The Principles and Practicalities of the GDPR

The General Data Protection Regulation (GDPR), which will become enforceable from May 25th 2018, aims to harmonise and toughen minimum standards for protecting personal information across the European Union and the countries with which Member States do business.

This second blog on GDPR explores the Principles and explains how TrackBack has approached the task of ensuring that we are compliant with this new law before it becomes enforceable.

The Principles

To comply with GDPR, organisations will need to abide by the six key privacy principles, which are already well documented online:

  1. Lawfulness, fairness and transparency
  2. Purpose limitations
  3. Data minimisation
  4. Accuracy
  5. Storage limitations
  6. Integrity and confidentiality

Applying the Principles in Practice

Principles 1 and 2

The responsibility for meeting principles 1 and 2 falls to our clients, in collecting the data lawfully and outlining how the data is to be used at the point when the data is collected. We have agreed Data Sharing Agreements with our clients which ensure that we only use data for the purpose expressly outlined in our service agreement.

Principle 3

TrackBack has always taken an approach that requests the minimum amount of customer information in order to perform our service. The customer data we take from a vehicle manufacturer is limited to basic contact information and anything that the client believes is important from a reporting classification perspective. In the provision of our service, we also collect call recordings and email transcripts, which are deemed customer information.

Principle 4

We process thousands of leads every hour, and our systems are specifically designed to return accurate information time and time again. Our systems are also completely scalable, and they are able to cope with increased levels of demand on our services at short notice. So far, TrackBack has processed and measured the follow-up to over 8 million leads.

Principle 5

The length of time we store customer data will depend upon operational requirements, to provide the services our clients require. We will agree with our clients in advance how long each piece of data about a customer will be kept and the reason for each decision. TrackBack will support our clients by making recommendations on the storage of the different items of data based on our experience.

Principle 6

TrackBack takes the security of our data extremely seriously. We store our clients’ data in secure hosting environments, which align to each client’s own data security policies. Our system infrastructure is constantly monitored and regularly penetration tested to validate the security of our data against external threats. The internal access to this data is strictly governed and audited by our own internal policies and procedures, to ensure that best practice principles like “Segregation of Duties” and “minimum access rights” are adhered to.


We have 3 different levels of hosting which have been designed to support the security and segregation requirements of our clients. All levels are fully GDPR compliant, but some clients’ security requirements go beyond the standard GDPR compliance requirements.


TrackBack has been preparing for the implementation of GDPR for many months. Our Chief Information Security Officer, Oscar O’Connor, has been instrumental in reviewing our current processes, and the data held by TrackBack. We are extremely confident that we meet the new GDPR regulations in advance of their implementation, and are having individual conversations with our clients to ensure that our systems are aligned to their own security requirements.