GENERAL DATA PROTECTION REGULATION ABACUS DATA SYSTEMS, INC.’S COMMITMENT
Last Updated: April 5, 2018
Abacus Data Systems, Inc. (“Abacus,” “we,” “our,” and “us”) has always taken privacy and security seriously. The General Data Protection Regulation (“GDPR”) is a regulation intended to strengthen and unify data protection for all individuals within the European Union (“EU”). It also addresses the export of personal data outside the EU. The GDPR becomes enforceable on May 25, 2018.
Abacus is committed to keeping customer data private and safe. This commitment includes helping our clients understand and prepare for the GDPR. On this page, we’ll explain our plans to achieve GDPR compliance for ourselves.
COMMITMENT TO DATA PROTECTION & GDPR COMPLIANCE
Abacus is committed to being GDPR compliant by the May 25, 2018 deadline. Until that time, all our clients and consumers should be aware that Abacus currently adheres to all relevant data protection and privacy regulations within the EU and elsewhere.
Requirements are significant, and our team is working diligently to be compliant with the GDPR when it becomes enforceable. We are currently assessing processes and systems and reviewing current product features in order to implement necessary changes.
Abacus, which is headquartered in the US, has affiliated companies in the UK and therefore primarily follows the advice of the UK Information Commissioners Office (“ICO”) to ensure it is meeting its obligations under GDPR. The ICO lays out 12 key steps for GDPR preparedness.
1. Awareness. Abacus is working on ensuring all relevant Abacus staff and clients are aware of the GDPR regulations and that appropriate training and information are made available. As of this update, Abacus has been working with our lawyers to update our website and our employee handbooks to include information and policies related to the GDPR. Abacus has also interviewed and is in the process of engaging a GDPR expert to create internal briefing materials and to run training sessions for all Abacus staff.
2. Information Audit. The GDPR requires that organizations maintain records of all processing activities as well as the legal bases for processing such data. Abacus is currently preparing a full data audit of all information it holds and processes and the legal basis for processing (see section entitled “Consent” below). It is expected the full audit will be complete before May 25, 2018.
3. Communicating Privacy Information. Abacus is reviewing its current privacy notices in order to ensure any necessary changes are put in place in time for GDPR implementation.
4. Individuals’ Rights. Abacus will provide all individuals for which we either control or process personal data with the following rights:
- right to be informed
- right of access
- right to rectification
- right to erasure
- right to restrict processing
- right to data portability
- right to object
- right not to be subject to automated decision making and profiling.
5. Subject Access Requests. Abacus will be fully compliant in handling Subject Access Requests (“SARs”) within the required one month from receipt deadline under the GDPR. The appropriate policies and procedures are currently being put in place.
6. Lawful Basis for Processing Personal Data. Businesses require a legal basis for processing personal data. There are six legal bases available, the most commonly used in the Cloud Hosting and Software as a Service (“SaaS”) industries are consent, legitimate interest, and contractual necessity. This involves a balancing of the legitimate interests of Abacus (for example, product improvement, and marketing) with the right to privacy of the individual. Abacus will be relying on a mixture of these legal bases, which will be determined after we conclude our Data Protection Impact Assessment (which is currently underway).
7. Consent. We are following the advice of our lawyers and the ICO guidance on consent under GDPR as well as preparing for the confirmation of consent where required. In the case where Abacus is considered a “Controller,” we are working to update our website and contracts so that users and clients understand what personal data we collect, how we collect it and what we do with it, and to provide users and clients with the opportunity to give explicit consent concerning the collection and use of their personal data. In the case where Abacus is considered a “Processor” or “Sub-Processor,” we are working to ensure that our clients are in compliance with GDPR regulations, and where appropriate, they have obtained consent to collect, use and process personal data.
8. Children. Our products and services are not intended for use by Children. We will work with our clients to ensure that, as Controllers and/or Processors, they are (or will be) GDPR compliant.
9. Data Breaches. As a cloud-based company, we've set high standards for security and we have invested in building robust security measures. Abacus has in place the appropriate policies and escalation procedures in the event of a personal data breach to ensure adequate detection, reporting and investigation.
10. Data Protection by Design and Data Protection Impact Assessments. Abacus is ensuring that all product and tech development has privacy by design built into the process. Privacy and security are vital to our product development and development philosophy.
11. Data Protection Officers (“DPO’s”). Abacus has engaged a dedicated Data Protection Officer. Abacus already has in place a Chief Information Officer and dedicated data security team responsible for data infrastructure and security.
12. International Compliance. Abacus has identified the UK’s Information Commissioner’s Office as its lead supervisory authority.
We are working with our lawyers and our DPO on creating a vendor questionnaire to determine whether or not each vendor is in compliance, or is working toward compliance, with the GDPR. We are also working to update our vendor contracts so that, where appropriate, our vendors are contractually bound to comply with the GDPR.
PRIVACY SHIELD & DATA TRANSFER
To comply with EU data protection laws around international data transfer mechanisms, we will become self-certified under the E.U.-U.S. Privacy Shield and the Swiss-U.S. Privacy Shield. These frameworks were developed to establish a way for companies to comply with data protection requirements when transferring personal data from the European Union and Switzerland to the United States.
Transparency is important to us. We will keep you updated as we continue to fulfill our privacy and security commitments. This page will be revised to include new GDPR-related information as it becomes available. If you have any questions about how Abacus will comply with the GDPR, please feel free to email us at firstname.lastname@example.org