10 ways to prepare for GDPR compliance
Here are the top ten things you should be considering and planning for when it comes to GDPR compliance. You'll also learn how Episerver has been preparing for GDPR.
This checklist highlights some of the main GDPR responsibilities, what you need to do, and how Episerver's features and processes help you become compliant.
| GDPR responsibility | What you need to do | How Episerver helps |
|---|---|---|
| Minimize data necessary to complete a task or transaction that has been initiated by the individual | Reduce the amount of personally identifiable information you store, and erase it when it is no longer necessary. | One of the ISO 27001 guidelines we have in place is data minimization. Customers should only submit data to Episerver for processing that is necessary. |
| Obtain data subject consent (affirmative opt-in) | Obtain clear and affirmative consent to the processing of private data. Pre-ticked boxes are not allowed. Single opt-in boxes covering multiple consent types are also not allowed. | Episerver will process data as instructed by customers, but customers are responsible for such consent and opt-ins. We will provide reference solutions that include GDPR-compliant opt-in capture as a guide. |
| Commit persons authorised to process personal data to confidentiality | Appoint a Data Protection Officer (DPO) (mandatory for certain companies). Part of their role will be to document and put in place processes around security and data handling. | All employees sign an NDA which covers access, handling and treatment of data. In addition, required training is provided to address data privacy, information security, and confidentiality. Episerver has also appointed a global DPO. |
| Secure data physically and technically | Adopt the GDPR-mandated privacy risk impact assessment, a risk-based approach, before undertaking higher-risk data processing activities. In order to analyze and minimize the risks to their data subjects, data controllers will be required to conduct privacy impact assessments where privacy breach risks are high. | Episerver is in the process of attaining ISO 27001 certification for all products (some products have already achieved certification), the industry standard for an Information Security Management System (ISMS). An ISMS is a framework of policies and procedures that includes all legal, physical and technical controls involved in an organisation's information risk management processes. In addition, Episerver is Privacy Shield certified and has supporting controls in place to support the GDPR. |
| Manage record keeping and breach notification | Report data breaches to your data protection authority within 72 hours of becoming aware of them, unless a breach is unlikely to represent a risk to the rights and freedoms of the data subjects in question. | Episerver conducts proper logging of activities and conducts recurring audits. Episerver also has a formal Security Incident Management policy that was developed to accommodate applicable standards and regulations, including what is required for the GDPR. |
| Provide PII information to the data subject on request within 30 days | Have processes in place to fulfil information requests within 30 days. | Episerver has processes in place to assist customers with requests to provide standard PII data on a subject from within our services. |
| Keep PII data only as long as necessary | Keep personal information only for the length of time it takes to carry out the task the subject has engaged you for; it must not be kept for longer or used for any other purpose. | Episerver has SLAs for data retention across all products, including how long data will be stored in the system, when data will be deleted, what happens upon termination of contract, and justification for why data is stored as long as it is. Episerver will also comply with customers' instructions for deletion as requested. |
| Delete data if requested under "the right to be forgotten" | Provided the personal data is no longer necessary in relation to the purposes for which it was collected or otherwise processed, the data subject can request erasure of their personal data, and processes need to be put in place for this. | Episerver provides the ability to delete PII data from the products. |
| Build privacy into the design (privacy by design) | Make sure, when you carry out vendor assessments, that you are choosing a supplier that can help deliver against your GDPR requirements. | Episerver's Information Security Management System is compliant with the ISO 27001:2013 standard. All products shall undergo a DPIA. |