General Data Protection Regulation

GDPR Data Protection Officer | Do organizations have to appoint a Data Protection Officer (DPO)?

A data protection officer (DPO) is the voice of data protection compliance within an organization. Article 37 of the GDPR makes the appointment mandatory for public authorities, for controllers or processors whose core activities involve regular and systematic large-scale monitoring of individuals, and for those whose core activities involve large-scale processing of special categories of data (health, biometric, trade-union membership and the like); other organizations may appoint one voluntarily. Whether mandatory or not, the DPO is expected to help the organization meet its legal obligations and, for GDPR, to oversee the security of the personal data it processes.

HR | How does GDPR apply to company employees?

Under the GDPR, if a US company has employees or contractors in the EU, the employer needs to take notice of the ways in which it processes employee data, the purposes for which it processes that data, and the processes and procedures in place for the collecting,

What SAP applications help with Right of Access?

Art. 15 "Right of access by the data subject": the data subject has the right to obtain from the controller confirmation as to whether or not personal data concerning him or her is being processed and, if so, access to that personal data together with further details (the purposes of processing, the categories of data, the recipients, the envisaged retention period and the source of the data where it was not collected from the data subject). Answering such a request in an SAP landscape means being able to locate every record that belongs to one person across all connected systems, which is where the discovery and reporting tooling described below comes in. There are other examples too.

GDPR Implementation | How do we automatically identify all personal data in a SAP system landscape?

Sophia software provides discovery analytics that helps with the first step of implementing the GDPR compliance process by reporting on what personal data is in your landscape and where it is stored. Knowing which tables and fields hold personal data is a prerequisite for every later step: the Article 30 records, access and deletion requests, and deciding which systems need to be anonymized.

GDPR | Are there GDPR solutions and templates for Article 30 (records of processing activities)?


What is a data processing inventory?

A data processing inventory reflects how the business processes data and starts with listing the processing activities and their purposes. Because it is aligned with how the business works, it is easy for the business to engage with.

The GDPR creates an opportunity for organizations to limit the scope of their inventory. Article 30 requires records of processing activities (the purpose, categories of data subjects and data, recipients, retention periods and a description of the security measures), not a detailed inventory of every data holding.

Is GDPR consent required for the use of anonymous data?

The GDPR sets very particular rules on consent. With the regulation applying from May 2018, companies need to be prepared for new GDPR consent mechanisms for their SAP test and QA systems. Anonymizing the data in these systems removes the need for consent, because data that can no longer be related to an identifiable person is outside the scope of the regulation (Recital 26). The caveat is that the anonymization has to be irreversible: data that has merely been pseudonymized, for example by replacing names with keyed tokens that can be linked back using additional information, is still personal data under Art. 4(5) and still needs a lawful basis. Natuvion's TDA tool offers a safe way to anonymize data so that it can be used in test and QA systems rightfully, expediting the path to full compliance without the risk of GDPR fines.

What is a Data Protection Impact Assessment (DPIA)?

With the regulation applying from May 2018, the GDPR requires a Data Protection Impact Assessment (DPIA) under Article 35 wherever processing is likely to result in a high risk to individuals, for example large-scale processing of special categories of data or systematic monitoring. A DPIA helps identify the risks of handling personal data and gives your company a structured process for assessing them. It increases transparency, brings structure to previously undocumented processes that involve personal data, and thereby reduces the risk of non-compliance with the GDPR.

GDPR Legal | What Is A Data Registry or a Records-Processing-Register?


What is a data registry? 

In this workshop, Natuvion walks you through the requirements for creating a data registry for your company and, in doing so, helps you find a way to comply with other GDPR articles as well. This includes an analysis of the different legal bases for processing and the grounds for deletion, among others, which together build up the information a data registry needs.

GDPR | What are Binding Corporate Rules (BCRs)?

Cross-border data transfers.

The GDPR allows personal data to be transferred to countries whose legal regime the European Commission has deemed to provide an "adequate" level of data protection. In the absence of an adequacy decision, transfers to non-EU countries are still allowed under certain safeguards, such as standard contractual clauses approved by the Commission or Binding Corporate Rules (BCRs). BCRs are internal data protection policies that a multinational group has approved by its lead supervisory authority so that it can transfer personal data between its own entities worldwide.


GDPR | Changes for Prospect Management and Prospect Consent

The GDPR changes prospect and customer engagement rules.

The conditions for obtaining prospect consent are stricter under the GDPR: consent must be freely given, specific, informed and unambiguous, and the individual has the right to withdraw it at any time, as easily as it was given. Consent is also presumed not to be valid unless separate consents are obtained for different processing activities.

  1. Newsletters | You have to be able to prove that the individual actively agreed to a specific action, such as receiving a newsletter. Consent cannot be assumed, buried in a disclaimer or implied by a pre-ticked box, and merely providing an opt-out option is not enough.
  2. Marketing and sales activities | Companies will have to review business processes, applications and forms to follow double opt-in practice and email marketing best practices. For example, in order to sign up for communications, prospects fill out a form or tick a box and then confirm in a follow-up email that the sign-up was really theirs.
  3. Audit trails | Organizations must be able to prove that consent was given if an individual objects to receiving communications. Any consent data held must therefore carry a time-stamped audit trail recording what the contact opted into and how (which form, which wording, which channel). It must also be possible to permanently delete a contact's data from your CRM systems when consent is withdrawn or an erasure request is received.
  4. Purchased marketing lists | The company remains responsible for ensuring that proper consent was obtained, even if a vendor or outsourced partner gathered the data.
  5. Trade shows | In the corporate world, sales people meet potential customers at a trade show, exchange business cards, and add the contacts to the company's mailing list when they get back to the office. From 2018 this will no longer be possible without a documented lawful basis. Companies will have to look at new ways of collecting trade show prospect information.

To learn more about managing your prospect data, schedule a one-day workshop for Natuvion to build your GDPR road map.

Is there a document available online which lists everything that is considered GDPR personal data?

The General Data Protection Regulation defines personal data very broadly. Below we list some examples, but given the breadth of the definition it is not feasible to list every type of data that counts as personal.

The GDPR applies to any information relating to an identified or identifiable natural person (Art. 4(1)). An identifier on its own, such as an IP address or a cookie ID, is enough to bring data into scope if it can be linked to a person, directly or in combination with other data. Below are some examples we see at our customers, but there are more:

  1. Personal employee data (name, address, date of birth, etc.)
  2. Information about customers, patients, clients (marketing databases, medical records, contact lists, any contact information)
  3. Data transferred to third parties (accounting books, credit registers, direct marketing)
  4. Non-public personal data of business partners and providers
  5. IP (Internet Protocol) addresses
  6. Cookie identifiers, or others such as Radio Frequency Identification (RFID) tags
  7. Camera records
  8. Iris scan
  9. User ID and passwords - access registration
  10. Smart meter data
  11. Biometric data
  12. Health data
  13. Membership of a labor organization

What is a SAP Gold Partner, why is this important for The GDPR?

Natuvion is an SAP Gold Partner.

Do we need data privacy consent from individuals to use real data in secondary systems?

The best way to eliminate this risk is to anonymize the data in secondary systems (test, QA, training, analytics copies). Properly anonymized data removes the need for consent and, provided you can demonstrate that the anonymization is irreversible, takes those systems out of scope of GDPR processing while still providing data for analysis or testing. Note that the test has to be that individuals can no longer be singled out, not merely that names have been replaced: a hashed or tokenized copy that can be linked back with a key or a lookup is pseudonymized, still personal data, and still in scope.
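To make the distinction between pseudonymized and anonymized test data concrete, here is an added example that is not part of the original page and is not Natuvion's TDA tool or any SAP code. It takes a constructed, fictional HR-style extract (the records, names, emails and the key are all invented for illustration), shows that an unkeyed hash of an email address is reversed by a dictionary lookup, that a keyed pseudonym still links back to the person for whoever holds the key, and then anonymizes the extract by suppressing direct identifiers and generalizing the quasi-identifiers, refusing to release it unless every row shares its quasi-identifier values with at least one other row (k-anonymity with k = 2). The column names and the chosen generalizations are assumptions for the example.

```python
"""
Added example (not Natuvion's TDA tool or any SAP code): pseudonymisation
versus anonymisation of a constructed HR-style test extract, with a
k-anonymity check before the extract is released to a test system.
"""
import hashlib
import hmac
from collections import Counter

# Constructed sample records (fictional people), standing in for a test-system
# copy of employee master data. Column names are assumptions for the example.
RECORDS = [
    {"emp_id": 1001, "name": "Anna Mueller", "email": "anna.mueller@example.com",
     "birth_year": 1984, "postcode": "10115", "salary": 63250, "union_member": True},
    {"emp_id": 1002, "name": "Ben Schmidt", "email": "ben.schmidt@example.com",
     "birth_year": 1987, "postcode": "10243", "salary": 68900, "union_member": False},
    {"emp_id": 1003, "name": "Clara Weber", "email": "clara.weber@example.com",
     "birth_year": 1975, "postcode": "20095", "salary": 84300, "union_member": True},
    {"emp_id": 1004, "name": "David Fischer", "email": "david.fischer@example.com",
     "birth_year": 1972, "postcode": "20457", "salary": 88100, "union_member": False},
    {"emp_id": 1005, "name": "Eva Becker", "email": "eva.becker@example.com",
     "birth_year": 1991, "postcode": "80331", "salary": 45000, "union_member": False},
    {"emp_id": 1006, "name": "Felix Wagner", "email": "felix.wagner@example.com",
     "birth_year": 1995, "postcode": "80469", "salary": 47500, "union_member": True},
]

DIRECT_IDENTIFIERS = ("emp_id", "name", "email")
QUASI_IDENTIFIERS = ("birth_year", "postcode", "salary")
GENERALISED_QUASI_IDENTIFIERS = ("birth_decade", "postcode_area", "salary_band")

# Hypothetical key. In a real deployment it would live in a KMS/HSM, kept away
# from the test system, because whoever holds it can link pseudonyms back.
SECRET_KEY = b"hypothetical-pseudonymisation-key"


def naive_hash(value):
    """Unkeyed SHA-256 of an identifier: often mislabelled as 'anonymisation'."""
    return hashlib.sha256(str(value).lower().encode()).hexdigest()


def reidentify_naive(hashed, candidates):
    """Dictionary attack: an unkeyed hash of a guessable value (email, staff
    number) is reversed by hashing every candidate and comparing."""
    lookup = {naive_hash(c): c for c in candidates}
    return lookup.get(hashed)


def _token(value, key):
    return hmac.new(key, str(value).lower().encode(), hashlib.sha256).hexdigest()[:16]


def pseudonymise(record, key=SECRET_KEY):
    """Replace direct identifiers with keyed HMAC tokens. Rows stay linkable
    across tables (same input -> same token), which test systems usually need,
    but the result is still personal data in the sense of GDPR Art. 4(5)."""
    out = dict(record)
    for field in DIRECT_IDENTIFIERS:
        out[field] = "pseudo:" + _token(record[field], key)
    return out


def link_pseudonym(token, candidates, key=SECRET_KEY):
    """Whoever holds the key plus a candidate list links a pseudonym back."""
    for candidate in candidates:
        if "pseudo:" + _token(candidate, key) == token:
            return candidate
    return None


def anonymise(record):
    """Suppress direct identifiers and generalise quasi-identifiers so the row
    no longer singles out one person. Nothing here can be reversed."""
    return {
        "birth_decade": record["birth_year"] // 10 * 10,
        "postcode_area": record["postcode"][:2],
        "salary_band": record["salary"] // 10000 * 10000,
        "union_member": record["union_member"],  # sensitive attribute kept for analysis
    }


def k_anonymity(rows, quasi_identifiers):
    """Size of the smallest group of rows sharing the same quasi-identifier
    values. k == 1 means some row is unique on those columns."""
    classes = Counter(tuple(row[q] for q in quasi_identifiers) for row in rows)
    return min(classes.values())


def anonymise_extract(records, k_required=2):
    """Anonymise a whole extract and refuse to release it if any row is unique."""
    rows = [anonymise(r) for r in records]
    k = k_anonymity(rows, GENERALISED_QUASI_IDENTIFIERS)
    if k < k_required:
        raise ValueError(f"extract is only {k}-anonymous; generalise further")
    return rows


if __name__ == "__main__":
    emails = [r["email"] for r in RECORDS]
    print("naive hash reversed to:", reidentify_naive(naive_hash("Anna.Mueller@example.com"), emails))
    print("pseudonym linked back to:", link_pseudonym(pseudonymise(RECORDS[0])["email"], emails))
    print("raw extract k =", k_anonymity(RECORDS, QUASI_IDENTIFIERS))
    print("anonymised extract k =", k_anonymity(anonymise_extract(RECORDS), GENERALISED_QUASI_IDENTIFIERS))
```

Two points of the example matter in practice. First, the raw extract is 1-anonymous on birth year, postcode and salary even after the names are gone, so stripping or hashing direct identifiers alone does not take a test system out of scope; it is the generalization plus the k check that produces the "proof" the answer above asks for. Second, the union membership column is a special category under Art. 9, and k-anonymity says nothing about whether all members of a group share that value; a real release would add a diversity check on such attributes or drop them entirely.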

The Value of IAPP

The International Association of Privacy Professionals (IAPP) is the largest and most comprehensive global information privacy community and resource. It helps the Natuvion team develop and advance their careers and helps our customers manage and protect their data.

At Natuvion, we are committed to providing a forum for our privacy and data consultants to become certified in, and keep up to date with, best practices in data protection, privacy trends, information auditing, information security, legal compliance and risk management, so that we keep meeting the needs of our clients.