On May 25th, 2018, the European Union's “General Data Protection Regulation” (GDPR) takes effect. GDPR aims to give individuals more control over their personal data and how it is used. It will be easier for individuals to access the data that organizations hold about them and to change the permissions they have granted for that data to be used or shared.
Amongst its requirements, GDPR emphasizes that companies, and especially B2C-focused organizations, clearly ask for consent to use data and explicitly respect the user's rights. It gives control back to individuals in the EU through the rights of access, erasure (being “forgotten”), rectification, restriction of processing, data portability, and notification of third parties who received the data when it is rectified or erased.
For companies, and particularly international businesses, the legislation aims to simplify the regulatory landscape by replacing a patchwork of national laws with one set of rules. It requires organizations to keep records of and monitor their data processing, requires the appointment of a Data Protection Officer (DPO) in certain cases (public authorities and organizations whose core activities involve large-scale monitoring or processing of sensitive data), and sets serious penalties for non-compliance: fines of up to €20 million or 4% of annual worldwide turnover, whichever is higher, for the most serious infringements. Personal data breaches must be notified to the supervisory authority within 72 hours of becoming aware of them, and a failure to do so is itself sanctionable.
GDPR is forcing companies in every industry to take a hard look at their data policies. Readiness for the new legislation is, for example, the number one data protection initiative for more than half of the multinational companies based in the United States (GDPR Pulse Survey).
What it Means for Us
As a global B2B SaaS vendor, UpClear views data security as a fundamental priority and welcomes this more comprehensive approach. We support clients across multiple continents, and we decided early on to host data in regional data centers in the USA, EU, and APAC, both for proximity to our clients and to comply with local regulations and requirements. We regularly review and update our Internal Security Policy (ISP) with our security partner, Digital Security, to stay on top of the latest threats and regulations.
“It’s important for SaaS companies to address the issues of security early on. We have been advising and working with UpClear for some time now, and helped them put in place a good Information Security Policy framework,” says Jean-Claude Tapia, President of Digital Security.
For GDPR, we have evaluated the sections relevant to us and implemented controls accordingly, including mapping and monitoring our data flows, appointing a Data Protection Officer, and ensuring that we clearly communicate our data and privacy policies. This will be an ongoing process, as GDPR and other regulations evolve alongside our changing global IT landscape.
If you have further questions about GDPR, either as a vendor like ourselves or an individual, we recommend reading some of the following: