The EU General Data Protection Regulation (“GDPR”) applies from May 25, 2018, and brings with it the most significant changes to European Union data protection law in two decades.
The GDPR aims to give individuals in the EU stronger, more consistent rights to access and control their personal information. While the GDPR’s scope is limited to the personal data of individuals in the EU (it turns on where the data subject is, not on citizenship), we believe it is ushering in new best practices for the protection of personal data, and we pride ourselves on being in line with such practices.
The Search Agency is committed to ensuring the security and protection of the personal information that we process, and to providing a compliant and consistent approach to data protection. We have always had a robust and effective data protection program in place, and we are updating and expanding this program in line with the heightened standards of the GDPR.
What We’re Doing
The Search Agency has established a data privacy team to promote awareness of the GDPR across the organization, assess its impact, identify potential gap areas and implement the new policies, procedures and measures needed to maintain best practices in data protection worldwide. Here’s a snapshot of what we’re doing:
- Information Audit: Carrying out a company-wide information audit on the personal information we hold, where it comes from, how and why it’s processed and if and to whom it’s disclosed.
- Policies & Procedures: Updating data protection policies and procedures, as needed, to meet the standards of the GDPR, including:
- Data Protection: Updating our data protection policy and procedure manual to enhance accountability and governance measures with a dedicated focus on privacy by design and the rights of individuals.
- Data Retention & Erasure: Updating our retention policy and schedule to ensure we meet the “data minimization” and “storage limitation” principles and that personal information is stored, archived and destroyed in accordance with GDPR principles.
- Data Breaches: Updating our breach procedures to ensure our existing safeguards identify, assess, investigate and report any personal data breach at the earliest possible time.
- Employee Education: Training employees, using dedicated training materials, to ensure a company-wide understanding of all data protection policies and of how they are enforced.
- Information Security & Technical/Organizational Measures: Ensuring we have several layers of security measures in place to protect personal information from unauthorized access, alteration, disclosure and destruction, including access controls, secure file transfer (SFTP), pseudonymization and CRM integration.
The Search Agency and the GDPR: Q&A
Is The Search Agency a “data controller” or “data processor” under the GDPR?
The Search Agency is a data processor with respect to the personal data of our clients’ EU customers, which those clients control and ask us to process on their behalf in various ways. In certain limited instances, The Search Agency may also be a data controller under the GDPR. We understand the requirements of both roles under the GDPR and will work with our clients to help them achieve their compliance goals.
How will the GDPR impact The Search Agency operations?
The GDPR imposes strict requirements on the way businesses collect, store, manage and process the personal data of individuals in the EU. Because The Search Agency acts as a data processor for its clients, the GDPR requires it to implement stricter data handling processes, with a focus on security and accountability.
Is The Search Agency currently GDPR compliant?
The Search Agency views the GDPR requirements as the new standard for best practices in personal data collection and protection. While compliance with the GDPR is required only with respect to the personal data of individuals in the EU, The Search Agency aims to apply GDPR standards to its entire business regardless of where the data subjects are located. The design of The Search Agency’s revised processes reinforces the core principles of the GDPR:
- Lawfulness, Fairness and Transparency
- Purpose Limitation
- Data Minimization
- Storage Limitation
- Data Security (Integrity and Confidentiality)
What steps were taken towards GDPR compliance in Q1 – Q2?
- Appoint a data protection officer
- Internal analysis & strategy
- Ensure technical and organizational measures
- Audit of data security processes
- Ensure only necessary data is collected
- Ensure top level security of data
- Data breach plan & procedure
- Finalize data handling processes
- Internal training
Can clients use The Search Agency to obtain the explicit consent needed for processing of customer data under GDPR?
Since client properties (i.e. websites and apps) capture customer data directly, clients are data controllers under the GDPR’s definition (Article 4(7)) and therefore carry the responsibility of establishing a lawful basis for processing, including obtaining consent where consent is the basis relied on (Articles 6 and 7).
Will The Search Agency make updates to their data handling practices to restrict customer data from being available to employees who don’t need it in their role?
Yes. The Search Agency will appoint one member of the account team to process customer data on behalf of each client. That individual is responsible for ensuring the data is processed in accordance with the GDPR and for removing the client’s customer data from The Search Agency servers once processing is complete.
Will The Search Agency make process updates to allow for the deletion of all customer data upon request?
Yes. The Search Agency has instituted processes that require client customer data to be deleted from The Search Agency servers immediately after it has been processed. Additionally, The Search Agency will work with clients to maintain an “exclusion list” for marketing purposes, consisting of users who have exercised their right to erasure (the “right to be forgotten”, Article 17).
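An exclusion list of this kind is itself personal data if it holds the erased users’ plaintext addresses, so the usual practice is to combine it with the pseudonymization measure mentioned above and store only keyed digests. The following Python is an added illustration of that approach, not The Search Agency’s own implementation: each address is normalized and replaced by an HMAC-SHA256 digest under a secret key, and a marketing batch is screened against the digests without the list ever containing an address. The key, the sample addresses and the helper names are assumptions constructed for the example.

```python
import hashlib
import hmac
import unicodedata
from typing import Iterable, List

# Constructed demo key for this example only. In practice load it from a
# secret store, keep it separate from the list itself, and rotate it.
DEMO_KEY = b"constructed-demo-key-do-not-use-in-production"


def normalize_email(email: str) -> str:
    """Canonicalize an address so trivial variants map to one digest.

    Applies Unicode NFKC normalization, strips surrounding whitespace and
    case-folds; anything that is not exactly one 'local@domain' is rejected.
    """
    candidate = unicodedata.normalize("NFKC", email).strip().casefold()
    if candidate.count("@") != 1:
        raise ValueError("not a single email address")
    local, domain = candidate.split("@")
    if not local or not domain:
        raise ValueError("empty local part or domain")
    return f"{local}@{domain}"


def pseudonymize(email: str, key: bytes = DEMO_KEY) -> str:
    """Return the hex HMAC-SHA256 digest of the normalized address.

    A keyed digest, rather than a plain hash, means a leaked list cannot be
    matched against a dictionary of known addresses by anyone without the key.
    """
    data = normalize_email(email).encode("utf-8")
    return hmac.new(key, data, hashlib.sha256).hexdigest()


class ExclusionList:
    """Suppression list that stores only pseudonymized identifiers."""

    def __init__(self, key: bytes = DEMO_KEY) -> None:
        self._key = key
        self._digests = set()

    def add(self, email: str) -> None:
        """Record an erasure request; the plaintext address is not retained."""
        self._digests.add(pseudonymize(email, self._key))

    def contains(self, email: str) -> bool:
        """True if the address was previously added; malformed input is False."""
        try:
            return pseudonymize(email, self._key) in self._digests
        except ValueError:
            return False

    def screen(self, emails: Iterable[str]) -> List[str]:
        """Drop every listed address from a marketing batch."""
        return [e for e in emails if not self.contains(e)]

    def __len__(self) -> int:
        return len(self._digests)


# Constructed sample data for the example.
ERASURE_REQUESTS = ["Alice.Example@example.com", "bob@example.org"]
MARKETING_BATCH = [
    "alice.example@EXAMPLE.com",  # same person as the first request, different case
    "carol@example.net",
    " bob@example.org ",          # same person as the second request, stray whitespace
    "dave@example.com",
    "not-an-address",             # malformed: not on the list, left for downstream validation
]


def demo() -> List[str]:
    """Build the list from the erasure requests and screen the batch."""
    exclusions = ExclusionList()
    for email in ERASURE_REQUESTS:
        exclusions.add(email)
    return exclusions.screen(MARKETING_BATCH)


if __name__ == "__main__":
    print(demo())
```

Two caveats follow from the design. Pseudonymized data is still personal data under the GDPR (Recital 26) for as long as the key exists, so the key needs the same access controls as the data it protects and must not be stored alongside the list. And the normalization step decides what counts as “the same user”: it must be identical wherever digests are produced, otherwise an erased user can slip back in under a trivially different spelling of their address.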
Does The Search Agency have a personal data breach notification process?
Yes. We have a specific data breach notification procedure in place and respect the GDPR’s deadlines in communicating a breach: as a processor we notify the affected client (the controller) without undue delay after becoming aware of it (Article 33(2)), and where we act as a controller we notify the supervisory authority within 72 hours where required (Article 33(1)).