What is the GDPR?
The GDPR (General Data Protection Regulation, formally Regulation (EU) 2016/679) is a European Union regulation which unifies and strengthens the data protection rights of people in the EU.
It replaces the previous European data protection framework (Directive 95/46/EC) and has applied, and been enforceable, since 25 May 2018.
From that date, a number of additional obligations apply to organisations that process the personal data of people in the EU, including EU-based employees or customers, wherever the organisation itself is established.
For more on the GDPR, you are encouraged to speak to your own data protection or compliance team, or to refer to the website of the supervisory authority responsible for GDPR enforcement in your primary operating country.
Examples are the Data Protection Commission in Ireland (DPC), the Information Commissioner's Office in the UK (ICO) and the Commission Nationale de l'Informatique et des Libertés in France (CNIL).
In short: the GDPR is a European data protection regulation (not a directive, so it applies directly in every member state without national implementing law), which has applied since May 2018, and it will likely affect your decisions on processing personal data such as email addresses.
How is GDPR different than the Data Protection Act?
While the GDPR builds upon the principles of the 1990s framework (Directive 95/46/EC and the national Data Protection Acts that implemented it) and ultimately replaces it, there are notable enhancements to keep up with the technological developments of the past two decades, such as broader definitions of personal data and consent, mandatory breach notification, and significantly higher penalties. A few key highlights are noted below, but organisations should read the complete General Data Protection Regulation to fully understand the differences.
Does GDPR require data to stay in the EU or to be stored in the EU?
To the best of our understanding there is no requirement in the GDPR that personal data must stay in the EU, as long as a lawful transfer mechanism under Chapter V of the Regulation is in place for any transfer outside the EU/EEA.
The GDPR recognises several such mechanisms, including an adequacy decision by the European Commission for the destination country, Standard Contractual Clauses and Binding Corporate Rules. The EU-US Privacy Shield was one such adequacy arrangement when this FAQ was written, but it was invalidated by the Court of Justice of the EU in July 2020 (the "Schrems II" judgment), so transfers to the US that relied on it need another mechanism; check with your data protection team which mechanism currently applies to your transfers.
What is the difference between a Data Processor and Data Controller?
Under the GDPR, the data controller is the party that determines the purposes and means of the processing of personal data; within our business, that is the client.
Whenever personal data is collected on the client's instructions, the client remains the controller, because it decides why and how the data is processed.
The processor in this scenario is SGA.
While the controller is the party that decides what data is requested and why, the processor processes the personal data only on behalf of, and on the documented instructions of, the controller.
Personal data is any information relating to an identified or identifiable individual. It can include, but is not limited to, an individual's name, contact information, email address, date of birth, and online identifiers such as an IP address.
Is SGA GDPR Compliant?
SGA's compliance team, along with subject matter experts supported by external business, technical and legal advisors with practical experience in data protection and wider security matters, has implemented controls that fulfil the GDPR's requirements.
We ensure that our customers continuously benefit from our attention to information security and data protection.
SGA is proud of the robust security measures already in place, and we do not expect any significant changes to these measures as a result of our GDPR readiness.
Please note that SGA's information security management system is based on ISO/IEC 27001:2013, the internationally recognised standard for information security management systems. ISO 27001 certification demonstrates a managed security programme; it is not in itself evidence of GDPR compliance, which also covers matters such as lawful basis, data subject rights and breach notification.
Would there be any impact on SGA’s service capabilities because of GDPR?
SGA’s class-leading services will operate as usual.
SGA will keep Customers informed of updates that refer to the GDPR, as these become available.
Can SGA provide a certificate of being GDPR compliant?
There is no accredited third-party certification for GDPR compliance at present. This may change in the future: Article 42 of the GDPR provides for certification mechanisms and data protection seals and marks, which supervisory authorities or accredited certification bodies may take forward. SGA will keep watch on developments in this area.
How Can I Request Access to My Personal Information?
As A SGA Customer Will Anything Change?
SGA's Privacy Notices have been updated to contain wording that aligns with the requirements of the GDPR.
SGA's clients, vendors and partners are being notified via email, telephone and in-service alerts.
Where users have already consented to receiving material such as the SGA Email, we have provided the ability for users to change or withdraw consent, for example by adapting the frequency of the Email or unsubscribing; withdrawing consent is as easy as giving it, as the GDPR requires.
As part of our service roadmap we review the business purpose for using personal information, so there may be future changes to the Privacy Notices and potentially to consent arrangements.
Will SGA Customers Need a Data Processing Agreement?
Yes. Article 28 of the GDPR requires that processing carried out by a processor on behalf of a controller be governed by a written contract setting out the subject matter, duration, nature and purpose of the processing, the types of personal data and the obligations of both parties. A draft Data Processing Agreement will be made available to customers on request.
I have a question that is not answered here. Can you help?
Please feel free to submit additional questions about the GDPR to our team using this link [contact us] and we will do our best to respond in a timely fashion. Please remember that questions specific to your organisation should be addressed directly to your internal Data Protection Officer and/or legal team.