recovery process that is tested regularly. All Riada Cloud customers sign our GDPR addendum, which details our role as data processor and the customer's role as data controller.

From the technical perspective, we are making sure that we are:

  • able to detect and identify different sorts of attacks on our infrastructure
  • able to detect data breaches
  • able to find, alter, and delete different sorts of personal data in our systems
  • able to extract reports on existing personal data in our systems
  • able to move and export personal data in an acceptable format from our systems
  • able to identify who has access to certain data, when it was accessed and how it might have been processed
  • designing our systems with high awareness and requirements on data privacy and security

Organisational compliance

We have been making several changes over the last year from the organisational perspective. This includes everything from data privacy training for our staff to implementing processes for data management. We have also created routines for how we manage and access personal data in our organisation. A privacy policy has been published and other measures are taken to guarantee that we comply with the GDPR from an organizational perspective.

Marketing

Some marketing activities include sending invites, newsletters or offerings. In those cases we collect and control personal data of our target audience. We are making sure that you are able to give your explicit consent to receiving this kind of communication as well as being able to opt out from such communication.

Human Resources

Riada is a growing company and we control personal data of our employees and prospective candidates. We assure you that personal data of employees and candidates is erased as soon as we no longer have any active employment or recruitment process with the data subject.

In all cases, we’re tracking the origins of the personal data that we control and we delete the data within a reasonable time frame, as stated in the privacy policy.

I want to know more!

We’ve received a lot of questions from customers about our work with the GDPR and this article might answer a few of them. For questions regarding the GDPR that still need answers, please reach out to trust@riada.se or call us at +46 8 733 31 25.


References

https://riada.se/privacy-policy/
https://www.eugdpr.org/eugdpr.org.html
https://www.datainspektionen.se/dataskyddsreformen/
http://eur-lex.europa.eu/legal-content/en/TXT/?uri=CELEX%3A32016R0679
