The European Union's General Data Protection Regulation (GDPR) is in force. ZAP is committed to helping its customers comply with this new regulation.
What is the GDPR
The General Data Protection Regulation (GDPR) is a European regulation of 27 April 2016 which aims to protect individuals and their personal data.
Indeed, many services have developed on the web and monetize the personal data of their users, often without their knowledge. The risks go beyond unwanted marketing and commercial use; this is an important social issue.
Although the GDPR does not introduce many new concepts, this regulation considerably increases the compliance requirements of personal data controllers.
Which companies are impacted?
Any organization that collects or processes personal data within the European Union is subject to this regulation, regardless of its location.
The companies mainly targeted are those that collect, use or market personal data, often for marketing and commercial purposes. These are for example:
a search engine that displays advertising based on your searches,
an e-mail service that displays advertising based on the content of your messages,
a social network that pushes advertising information to you based on your profile,
an application that collects personal information for resale,
a service that cross-checks with different sources to target people.
Is my organization concerned?
Potentially all companies are concerned, even if to varying degrees. Your company almost certainly manages sensitive data about people, for example in CRM or personnel management tools.
The GDPR provides for a deterrent sanction of up to €20 million or 4% of turnover, whichever is higher. It is therefore important to address this issue in order to comply with the GDPR.
Each company must examine this regulation to determine whether or not it applies to its organization.
According to Article 3 of the GDPR, the regulation applies to the processing of personal data relating to individuals within the EU by a controller or a processor, where the processing activities relate to:
offering goods and services to data subjects within the EU,
monitoring the behaviour of these people within the EU (profiling).
When does the GDPR apply?
The GDPR applies as of May 25, 2018. Even if you find out late, it is never too late to start acting. Your business probably does not have a business model that relies on the exploitation of personal data and is therefore not on the front line. Nevertheless, it is necessary to start the first actions (obligation of means).
What does my organization need to do to prepare?
Each organization must determine whether or not it must comply with the GDPR. Here are some tips to help you:
Understanding the regulations
Make sure you understand what the regulations mean for your organization.
It is also necessary to talk to key decision-makers so that they understand the likely impact of the GDPR in your organization. Do not underestimate the time and resources required to adapt to these regulations.
Determining whether you need to appoint a Data Protection Officer
Under the GDPR, it becomes mandatory for certain controllers and subcontractors to appoint a data protection officer.
This will be the case for all authorities and public bodies that process personal data.
This will also be the case for organizations whose main activity consists of systematic, large-scale monitoring of individuals, or of large-scale processing of special categories of personal data (Article 29 of the GDPR addresses this subject in more detail).
Carry out an assessment of the use of personal data
It is necessary to determine where and for what purpose your organization collects personal data.
Do you share this information? If so, to whom?
Work is required to enumerate your existing business processes and bring them into compliance with the GDPR.
Review your consent practices
Processing of personal data is possible as long as a legal basis exists.
For example, do you currently ask your users to consent to the collection and processing of their personal data?
Follow the CNPD methodology
We advise you to follow the 7-step methodology proposed by the CNPD to structure your approach.
The software vendor ZAP and the GDPR
How are software vendors concerned?
A software vendor is not responsible for the processing operations implemented by its customers.
The data controller (the person in charge of processing) is the owner of the data.
On the other hand, the CNPD considers that it is up to the data controller to choose software solutions that provide proof of compliance in terms of "Data Protection".
Software vendors are therefore now concerned. They must apply best practices such as security principles, encryption, documentation of software security issues, minimization of personal data, ...
This is the principle of accountability, where whoever actually processes personal data must prove that they are complying with the GDPR.
Software vendors in SaaS mode are particularly concerned. In this case, the software vendor becomes a service provider that outsources the hosting of its software and its customers' data to a datacenter. An adapted service contract must be put in place to frame the outsourcing of hosting, including data security.
What does this have to do with ZAP?
ZAP publishes Squareboard, a software solution offering collaborative intranet/extranet, social network, document management and knowledge base functionalities. This leads our clients to manage personal or sensitive data concerning people, mainly employees. They can also be external members of the organization such as suppliers, partners or customers.
The positive points with Squareboard and ZAP?
A number of points should be highlighted that point in the right direction for the GDPR:
ZAP's business model is that of a "classic" publisher. The data remains the property of the customer. We are therefore not in the same situation as those companies that monetize personal data.
The purpose of Squareboard is to communicate, collaborate, manage documents, share knowledge... what ZAP sums up in "Unify - Communicate - Collaborate - Accomplish".
Squareboard's design is entirely focused on this goal. We are therefore not in the case where the displayed purpose hides another purpose.
Authenticated users collaborating on Squareboard do so knowingly and on a voluntary basis, and have the ability to modify the data that concerns them. Provided they are well informed, we are not in the case of companies that collect personal data without the knowledge of their users.
Finally, ZAP is particularly attentive to issues of confidentiality and security. The Squareboard solution integrates the "Privacy by Design" and application protection mechanisms recommended by OWASP standards.
The Open Web Application Security Project (OWASP) is a recognized online community working on web application security. Its philosophy is to be both free and open to all. It aims to publish web security recommendations and to provide Internet users, administrators and companies with reference methods and tools to assess the level of security of their web applications.
What are ZAP's commitments?
ZAP was already committed, prior to the application of the GDPR, to data protection, which is an inherent part of the design of ZAP's software and services offerings.
This design now incorporates the new GDPR requirements. ZAP will continue to develop Squareboard, improving existing features and offering new ones, in compliance with the GDPR, to help its customers apply the requirements of this regulation as well as possible. ZAP already offers many features that meet GDPR requirements, including fine-grained and configurable access rights mechanisms, retention and deletion mechanisms, encryption of documents and of exchanges between client workstations and the server, strong password protection, ...
To go further
The official reference of the GDPR is: Regulation (EU) 2016/679 of the European Parliament and of the Council of 27 April 2016 on the protection of individuals with regard to the processing of personal data and on the free movement of such data.
If you have any questions regarding personal data, please contact Mr. Xavier Schaeffer, ZAP's data protection officer, who is responsible for ensuring that your rights are respected. You can reach him by email or by phone at +352 260 931.
ZAP will only respond to requests from an authorized representative of a customer and not from an individual employee.