What is the GDPR?
What the GDPR Changes, Compared to the Former Regulations on Data Protection
From 25 May 2018, the GDPR (General Data Protection Regulation) reinforces the Data Protection Act in order to protect individuals against the abusive processing of personal data. The purpose of this regulation is to standardise the legal framework throughout Europe and to make companies even more responsible for such processing. To that end, penalties for companies can reach up to 4% of worldwide turnover or 20 million euros, whichever is higher.
Who is Affected by this Regulation?
Almost all European companies are affected, as soon as personal data are processed. This includes any data that can directly or indirectly identify a natural person.
New Obligations… or almost (DPO, PIA, data processing register…)
Designation of a DPO
In most cases, the company concerned must appoint a DPO (Data Protection Officer), who will be responsible for compliance with internal and external regulations (service providers, customers, etc.).
The DPO, who is also responsible for raising awareness among and training staff, will act as an intermediary between the company and the CNIL (in France, or any other competent authority in another country). The DPO will keep a processing register if the size of the company exceeds 250 employees or if it processes at-risk data (data relating to convictions or offences, data of elderly persons or minors, etc.).
Source: https://gdpr-info.eu/art-30-gdpr/
Who can be DPO? The delegate may be an internal collaborator or an external consultant, provided that they have “professional qualities and specific knowledge”. In all cases, they must “benefit from the material and organisational means, resources and positioning enabling [them] to carry out [their] missions”. The DPO does not have the function of determining the purposes and means of processing, but must have access to these data in order to categorise them and to carry out an impact study independently (source: cnil.fr).
A data registry is an internally managed document that ensures that the processing operations comply with the legal obligations set out in the GDPR.
The registry in question must contain:
- the types of processing of personal data
- the different categories of personal data used
- the reasons that legitimise this processing
- all controllers and processors
- the source and destination of the data
Privacy Impact Assessment
Impact analysis in the context of the GDPR is often called PIA (for Privacy Impact Assessment).
The GDPR requires a data protection impact assessment in cases where the processing is likely to create high risks to the rights and freedoms of data subjects. A guide is available on the CNIL website.
Rights of the Persons Concerned
Furthermore, the natural persons concerned have the right to request that all their data be deleted (cf. right to erasure, or right to be forgotten, Article 17 of the GDPR) or that they be communicated to them (right to information, cf. Articles 13 and 14 of the GDPR, and right of access, cf. Article 15), as soon as possible.
These persons also have the right to request that their data be rectified or supplemented (right of rectification, cf. Article 16 of the GDPR), or that they be notified in the event of a data breach (Article 19 of the GDPR).
In terms of security, the regulation recommends certain standards, such as data encryption, limiting failed login attempts to the member area (a maximum of 10 attempts, according to the CNIL), defining a unique identifier for each user, the obligation to change the password after a reset… Article 32 of the GDPR provides some information on this subject, specifying that the controller and the processor (any person involved in the processing of data) must put in place technical measures (encryption, anonymisation, restriction of access, etc.) and organisational measures (internal to the undertaking) adapted to the risk.
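The following is an added example, not code from the page or from DataLog Finance, showing how the three technical measures named above (a cap on failed login attempts, a unique identifier per user, and a forced password change after an administrative reset) fit together in one account store. The class names, the PBKDF2 parameters and the lockout threshold of 10 are assumptions chosen for illustration.

```python
"""Illustrative account-security controls: failed-login limiting, a unique
identifier per user, and a forced password change after a reset.
Added example with assumed names and thresholds; not DataLog Finance code."""
import hashlib
import hmac
import os
import uuid
from dataclasses import dataclass
from typing import Dict, Optional, Tuple

MAX_FAILED_ATTEMPTS = 10      # lockout threshold; the page cites 10 for the CNIL
PBKDF2_ITERATIONS = 100_000   # assumed work factor for the password hash


def hash_password(password: str, salt: Optional[bytes] = None) -> Tuple[bytes, bytes]:
    """Salted PBKDF2-HMAC-SHA256; returns (salt, digest)."""
    salt = salt or os.urandom(16)
    digest = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, PBKDF2_ITERATIONS)
    return salt, digest


@dataclass
class Account:
    user_id: str                       # unique identifier, assigned once and never reused
    salt: bytes
    digest: bytes
    failed_attempts: int = 0
    locked: bool = False
    must_change_password: bool = False


class AccountStore:
    def __init__(self) -> None:
        self._by_login: Dict[str, Account] = {}

    def create(self, login: str, password: str) -> Account:
        salt, digest = hash_password(password)
        acct = Account(user_id=str(uuid.uuid4()), salt=salt, digest=digest)
        self._by_login[login] = acct
        return acct

    def authenticate(self, login: str, password: str) -> str:
        """Return 'ok', 'change_password', 'locked' or 'denied'."""
        acct = self._by_login.get(login)
        if acct is None:
            # Do the same work as a real check so timing does not reveal valid logins.
            hash_password(password, b"\x00" * 16)
            return "denied"
        if acct.locked:
            return "locked"
        _, digest = hash_password(password, acct.salt)
        if not hmac.compare_digest(digest, acct.digest):
            acct.failed_attempts += 1
            if acct.failed_attempts >= MAX_FAILED_ATTEMPTS:
                acct.locked = True          # locked until an administrative reset
                return "locked"
            return "denied"
        acct.failed_attempts = 0            # a successful login clears the counter
        return "change_password" if acct.must_change_password else "ok"

    def admin_reset(self, login: str, temporary_password: str) -> None:
        """Reset by an administrator: unlocks the account but forces a new password."""
        acct = self._by_login[login]
        acct.salt, acct.digest = hash_password(temporary_password)
        acct.failed_attempts = 0
        acct.locked = False
        acct.must_change_password = True

    def change_password(self, login: str, old: str, new: str) -> bool:
        acct = self._by_login[login]
        _, digest = hash_password(old, acct.salt)
        if not hmac.compare_digest(digest, acct.digest):
            return False
        acct.salt, acct.digest = hash_password(new)
        acct.must_change_password = False
        return True
```

The lockout is deliberately cleared only by `admin_reset`, which in turn sets `must_change_password`, so a temporary password handed out by support can never remain the permanent credential.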
In addition to the controller (the company), all parties involved in data processing (e.g. subcontractors) must provide sufficient guarantees regarding the security measures taken at their level to ensure compliance with this regulation, even if they are not geographically located within the European Union. Indeed, it is sufficient that the data subjects are European citizens for the organisation which processes their data, wherever it is located, to be obliged to comply with the GDPR.
This compliance implies that:
- means must be put in place to ensure the confidentiality, integrity and availability of processing systems and services
- a procedure is in place to test, analyse and evaluate the effectiveness of existing measures
- means exist to ensure the availability of and access to personal data
The impact of the GDPR on Treasury Software
Cash management software is likely to process numerous personal data every day. As such, software publishers cannot escape the GDPR, even if they do not directly process these data, because the data are likely to be analysed downstream by various services (support, consulting, R&D…) in order to improve the software offered, to fix bugs, or simply because the data are hosted by the publisher in SaaS mode.
The software publisher is thus considered a subcontractor (processor) of its customers (data controllers) and must provide them with the necessary guarantees concerning its compliance. To limit its liability, the publisher should review its contractual clauses and request a revision of the established contract.
Data Security: Strengthening the Security of the Website, Internal Database, SaaS Software, Licensing, Anonymization…
Cash management software is particularly concerned with security, as the processing carried out can represent a significant risk for the data controller’s clients (the software publisher’s clients’ clients).
Specific measures can thus be set up by the customer with the help of the publisher, such as for example:
- the implementation of means to limit the retention period of these data (via automatic deletion)
- data encryption
- anonymization or pseudonymization of certain data
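As an added example (not code from the page or from DataLog Finance), the block below combines the first and third measures of the list above: records older than a retention period are deleted automatically, and the records that remain have their direct identifiers pseudonymised with a keyed hash before being passed to downstream analysis. The record layout, the sample holders and IBANs, the key and the 365-day retention period are all constructed assumptions.

```python
"""Illustrative retention-based deletion and pseudonymisation for a
treasury data set. Added example; records, key and retention period are
constructed assumptions, not DataLog Finance code."""
import hashlib
import hmac
from datetime import date, timedelta
from typing import Dict, List, Tuple

RETENTION_DAYS = 365   # assumed retention period after which a record is deleted

# Constructed key. In production it is held in a secrets store, separately from
# the data, so a copy of the pseudonymised data set alone cannot be reversed.
PSEUDONYM_KEY = b"constructed-demo-key-do-not-reuse"

# Constructed sample records, as an account-holder file in a treasury tool might look.
RECORDS: List[Dict] = [
    {"holder": "Jean Dupont", "iban": "FR7630006000011234567890189",
     "amount": 1500.0, "created": date(2017, 1, 10)},
    {"holder": "Marie Curie", "iban": "FR7630004000031234567890143",
     "amount": 230.5, "created": date(2018, 4, 2)},
    {"holder": "Jean Dupont", "iban": "FR7630006000011234567890189",
     "amount": 99.0, "created": date(2018, 5, 1)},
]


def pseudonymise(value: str, key: bytes = PSEUDONYM_KEY) -> str:
    """Keyed hash (HMAC-SHA256): the same input always maps to the same token,
    so records of one holder still correlate for analysis, but the token
    cannot be reversed or brute-forced from a list of names without the key."""
    return hmac.new(key, value.encode("utf-8"), hashlib.sha256).hexdigest()


def pseudonymise_record(rec: Dict) -> Dict:
    """Replace the direct identifiers; financial fields are left as they are."""
    out = dict(rec)
    out["holder"] = pseudonymise(rec["holder"])
    out["iban"] = pseudonymise(rec["iban"])
    return out


def expired(rec: Dict, today: date, retention_days: int = RETENTION_DAYS) -> bool:
    return today - rec["created"] > timedelta(days=retention_days)


def purge_and_pseudonymise(records: List[Dict], today: date,
                           retention_days: int = RETENTION_DAYS) -> Tuple[List[Dict], int]:
    """Return (records kept for analysis, number deleted). Deletion is the
    time-limitation measure; the kept records are pseudonymised."""
    kept = [pseudonymise_record(r) for r in records
            if not expired(r, today, retention_days)]
    return kept, len(records) - len(kept)


def erase_holder(records: List[Dict], holder: str) -> Tuple[List[Dict], int]:
    """Honour an erasure request (Article 17) on the raw data set."""
    remaining = [r for r in records if r["holder"] != holder]
    return remaining, len(records) - len(remaining)


if __name__ == "__main__":
    kept, deleted = purge_and_pseudonymise(RECORDS, date(2018, 5, 25))
    print(f"deleted {deleted}, kept {len(kept)} pseudonymised record(s)")
```

A keyed hash rather than a plain SHA-256 is the point of this design: IBANs and names have low entropy, so an unkeyed hash could be reversed by hashing candidate values, whereas the HMAC is only reversible by whoever holds the key, which is why the key must be stored apart from the data.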
Therefore, DataLog Finance invites you to contact our teams in order to study the means to put in place so that the data processing carried out through your treasury software complies with the GDPR (in force since May 25, 2018).
GDPR Publisher Side: How DataLog Finance Becomes Compliant
As the effective date of the GDPR is May 25, 2018, DataLog Finance has implemented a number of measures and a new organization to meet these obligations.
Implementation of a Registry
DataLog Finance maintains a register of the various categories of personal data likely to be processed internally and as part of our publishing activities. This register contains the data of the controller, the reasons for the processing (their purposes), and the types of persons concerned by the processing (software users, customer/prospect files, etc.).
Designation of a DPO
DataLog Finance has appointed an internal DPO responsible for keeping the processing register, ensuring compliance with data protection regulations, communicating with the CNIL if necessary and acting as a privileged interlocutor for persons concerned by data processing for any request or question.
The new policy takes into account the new standards of the CNIL (types of data collected, purposes of processing, identity and contact details of the controller, storage periods, right to rectification, updating and erasure of data…).
Security: Encryption, Access Limitation, Norms and Standards
In terms of security, DataLog Finance ensures compliance with the standards and measures to be taken to protect its customers’ and employees’ data.
All DataLog Finance software encrypts its database upon connection. It is also possible to encrypt it at any time thanks to the capabilities natively offered by the various RDBMS used by our solutions.
Our SaaS solutions meet strict standards to ensure enhanced security for our users:
- ISO 27001: international information security standard to identify and control risks related to data compromise
- PCI DSS: payment card processing standard; its function is to protect cardholder data and sensitive identification data
Other Means Put in Place
We have reworded the contracts established with our subcontractors, notably on the SaaS part.
We have signed a data processing agreement with all our employees concerned, and a charter with those who are directly concerned by the possible processing of customer data (particularly at the SaaS level, because we do not have access to our customers’ data in License mode).
We have implemented advanced security measures (data encryption, anonymization, limitation of their use…) for the various solutions we use.
In addition, we ask all Bugzilla users on the client side to provide us with a generic address, so that we hold the least possible amount of personal client data on our servers; this change is currently being completed.
Client Side GDPR Compliance
DataLog Finance’s solutions allow quick access to GDPR compliance on the treasury software part, after specific support and delivery of scripts dedicated to the customer’s environment.
In addition, our tools natively have encrypted databases (encryption at login or via a DBMS parameter) and the ability to archive / delete data beyond a defined time. We invite you to contact us to study the additional steps to be taken so that the processing of your cash data is fully in line with the European requirements of the GDPR.