TCDI has taken great strides in our 30 years of business to safeguard our clients’ data and to ensure compliance with several national and global guidelines of data security, most notably, HIPAA, Safe Harbor, and most recently, the Privacy Shield. The GDPR, which goes into effect tomorrow, May 25th 2018, imposes new obligations and expands data protection measures for EU citizens’ personal and private data.
The TCDI Privacy and Compliance team has been actively preparing for these changes for more than a year. The most notable changes in the GDPR from the EU Data Privacy Directive, the current global data protection guidelines to which we are compliant, include:
- Expanded territorial scope, including EU based as well as non-EU based companies
- Stricter rules on notification, consent and collection
- Expanded rights of individuals
- Direct obligations on data processors
- Obligations of accountability
- Stricter breach notification rules
- Obligations associated with data transfers
- Imposable high fines and a broader range of powers for data protection authorities
These areas, and more, are what TCDI has been working on to be ready for, and compliant with, the GDPR. Below is an overview of two key areas in which we’ve updated our policies and procedures to ensure compliance with these new regulations – appointing a Data Protection Officer and better defining our responsibilities and policies around being a data processor. Talking about everything we’ve done to be GDPR compliant as a data processor could fill a book, so for this blog post I’ll just highlight two important updates we’ve made, which are a great foundation for everything else we’ve done in the privacy realm.
Data Protection Officer
In order to comply with our Privacy Shield certification and the GDPR, we appointed Tom MacKenzie, our head of Privacy and Compliance, as our Data Protection Officer (DPO). Tom is a long-term employee, a senior executive at TCDI and holds the CIPP certification from the International Association of Privacy Professionals. Tom is charged with ensuring our privacy and security policies are fully developed, maintained and implemented. His chief obligation is to protect employee and customer data from unauthorized access, use and disclosure and organizationally he reports directly to TCDI’s CEO. Tom’s other responsibilities include staying abreast of both corporate operations and current privacy laws, as well as communication and training on TCDI’s privacy and security policies to both clients and staff.
Tom has been studying the requirements for GDPR compliance and working with all TCDI teams internally to ensure we are adequately protecting our clients’ data. He began by creating a gap analysis between our current policies and strategies, and those uniquely required by the GDPR, and has worked for the last year to remove those gaps.
Further, Tom has managed our internal and external audits to ensure compliance with our data security protocols and continues to develop and administer all internal training on data security compliance.
Controller and Processor
For eDiscovery and Litigation Management providers, like TCDI, one of the biggest changes in the GDPR is in regards to data controllers and processors. To define the terms, a data controller determines the purposes and means of processing the data and a data processor processes that data on behalf of a controller.
Under the GDPR, TCDI operates as a data processor and processes data only on instructions from the data controller. As a data processor, we understand our role and obligations for establishing and implementing appropriate technical and organizational controls to operate and maintain secure processing environments. According to these new regulations, we now have increased compliance obligations and are subject to the same fines, and other penalties, as data controllers.
Due to this extension of responsibility, we are updating our contracts with multi-national clients and partners to both identify ourselves as a processor and clearly document the scope and standards for the processing being requested of us by controllers. Additionally, our intent is to now include standard contractual clauses in all contracts, as referenced in Article 28, which articulate responsibilities between us and our data controller clients.
We have also set up internal auditing at TCDI to ensure compliance to the obligations for managing and protecting data from the EU. Our Compliance team is working to update and augment internal policies and practices as they relate to data storage, use or transfer and all employees are being trained on the impact of the GDPR on their role.
Controller and Processor Cooperation
The relationship between controller and processor is one of mutual responsibility in many areas. However, we also understand that, as a processor, we have the responsibility to aid controllers with whom we work in the fulfillment of their responsibilities as well.
New compliance obligations for processors will ensure TCDI exercises a greater awareness that the scope of our client’s (controller’s) instructions are clear and meet their own obligations under the regulations.
TCDI will collaborate with data controllers on the subject matter, expected duration and purpose of the processing, as well as the types of personal data and categories of data subjects involved. TCDI will document, and make visible in contracts with controllers, a full range of processing activities as approved by controllers. Changes to these processing activities will be documented and communicated to the controller for approval.
Through the GDPR, data controllers are subject to many requirements associated with the rights of data subjects. TCDI will aide data controllers, where permitted and appropriate, with the compliance of the controller’s obligations. Additionally, TCDI is committed to cooperation with supervisory authorities.
Additional changes on data handling include onward transfers of data from a TCDI processing environment will now be completed by the data controller or under explicit direction of the data controller. TCDI will make no transfer of data on its own accord. And in the case of a personal data breach, TCDI will act within the given time parameters to notify and provide data controllers with information outlined in the regulation.
Conclusion
Going forward, we know that we have to better partner with our clients to ensure GDPR compliance on the data we receive, and we are dedicated to doing so, for both our protection under the GDPR, as well as the protection of our clients. Knowing what data we have, and understanding all the ways in which we must protect that data, will allow us to ensure compliance with the GDPR and provide protection for all EU citizens’ personal data.