The European Union has taken a large step towards improving the security and protection of EU residents’ personal data in the form of the General Data Protection Regulation (GDPR). Effective from 25th May 2018, it will place strict requirements on companies and employers as to how data of individuals are handled.
This regulation doesn’t stop with companies that are based within the EU, but expands to cover any company which processes the data of an EU resident. Even if you have one employee or one user of your service that is based in the EU, then you need to comply with this regulation.
Enough of the general topics. Let’s talk about how this affects TimeTac.
Many areas are affected by this regulation, but we believe that transparency is the main topic for us to focus on. This relates to our internal handling of personal data, as well as communication of important information with our customers and their employees. We will continue to develop and maintain our applications and services, while concentrating throughout on making sure all of our operations are clear, streamlined and in the best interests of everyone.
TimeTac’s compliance with the regulation, and being able to prove that compliance, are both very close to the hearts of our customers, and we can understand why. We want to ensure the appropriate technical and operational measures are in place to look after everyone’s personal data. As with many regulations and legal texts, there is room for subjective interpretation, which means it’s not easy to say “we are GDPR compliant”; however, we are working tirelessly with our legal and technical teams to do all that we can.
How we are preparing for the GDPR
- Personal data identification – We are identifying where personal data is collected and where it is used. This can be direct or indirect personal data, so it covers a larger area than most people think. It was important that we took our time with this step.
- Processes and processors – Once we have the data, we need to map out what we do with it. We documented these processes and labelled which of our carefully selected partners receive this data to help carry out our services.
- Data security – Ensuring that the technical and organisational measures are in place, so that both machine and human efforts prevent unauthorised access, accidental loss and the like.
- Documentation of compliance – We created a complete overview of the data and where it flows, including the creation of various policies along the way to further improve the technical and organisational procedures in place.
- Mechanisms for data subject rights – Putting the procedures in place for dealing with data subject rights, such as accessing the personal data we process regarding them.
How does this affect our customers?
New customers will see almost identical processes to what we currently have. Updated agreements and policies will need to be carefully read and accepted before using our software or services – it’s important we all take data protection seriously.
Existing customers will be informed very soon regarding our updated agreements and policies. These updates will come into force to align our services with the GDPR and modern data protection standards.
It’s worth noting the impact this regulation will have on our customers in the United Kingdom. Brexit will have no impact here. The GDPR will become effective before the UK leaves the EU and therefore this regulation will still apply to organisations in the UK, or those processing the data of residents of the UK. It is also believed that the regulation, or a very similar version thereof, will be written into national law after Brexit.
You don’t need to do anything just now. We will be in touch in the coming weeks to communicate the next steps and any updates we have.
If you have any questions regarding the GDPR or our preparation, please do get in touch via firstname.lastname@example.org.