The EU’s General Data Protection Regulation (GDPR)
The GDPR is an EU regulation targeted at harmonising the hugely varied data protection laws across Europe. The UK Government is currently reviewing the latest generation of Data Protection Laws, which builds on top of and extends the GDPR. The UK's third generation of data protection law has now received Royal Assent and its main provisions commenced on 25 May 2018.
Shared Responsibilities for GDPR
The two main parties identified within the GDPR regulations are:
Data Controllers
A controller is an entity that determines the purposes, conditions, and means of the processing of personal data.
Data Processors
A processor is an entity which processes personal data on behalf of the controller.
TechnologyOne as Data Processor
In delivering our SaaS service to our customers, TechnologyOne has built a class-leading security and compliance program that is designed to provide customers with a high level of surety that their Security and Privacy needs are in good hands.
TechnologyOne audit reports and other materials are available for customers to request and use to meet their own compliance obligations. This compliance program is continually updated as additional guidelines or amendments to existing standards are released. Some of the key areas as they relate to GDPR are described below.
Security
TechnologyOne has developed a security framework that passes the highest levels of external verification, testing and scrutiny. There is a continual program of testing and audit by external third parties to verify the security of the system along with the integrity of the people and processes that manage that system.
Privacy
TechnologyOne has a robust Privacy and Security incident handling plan for the handling of issues related to Security or Privacy breaches and concerns. This plan covers all required notifications and communication with the relevant regulatory bodies and has the customer (Data Controller) at the centre of the process to ensure the fastest, most rigorous and least disruptive handling of reported incidents.
Continuous Improvement
The legislative landscape is shifting substantially with regard to privacy and is being updated regularly with country-specific requirements. The TechnologyOne Compliance Program ensures that all changes and new requirements are incorporated in a timely manner. This is underpinned by a continual program of Privacy Impact Assessments (PIA) across all aspects of the Data Processor offering to our customers.
Customer as Data Controller
As well as leveraging the compliance capabilities TechnologyOne has as a Data Processor, customers (as Data Controllers) are able to utilise a range of capabilities and functions to meet their Data Controller obligations:
Authentication and Access Rights
TechnologyOne offers a suite of capabilities to help customers comply with the management of access rights under the GDPR. Data Controllers are able to manage and control their users’ access to the application and the data they are able to access once logged in. A key component of this is the implementation of role-based access, along with the Data Controller determining and configuring their preferred authentication platform.
Data Subject Rights
TechnologyOne offers a number of mechanisms by which the Data Controller can meet their GDPR obligations as they relate to data subject rights, such as ‘access’, ‘rectification’, ‘erasure’, ‘portability’ etc.
TechnologyOne is committed to complying with the GDPR and all applicable privacy and data protection laws and regulations in its operations and delivery of services to its customers. We are also committed to supporting and assisting our customers to meet their GDPR and privacy obligations.
TechnologyOne has implemented a compliance program with assistance from external advisers to meet the "processor" obligations as described under the GDPR.
TechnologyOne has provided a GDPR Product Assistance paper that aims to assist our customers to comply with their obligations. This paper is available to customers on request by emailing firstname.lastname@example.org.
We note that there are currently no approved certification bodies that would provide external assurance that we comply with GDPR, as per the ICO's website. However, TechnologyOne will continue to monitor this.