GDPR is Coming. We’re Ready, Are You?
In April 2016, the European Parliament passed the General Data Protection Regulation (GDPR). The GDPR will strengthen the security and privacy of individuals’ data in the European Union (EU). The regulations are meant to empower individuals and change the way that organizations treat data privacy. The GDPR will replace the EU Data Protection Directive, otherwise known as Directive 95/46/EC.
Symplicity is happy to announce that Symplicity and its products will comply with the GDPR on the enforcement date of May 25th, 2018. We’re excited to comply with the GDPR because it raises security, privacy, and data protection standards. Symplicity is happy to be a resource for our clients to help them comply with the GDPR themselves.
What is the GDPR?
The GDPR is an EU-passed privacy law that harmonizes the various national data protection laws under a single set of rules that are directly enforceable throughout the EU. It becomes enforceable on May 25th, 2018.
What does the GDPR regulate?
All organizations that operate in the EU and process personal data of EU residents (“data subjects”) are subject to the GDPR. The GDPR regulates the processing of that data. According to the GDPR, processing data means any operation performed on personal data, whether or not by automated means, including collection, use, recording, etc.
What is a controller, and what is a processor?
According to article 4 of the EU GDPR…
Controller – “means the natural or legal person, public authority, agency or other body which, alone or jointly with others, determines the purposes and means of the processing of personal data”
Processor – “means a natural or legal person, public authority, agency or other body which processes personal data on behalf of the controller”
For example, a bank (controller) collects the data of its clients when the client opens an account, but it is another organization (processor) that stores the data produced by the bank.
Both the bank and the organization storing the data are responsible for handling the personal data of the customers.
When using a Symplicity product, am I the controller or processor?
It’s important to note that controllers and processors have different responsibilities under the EU GDPR. A university that is using a Symplicity product would be the controller, since it is entering the student data into the system, and Symplicity would be the processor since Symplicity is storing the data for the university. Under Symplicity policies, Symplicity university clients own their data.
What are my responsibilities as a controller?
According to article 5 of the GDPR, the controller is responsible for compliance with the GDPR principles outlined in article 2. Some of those principles include:
- Data processed lawfully, fairly, and in a transparent manner
- Purpose limitation
- Data minimization
- Storage limitation
- Integrity and confidentiality
Article 24 sets out the controller’s responsibility as follows: “Taking into account the nature, scope, context, and purposes of processing as well as the risks of varying likelihood and severity for the rights and freedoms of natural persons, the controller shall implement appropriate technical and organizational measures to ensure and to be able to demonstrate that processing is performed in accordance with this Regulation. Those measures shall be reviewed and updated where necessary.”
This means you may need to assign roles or responsibilities for data protection, and to conduct the appropriate data protection impact assessment and/or risk mitigation plan, in order to establish the controls and processes that ensure the necessary data protection measures are in place.
Symplicity’s Commitment to Data Protection
As a leader in the education software space, Symplicity already maintains many compliance certifications and annual audits. As an example of our commitment to maintaining robust security and data protection practices, Symplicity is certified to be compliant with the ISO 27001 standard, which is a framework for Information Security Management. Documentation of these practices is available upon request.
In addition, Symplicity is committed to working with our EU clients to maintain compliance with Symplicity’s obligations as a data processor and assisting our clients in achieving their GDPR compliance requirements. As with existing legal requirements, we know that maintaining compliance with the GDPR requires a collaborative partnership between Symplicity and our clients.