About GDPR

What is GDPR?

The GDPR is a new, comprehensive data protection law (in effect from May 25, 2018) in the EU that strengthens the protection of personal data in light of rapid technological developments, increased globalization, and more complex international flows of personal data. It updates and replaces the national data protection laws currently in place (each derived from the 1995 EU Data Protection Directive, the DPD) with a single set of rules.

How was it before GDPR?

The key changes are the following: expanded data privacy rights for EU individuals; data breach notification and added security requirements for organizations; and customer profiling and monitoring requirements. The GDPR also includes Binding Corporate Rules, which organizations can use to legalize transfers of personal data outside the EU, and fines of up to 4% of global revenue for organizations that fail to meet their GDPR compliance obligations. Overall, the GDPR provides a central point of enforcement by requiring companies to work with a lead supervisory authority on cross-border data protection issues.

Does GDPR apply to my company?

If you are processing personal data in the context of an organization established in the EU, the GDPR will apply to you, regardless of whether you are processing personal data in the EU or not. “Processing” means any operation performed on personal data, such as collection, storage, transfer, dissemination or erasure.

If you are not established in the EU, the GDPR applies to you if you are offering goods or services (whether paid or free) to EU data subjects or monitoring the behavior of EU data subjects within the EU. Monitoring can be anything from placing cookies on a website and tracking the browsing behavior of data subjects to high-tech surveillance activities.

Under European data protection law, organizations processing personal data are divided into “Controllers,” the entities which determine how and why personal data is processed, and “Processors,” the entities that process personal data only on the instructions of the Controllers. The GDPR applies to both Controllers and Processors.

Disclaimer

This document is neither a magnum opus on EU data privacy nor legal advice for your company to use in complying with EU data privacy laws like the GDPR. Therefore, you may not rely on it as legal advice, nor as a recommendation of any particular legal interpretation.

Here is a List of Questions to Assess Your Level of Compliance With GDPR:

  • “What personal data do we collect/store?”
  • “Are we transferring the personal data outside the EU and if so, do we have adequate protections in place?”
  • “Are we collecting or processing any special categories of personal data, such as ‘Sensitive Personal Data,’ children’s data, biometric or genetic data, etc., and if so, are we meeting the standards to collect, process and store it?”
  • “Are we keeping it safe and secure using a level of security appropriate to the risk? For example, will encryption or pseudonymization be required to protect the personal data we hold? Are we limiting access to ensure it is only being used for its intended purpose?”
  • “Are we ensuring we aren’t holding it for any longer than is necessary and keeping it up-to-date?”
  • “Have we obtained it fairly? Do we have the necessary consents required and were the data subjects informed of the specific purpose for which we’ll use their data? Were we clear and unambiguous about that purpose and were they informed of their right to withdraw consent at any time?”

 

What Will Change Under the GDPR?

Consent

Whenever a data subject is about to submit their personal information, the data controller (usually a company) has to make sure the data subject has given their consent. The GDPR raises the standard for disclosures when obtaining consent: it must be “freely given, specific, informed and unambiguous,” with controllers using “clear and plain” language that is “clearly distinguishable from other matters.” Controllers will also be required to provide evidence that their processes are compliant and were followed in each case. Previously, under the DPD, consent could be inferred from an action or inaction in circumstances where the action or inaction clearly signified consent. Thus, the Directive left open the possibility of an “opt-out” mechanism. That changes under the GDPR, which requires the data subject to signal agreement by “a statement or a clear affirmative action.”

Essentially, your customer cannot be forced into consent, nor be unaware that they are consenting to the processing of their personal data. They must also know exactly what they are consenting to, and they must be informed in advance of their right to withdraw that consent. Obtaining consent requires a positive indication of agreement – it cannot be inferred from silence, pre-ticked boxes or inactivity. This makes what you tell the user at the moment of opt-in increasingly important.

New Rights for Individuals

The regulation also builds in two new rights for data subjects: a “right to be forgotten” that requires controllers to alert downstream recipients of deletion requests and a “right to data portability” that allows data subjects to demand a copy of their data in a common format. These two rights will now make it easier for users to request that any information stored should be deleted or that information that has been collected should be shared with them.

Access Requests

Data subjects have always had a right to request access to their data, but the GDPR enhances this right. In most cases, you will not be able to charge for processing an access request unless you can demonstrate that the cost will be excessive. The timescale for processing an access request will also drop to a 30-day period. In certain cases, organizations may refuse to grant an access request, for example where the request is deemed manifestly unfounded or excessive. However, organizations will need to have clear refusal policies and procedures in place and be able to demonstrate why the request meets these criteria.

What Should a Customer Do?

Get buy-in and build a team
  • Raise awareness of the importance of GDPR compliance with organization leaders
  • Obtain executive support for necessary staff resources and financial investments
  • Choose someone to lead the effort in becoming GDPR-compliant
  • Build a steering committee of key functional leaders
  • Identify privacy champions throughout the organization
Assess the organization
  • Review existing privacy and security efforts to identify the needs
  • Identify all the systems where the organization stores personal data, and create a data inventory
  • Create a register of data processing activities and carry out a privacy impact assessment for each high-risk activity
Establish controls and processes
  • Ensure privacy notices are present wherever personal data is collected
  • Implement controls to limit the organization’s use of data to the purposes for which it collected the data
  • Establish mechanisms to manage data subject consent preferences
  • Implement appropriate administrative, physical, and technological security measures and processes to detect and respond to security breaches
  • Establish procedures for responding to data subject requests for access, rectification, objection, restriction, portability, and deletion (right to be forgotten)
  • Enter into contracts with affiliates and vendors that collect or receive personal data
  • Establish a privacy impact assessment process
  • Administer employee and vendor privacy and security awareness training
Make documents compliant
  • Compile copies of privacy notices and consent forms, the data inventory and register of data processing activities, written policies and procedures, training materials, intracompany data transfer agreements, and vendor contracts
  • If required, appoint a data protection officer and identify the appropriate EU supervisory authority
  • Conduct periodic risk assessments

Trackforce Journey to GDPR Compliance

Trackforce is dedicated to helping our customers comply with the GDPR. We have closely analyzed the requirements of the GDPR, and are working to make enhancements to our products, contracts, and documentation to support compliance with the GDPR.

 

Product Roadmap

 

Right to be Forgotten

You may need to clear customer data history in order to comply with data protection and privacy regulations. Trackforce will offer you retention period options that can be applied to:

  Personal Data Type                        Max. Retention Period                        Action Post Retention Period
  Personal media (photos & videos)          Up to 3 months after creation                Deleted
  Visitor data                              Up to 3 months after the visit               Anonymized
  GPS data history                          Up to 6 months after creation                Deleted
  Training data                             Up to 12 months after employee’s departure   Deleted
  All reports                               Up to 5 years after creation                 Deleted
  Activity template fields                  Up to 5 years after creation                 Anonymized

 

Here is how to set up your GDPR parameters:

  • Go to settings > account settings
  • Click on GDPR settings
  • For each category, select the general Data Retention Period (the longest possible period is selected by default).
  • You can also set different retention periods for different customers using the “set up exceptions for customers” option.

On your end, after termination of the business relationship with a client, you can keep their personal data for up to 5 years and their personal media (photos & videos) for up to 3 months.
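As an added illustration (not Trackforce’s own code), the retention table and the per-customer exception option described above can be encoded as data and evaluated for a record: the longest period is the default, a customer exception may only shorten it, and a record whose anchor event has not yet happened (for example training data for an employee who has not departed) is never due. The category keys and the add_months helper are assumptions of this example.

```python
from dataclasses import dataclass
from datetime import date
from typing import Optional

@dataclass(frozen=True)
class Rule:
    anchor: str       # event the retention clock starts from
    max_months: int   # longest retention the platform allows
    action: str       # what happens once the period expires

# Maximum retention periods from the table above, in months (5 years = 60).
# Category keys are constructed for this example.
RULES = {
    "personal_media":  Rule("creation", 3, "Deleted"),
    "visitor_data":    Rule("visit", 3, "Anonymized"),
    "gps_history":     Rule("creation", 6, "Deleted"),
    "training_data":   Rule("departure", 12, "Deleted"),
    "reports":         Rule("creation", 60, "Deleted"),
    "activity_fields": Rule("creation", 60, "Anonymized"),
}

def add_months(d: date, months: int) -> date:
    """Calendar-month arithmetic, clamping to the last valid day of the month."""
    m = d.month - 1 + months
    y, m = d.year + m // 12, m % 12 + 1
    leap = y % 4 == 0 and (y % 100 != 0 or y % 400 == 0)
    last = [31, 29 if leap else 28, 31, 30, 31, 30, 31, 31, 30, 31, 30, 31][m - 1]
    return date(y, m, min(d.day, last))

def effective_period(category: str, customer_months: Optional[int] = None) -> int:
    """Default is the platform maximum; a customer exception may shorten it but never exceed it."""
    rule = RULES[category]
    if customer_months is None:
        return rule.max_months
    if customer_months < 1 or customer_months > rule.max_months:
        raise ValueError(f"{category}: {customer_months} months exceeds max {rule.max_months}")
    return customer_months

def due_action(category: str, anchor_event: Optional[date], as_of: date,
               customer_months: Optional[int] = None) -> Optional[str]:
    """Return 'Deleted' or 'Anonymized' once the record's period has expired, else None.
    anchor_event is the date of the event named by the rule (creation, visit, departure);
    None means the event has not happened yet, so the clock has not started."""
    if anchor_event is None:
        return None
    expiry = add_months(anchor_event, effective_period(category, customer_months))
    return RULES[category].action if as_of >= expiry else None
```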

Data Portability

You can use the Trackforce Platform to help you honor your customers’ requests to export their data. Data can be extracted upon request.

Security

Trackforce has security built into every layer of the platform. The infrastructure layer comes with replication, backup, encryption, and disaster recovery. Network services have encryption in transit and advanced threat detection with IPS/IDS. Our application services implement identity management, two-factor authentication, and user permissions.

Restriction of Processing

Trackforce is enhancing its products so that Controllers or Processors can technically restrict the use of personal data (for instance by limiting access to reports or by allocating a data subject’s personal data to specific account sites). A disclaimer will also be printed on any PDF or email sent by the application, requesting deletion of the document by the end of the retention period (the exact date will be indicated).

Our Legal Documentation

Accountability/Transparency

As we approach May 2018, Trackforce has nominated a Data Protection Officer (DPO) and is focused on GDPR compliance efforts. Our Legal team is busy ensuring our legal documentation (namely our Customer Terms of Service, our Data Processing Agreement and our Privacy Policy) will be updated to reflect any product changes and to include the mandatory Processor provisions required by Article 28 of the GDPR.

We have also created the email dpo@trackforce.com for all GDPR related questions and requests.

Consent

Throughout our organizational measures and legal documentation (namely our Customer Terms of Service, our Data Processing Agreement and our Privacy Policy), Trackforce ensures that the data subject has given their consent as defined by the GDPR, both at the collection and processing stages.

FAQ

Who should I contact to obtain my personal data?

You should email our DPO dpo@trackforce.com for all GDPR related questions.

 

Which documents shall I provide to obtain my personal data?

You should provide any document proving your identity.

 

Is it possible to change my GDPR setup once created?

Yes, at any time.

 

How long do you keep customers’ data?

Each client defines their preferred retention period within the limits set by the GDPR.

 

What shall I do if a customer wants their data deleted sooner than the others?

You can create exceptions on the set-up page.

 

Is it possible to recover my data once anonymized?

Anonymization, as defined by the GDPR, is irreversible.

 

What kind of personal data do you collect?

This depends on your security firm, kindly refer to them or their DPO if they have one.

 

What kind of data in your platform is subject to GDPR compliance?

Media containing personal data, GPS history, visitor data, employee data, and personal data fields in activity templates (it is up to each client to define the data that they need to protect).

 

What happens if I have to document a serious incident with insurance companies or with the judicial authorities?

It is the responsibility of the customer to download any required report before the end of the retention period. Upon expiry of this period, Trackforce will not be able to recover your data.

 

What happens if an email is sent with my (or my employees) information?

A disclaimer will be printed on any PDF or email sent by the application. The document’s recipient is responsible for complying with the GDPR requirements.

 

Can one Trackforce subsidiary access another country subsidiary’s data?

No; personal data are siloed and segmented from one subsidiary to another one. Each subsidiary can only access its own data.

 

Can Trackforce oblige its processors to be GDPR compliant?

No; however, as of May 25th, 2018, Trackforce will only call on subcontractors who present sufficient guarantees of compliance with the GDPR.

 

What will happen if Trackforce develops in the future new software solutions not included in the current compliance with the GDPR?

In order to remain GDPR compliant, Trackforce will conduct a Privacy Impact Assessment (PIA) for any new product launch.