What does the GDPR require?
The GDPR establishes rules for how organisations may process the personal data of data subjects who are in the European Union. While many of these rules already existed under previous EU law, some rules are now stricter. The rules reach beyond the physical borders of the EU and apply to any organisation, regardless of whether it has a physical presence in the EU, if it offers goods or services to people in the EU, or if it tracks the behaviour of those people.
How is Intsig preparing for the GDPR?
Since early 2017, Intsig has been preparing for the GDPR with a formal compliance project headed by our Chief Compliance Officer. Much of the preparation is happening behind the scenes, but a number of initiatives will be visible to our customers. Listed below are some of the steps we have taken:
Assessment: We have carefully reviewed where and how our relevant services collect, use and store personal data, and we are updating procedures, policies, standards, governance and documentation as needed.
Products: We are evaluating potential new features to add to our various products to assist our customers in meeting various GDPR compliance obligations, such as notice and consent requirements, if necessary.
Cross-Border Transfers of EU Personal Data: Cross-border transfers of personal data will occur in relation to some of our products. In addition to ensuring our contractual commitments meet the GDPR requirements, Intsig has standard contractual clauses in place where necessary.
Employee Training and Awareness: Our employees will receive training on GDPR-specific content. In addition, Intsig will conduct ongoing awareness initiatives on a variety of topics, including data protection, security and privacy.
How does Intsig help my company comply with the GDPR?
When acting as processors, we will only process your personal data in accordance with your instructions and we have a duty to inform you if we reasonably believe your instructions infringe upon the GDPR requirements, or other European Union or Member State data protection legislation. However, we will have no responsibility for the accuracy and the quality of the personal data that is supplied to us.
As controllers, our customers have a number of GDPR obligations to data subjects, such as expanded data privacy rights, data breach notification, and more robust consent requirements. We are committed to helping our clients comply with the GDPR and are working to enhance our products and services to support Intsig’s and our clients’ GDPR compliance. We will assist as required and when we are best placed to take a particular compliance measure.
How does Intsig assist my company in fulfilling data subject rights?
We will promptly notify a customer if we receive any requests from a data subject to exercise their rights, including, without limitation, rights relating to access, rectification, restriction of processing, objection to processing, data portability (if applicable), and erasure. To the extent reasonably possible and legally permitted, we will assist customers in fulfilling their obligations to respond to a data subject request under applicable data privacy legislation.
Who can access personal data that Intsig processes on behalf of its customers?
We may permit our employees, contractors (including the employees and contractors of our affiliates) and authorised sub-processors to access personal data, provided that they are bound by confidentiality covenants and only to the extent that they need such access to perform services for our clients.
How does Intsig manage sub-processors?
We will obtain general written authorisation from our clients in the relevant data processing agreement before transferring their personal data to a sub-processor. We will inform our clients of any changes in authorised sub-processors. Further, we will bind our sub-processors contractually to provide sufficient guarantees to implement technical and organisational measures in compliance with the GDPR, and we will remain liable for their acts and omissions.
How long does Intsig keep personal data?
At the end of a contract for services, upon a client’s request, we will return or securely destroy personal data. This is subject to any limitations described in the relevant data processing agreement between us and our customers as well as any restrictions prescribed by law that prevent us from returning or destroying such personal data. Clients may delete individual or organization-level personal data by using available features in the Intsig products and/or services, or by contacting us.
How does Intsig ensure the security of Client Personal Data?
We implement and maintain many processes to ensure that Client Personal Data is kept secure. The measures we take include, but are not limited to:
Compliance Program: An ongoing data protection compliance program for ensuring adherence to applicable legislation.
Security: We have robust security measures in place to ensure the resilience of our networks and we have processes in place to track data and flag data breaches.
Restricted Processing: We only use Client Personal Data to provide the services our clients request and subject to confidentiality covenants.
Training: We ensure that personnel who process Client Personal Data have the necessary awareness in data protection and data security through training.
Verification: We screen both employees and prospective vendors and we monitor existing vendors to ensure their integrity and compliance with applicable data protection laws and contractual obligations.
How does Intsig handle data breaches?
Intsig uses industry-standard technologies and processes to monitor the IT systems supporting our products and services for security breaches. Suspected breaches are escalated internally according to established procedures. Clients who are controllers will be notified in the most expedient time possible, consistent with the steps needed to investigate, verify and establish the scope of the breach. Pursuant to the terms of the relevant data processing agreement, Intsig will cooperate with such clients to notify regulators and data subjects as required by applicable law.
How will the GDPR impact Intsig’s marketing activities?
Intsig has updated its marketing practices and procedures by implementing a new marketing policy in line with GDPR requirements. This new policy, which incorporates key data privacy principles, sets out clear and strict rules about how personal information should be collected or acquired and used for marketing purposes. As well as ensuring that our workforce receives appropriate training on our new policy, we will continue to promote and monitor their adherence to these new rules.