AssurX GDPR Compliance: Benefits and Lessons Learned
Proposed in 2012 and now in effect, the General Data Protection Regulation (GDPR) is the newest landmark in data protection legislation. The regulation is designed to better protect the personal data of individuals in the European Union (EU) by making companies more accountable for how they collect, use, share and store that data. Fines for non-compliance can reach up to €20 million, or 4% of the worldwide annual revenue of the prior financial year.
Set Up for Success
As a company dedicated to developing solutions for quality management and compliance, AssurX approached the extensive scope of GDPR compliance readiness with the expertise to identify, document and remediate any process issues where data privacy is a concern.
Furthermore, because AssurX uses automation to track and trace all policies that govern the capture and sharing of data, the actual practice of mapping privacy controls was largely in place. The role of Data Protection Officer (DPO) was assumed by the company’s Director of Compliance. Having just passed a HIPAA compliance audit and attestation, AssurX was well-versed in how to approach GDPR privacy assessments to identify the potential impacts of a breach or misuse of private information.
Data Protection Beyond IT
The GDPR requires specific compliance for data controllers and data processors. While it applies to IT security practices, GDPR extends to any other unit that collects and/or processes personal information, including but not limited to marketing, finance and suppliers.
In addition, the GDPR requires careful attention to valid consent or informed consent. Individuals in the EU have more power over how their information is being used. For example, a person can request to be “forgotten,” which means their information can never be used again for any purpose. Therefore, controls must be put in place to enable any person from the EU to determine what data can be collected and processed.
As a result, all data processing agreements (DPAs) in place with suppliers, customers and contractors were reviewed and updated. GDPR readiness resulted in a dual end-game: enacting practices to meet GDPR compliance, and reinforcing a bi-directional commitment to compliance between AssurX and the parties it contracts with.
As outlined in GDPR regulations, data processors are accountable for data breaches. Contractors and suppliers that are digitally connected to personal data and processing activity must also meet all obligations of the processor. This creates an ecosystem of accountability where transparency is key. Each person or entity that is contracted with AssurX has agreed in writing to implement data protection practices that align with the high standards AssurX uses and submit to audits when requested.
GDPR readiness became a litmus test of AssurX’s existing data protection and supplier management framework. Auditing the collection, security, processing and retention of information from a holistic perspective strengthened the control of all data that would be covered under GDPR and information privacy in general.
“A significant practice during GDPR readiness was the thorough evaluation of agreements with our suppliers and assessing what risks may or may not exist,” explained Tamar June, President and CEO of AssurX. “It helped bring us into compliance by reviewing and refreshing our requirements for current and future agreements. This helped identify additional strengths as well as opportunities to improve our business and service to our customers.”
GDPR Compliance Best Practices
- Train all employees: Provide GDPR compliance training for all employees to the extent it impacts their role. Use the opportunity to reinforce company-wide security practices (e.g. mobile device security). Empower employees to report concerns.
- Inform customers: Let your EU customers know that you are committed to the GDPR and be responsive to inquiries.
- Have a single point of contact: Your Data Protection Officer (DPO) should be the single point of contact for all GDPR compliance inquiries. Taking too long to respond, or failing to address a possible compliance issue, could end up triggering a report.
- Ensure change control is in place: Before changing any process, whether in marketing, software development or elsewhere, assess the change for its impact on GDPR requirements.
- Review your assessments periodically: On a pre-scheduled basis, review your GDPR compliance assessments to identify any gaps or vulnerabilities.
- Audit your processes frequently: Pre-schedule audits to validate that there have been no undocumented or unapproved changes (e.g. unsanctioned marketing software or out-of-date DPAs).
AssurX has put the privacy of its customers first for over 20 years with enterprise-grade physical, network and information security protocols for its hosted eQMS and compliance management solutions in the AssurX Cloud QMS. Customers in highly regulated industries, including pharmaceutical, medical device, energy & utilities and high-tech, can be confident in AssurX’s privacy-by-design architecture, which was in practice long before GDPR.
Being GDPR compliant is not as simple as making sure you have good network security in place. GDPR compliance is a deep dive into every system that processes personal data to improve privacy governance practices and commitment to compliance.