Another Addendum? Navisite, the GDPR, and the DPA
As you may know, the European Union’s (EU) General Data Protection Regulation (GDPR) is the new European data regulation standard. The GDPR aims primarily to give control to citizens and residents over their personal data, and to simplify the regulatory environment for international business by unifying the regulation within the EU. With respect to data processing, well-defined obligations around data handling are set forth in the standard, with specific punishment for non-compliance.
This offers a perfect opportunity to talk about the business relationships that exist between controller, joint controllers, and processors responsible for protecting personal information, as defined in the standard.
Controller vs. Processor
According to Article 4 of the GDPR,
Controller – “means the natural or legal person, public authority, agency or other body which, alone or jointly with others, determines the purposes and means of the processing of personal data”
Processor – “means a natural or legal person, public authority, agency or other body which processes personal data on behalf of the controller”
To help our clients (the Controller) reach and maintain compliance on their GDPR journey, Navisite (the Processor) provides a comprehensive Data Processing Agreement (DPA). This approach enables our clients to clearly understand the security measures both the Controller and the Processor have taken to secure their customers’ data.
We recommend our clients participate in DPIA activities prior to requesting our DPA.
What is a DPIA?
Data Protection Impact Assessments (DPIAs) help organizations identify, assess, and mitigate or minimize the privacy risks associated with their data processing activities.
DPIAs also support the accountability principle, as they help organizations comply with the requirements of the General Data Protection Regulation (GDPR) and demonstrate that appropriate measures have been taken to ensure compliance.
Failure to adequately conduct a DPIA where appropriate is a breach of the GDPR, and could lead to fines of up to 2% of an organization’s annual global turnover or €10 million – whichever is higher.
Together with our partners and in-house experts, we are prepared to help you meet your GDPR compliance goals, with an end-to-end security and privacy-by-design approach.
We are focused on helping you protect the privacy of your data subjects and their information. We do so by mapping controls to the environment to protect data wherever appropriate (at rest, in transit and in use).
The GDPR is not prescriptive in nature and does not specify concrete security requirements that must be implemented. The approach to mapping adequate security controls to the data type and classifications must be determined by the individual organization, based on the DPIA and risk profile.
We recommend leveraging existing security frameworks, such as ISO 27001, NIST 800-53 or other industry-specific certifications like HIPAA, SOC, and PCI-DSS, to satisfy compliance.
The security policies and controls implemented will have to meet all industry-specific security requirements, as well as regulatory requirements, and reduce the risks specific to processing and storage of personal data.
Navisite relies on a shared-responsibility model to meet the business objectives of our clients. We partner with client business leaders to put in place the controls that lead to end-to-end security. Although the GDPR does not specify concrete security requirements that must be implemented, we have assessed the readiness of our controls for the new standard. Our portfolio of solutions is foundational to our GDPR initiatives and preparedness, giving our clients breach notification, data security, identity governance and access, and threat-protection capabilities.
Navisite continues to expand our portfolio of solutions to offer the highest levels of assurance around the security of data. Moreover, our efforts to align with frameworks like ISO 27001 and to achieve SOC 1/2 certifications show our commitment to industry-recognized security standards. Taken together, these efforts reduce the risks specific to the processing and storage of personal data.