fact sheet

Committed to GDPR compliance

Beeline is committed to handling client and partner data in a manner that is fully compliant with applicable data privacy, security, and governance regulations, including GDPR.


What is the GDPR?

The General Data Protection Regulation (GDPR) was adopted in 2016 by the European Parliament and the Council of the European Union (EU) and has applied since 25 May 2018. It creates a single, harmonized data protection framework across the EU and aims to give individuals control over their personal data, while imposing strict rules on any organization that hosts or “processes” that data, wherever in the world it is located.

Key provisions of this regulation include:

  • Individual rights, including the right to data portability and the right to erasure (the “right to be forgotten”)
  • A requirement to identify and document the legal basis for processing personal data
  • Provisions to enhance the protection of children’s personal data
  • Data protection impact assessment requirements for high-risk processing
  • Appointment of a Data Protection Officer (DPO) in “data controller” and “data processor” organizations that meet the regulation’s criteria
  • Safeguards for transfers of personal data outside the EU/EEA
  • Mandatory notification requirements and timelines for personal data breaches
  • Steep penalties for non-compliance (up to €20 million or 4% of worldwide annual turnover, whichever is higher)

Roles of data controllers and data processors

GDPR defines a “data controller” as the entity that determines the purposes and means of processing personal data, and a “data processor” as an entity that processes personal data on behalf of the controller. GDPR assigns distinct obligations to controllers and processors, but both are responsible for ensuring the confidentiality and security of personal data.

As a data processor under GDPR, Beeline has taken the steps necessary to comply. This includes rewriting policies, appointing a DPO, and establishing processes to handle complaints or concerns about how personal data is used. Beeline also provides an Alternative Dispute Resolution (ADR) procedure and has created a data breach response procedure that meets GDPR’s reporting requirements and timelines.

One of the most challenging aspects of GDPR is the data subject’s “right to be forgotten,” which allows individuals to request that their personal data be erased. GDPR acknowledges, however, that legal obligations and professional requirements may oblige controllers or processors to retain certain kinds of data, such as financial and assignment records, for defined periods. Beeline has established retention policies and regular reviews to balance this provision against those other obligations. As a processor, Beeline acts on the instructions of its clients, the data controllers, and will erase personal data when a client directs it to do so.

As a data processor, Beeline must “implement appropriate technical and organizational measures” under GDPR to provide data protection by design and by default, security of processing, sound detection and notification of breaches, and logging and monitoring of operations. Beeline also maintains documentation of the risks to personal data and of the measures taken to mitigate them.

“Data protection by design and default” (GDPR Article 25)

This means strictly controlling who has access to personal data and how. Those who need to access or process the data should be granted only the access rights required to perform their professional duties, and no more. Only the minimum necessary data should be collected and stored, and for all data retained there should be an explicit reason, a defined extent of processing, a storage period, and a record of who can access it. Privacy by design calls for data protection to be built in from the outset of system design rather than added afterwards.

“Records of processing activities” (GDPR Article 30)

Maintain a written record of processing activities: the purposes of processing, the categories of data subjects and personal data, the recipients, any transfers outside the EU/EEA, retention periods, and the security measures applied. In practice this is supported by keeping an audit record of operations on personal data and monitoring access to the systems that process it.

“Security of processing” (GDPR Article 32)

Data required for research and reporting should be pseudonymized as far as possible so that individuals cannot be identified from the dataset alone, with the information needed to re-identify them held separately and protected. Pseudonymized data is still personal data, so all personal data, including pseudonymized data, should be encrypted, both in transit and at rest. To maintain confidentiality, integrity, availability and resilience, all systems that hold personal data must be designed to be secure and highly available, with the ability to restore access in a timely manner after an incident, and their security must be regularly tested.
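The pseudonymization described above is worth seeing in working code, because the common shortcut (a plain hash of the identifier) does not actually prevent re-identification. The following is an added example, not Beeline’s code and not a description of its products: it uses a keyed HMAC (Python standard library only, Python 3.8+) so that the same person maps to the same pseudonym across reporting rows, while an attacker who knows the scheme but not the key cannot recover identities by guessing candidate e-mail addresses. The sample rows, names and addresses are constructed for the example.

```python
import hashlib
import hmac
import secrets
from typing import Callable, Dict, Iterable, List, Optional

# Constructed sample reporting rows (hypothetical people and assignment IDs).
SAMPLE_ROWS: List[Dict] = [
    {"email": "alice@example.com", "assignment_id": "A-1001", "hours": 37.5},
    {"email": "bob@example.com", "assignment_id": "A-1002", "hours": 40.0},
    {"email": "alice@example.com", "assignment_id": "A-1003", "hours": 12.0},
]


def unkeyed_pseudonym(identifier: str) -> str:
    """A plain SHA-256 of the identifier. It looks anonymous, but anyone who
    can guess the input (e-mail addresses are easy to enumerate) can
    recompute it and re-identify the row."""
    return hashlib.sha256(identifier.strip().lower().encode()).hexdigest()


def keyed_pseudonym(identifier: str, key: bytes) -> str:
    """HMAC-SHA256 over the normalized identifier. The key is the "additional
    information" that GDPR requires to be kept separately: without it the
    mapping cannot be recomputed, so guessing candidate identifiers fails."""
    return hmac.new(key, identifier.strip().lower().encode(), hashlib.sha256).hexdigest()


def pseudonymize_rows(rows: Iterable[Dict], key: bytes) -> List[Dict]:
    """Replace the direct identifier with a keyed pseudonym and keep the
    reporting fields. The mapping is deterministic per key, so rows for the
    same person still join and aggregate correctly."""
    out = []
    for row in rows:
        r = dict(row)
        r["subject"] = keyed_pseudonym(r.pop("email"), key)
        out.append(r)
    return out


def dictionary_attack(target: str, candidates: Iterable[str],
                      fn: Callable[[str], str]) -> Optional[str]:
    """Re-identification attempt: apply the attacker's best guess at the
    scheme (`fn`) to every candidate and compare against the pseudonym.
    Models an attacker who holds the dataset but not the HMAC key."""
    for c in candidates:
        if hmac.compare_digest(fn(c), target):
            return c
    return None


def hours_per_subject(rows: Iterable[Dict]) -> Dict[str, float]:
    """Example reporting query that works on pseudonymized rows."""
    totals: Dict[str, float] = {}
    for r in rows:
        totals[r["subject"]] = totals.get(r["subject"], 0.0) + r["hours"]
    return totals


def demo() -> Dict:
    # Per-tenant key, generated and stored outside the reporting datastore
    # (assumption for the example; a real deployment would use a KMS or HSM).
    key = secrets.token_bytes(32)
    report = pseudonymize_rows(SAMPLE_ROWS, key)
    guesses = ["alice@example.com", "bob@example.com", "carol@example.com"]
    naive = unkeyed_pseudonym("alice@example.com")
    return {
        # The plain hash is recovered by guessing.
        "unkeyed_reidentified": dictionary_attack(naive, guesses, unkeyed_pseudonym),
        # The keyed pseudonym is not, because the attacker cannot compute the HMAC.
        "keyed_reidentified": dictionary_attack(report[0]["subject"], guesses, unkeyed_pseudonym),
        "distinct_subjects": len({r["subject"] for r in report}),
        "email_left_in_report": any("email" in r for r in report),
    }


if __name__ == "__main__":
    print(demo())
```

Two design points follow from the code. First, re-identification is possible for whoever holds the key, so the key must live in a separate, access-controlled store and the reporting dataset must still be encrypted at rest and protected as personal data. Second, because the pseudonym is deterministic, it is linkable across rows and exports; if linkability is not needed for a particular dataset, a per-dataset key (or a random token table) limits what an attacker can correlate.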

“Notification of a personal data breach to the supervisory authority” (GDPR Article 33)

Processors must notify the controller of any personal data breach “without undue delay,” and controllers must notify the competent supervisory authority within 72 hours of becoming aware of a breach, unless the breach is unlikely to result in a risk to individuals. The likely impact of a breach of personal data records should be assessed in advance, and all procedures for responding to a breach should be documented.

“Data protection impact assessment” (GDPR Article 35)

Where processing is likely to result in a high risk to individuals, the risks and the security measures applied must be documented alongside the processing operations that involve personal data, including an explanation of why the processing is necessary and proportionate. The measures taken to address those risks, protect personal data, and demonstrate compliance with GDPR must be documented as well.

Proactive preparation for GDPR compliance

Beeline currently complies with data security and privacy laws around the world. We established a global project to comply with GDPR, covering both our internal processes and our commercial offerings. As part of this project, we are enhancing our ongoing commitment to privacy by design and working to limit the amount and use of personal data in our solutions to what is specifically required. This work also strengthens the controls already in place to limit access to personal data, including mobile applications with sensible default settings that prevent client or personal data from being inadvertently shared with others. We recognize that our customers depend on Beeline’s solutions to comply with all relevant laws and regulations, and we are well positioned to meet this critical need. If you would like to learn more about Beeline’s commitment to GDPR compliance, please contact your Beeline representative.