Table of Contents
DISCLAIMER: This white paper is an informative commentary on the GDPR, as interpreted by Replicon in accordance with how Replicon’s operations and business are conducted. This white paper is neither intended to nor should be relied upon as legal advice or used to determine applicability/coverage of GDPR to you and your organization. We encourage you to work with a legally qualified professional to discuss GDPR, how it applies specifically to your organization, and how best to ensure compliance.
The General Data Protection Regulation (GDPR), agreed upon by the European Parliament and Council in April 2016, will replace the Data Protection Directive 95/46/ec in Spring 2018 as the primary law regulating how companies protect EU citizens’ personal data. Companies that are already in compliance with the Directive must ensure that they’re compliant with the new requirements of the GDPR before it becomes effective on May 25, 2018. For companies that fail to comply with certain GDPR requirements, fines may be up to 2% or 4% of total global annual turnover or €10m or €20m, whichever is greater.
The purpose of the GDPR is to impose a uniform data security law on all EU members, so that each member state no longer needs to write its own data protection laws and laws are consistent across the entire EU. In addition to EU members, it is important to note that any company that markets goods or services to EU residents, regardless of its location, is subject to the regulation. As a result, GDPR will have an impact on data protection requirements globally.
Recent statistics reveal:
Businesses must ensure they are in compliance with these requirements before May 25, 2018:
Requiring the consent of subjects for data processing
Anonymizing collected data to protect privacy
Providing data breach notifications
Safely handling the transfer of data across borders
Requiring certain companies to appoint a data protection officer to oversee GDPR compliance
Simply put, the GDPR mandates a baseline set of standards for companies that handle EU citizens’ data to better safeguard the processing and movement of citizens’ personal data.
What Does The GDPR Regulate?
The GDPR regulates the processing of data subjects’ personal data by data controllers and processors.
Processing is any operation which is performed on personal data and essentially includes anything you can do with or to data, such as accessing, collecting, storing, analysing, transferring or deleting.
Data subjects are any identified or identifiable natural, living persons. A data subject cannot be a deceased person or a legal entity (such as a corporation).
Personal data is any information which relates to a data subject. The GDPR definition of personal data is broad and includes not only data which we would typically consider to be personal (such as name, contact details and date of birth) but also less obvious data like IP address, online identifiers and device IDs.
The GDPR gives certain categories of personal data (so-called “special categories of personal data”) additional protection. Such data includes any information revealing an individual’s race, ethnic origin, religion, political opinions, philosophical beliefs, trade union membership and sexual orientation/life as well as any health, genetic or biometric information. The GDPR also has special rules for data relating to criminal convictions or offenses and the processing of children’s personal data.
Data controllers are businesses or organizations which determine the purposes and means of the processing of personal data.
Data processors are businesses or organizations that process personal data on behalf of, and as directed by, data controllers. For example, when a data controller outsources a data processing function to another entity, that other entity is generally a data processor.
Replicon’s Journey To GDPR Compliance
Replicon strives to foster customer partnerships based on mutual trust and respect. As a company that helps keep millions of business compliant with labour laws across the globe, we aim to stay ahead of the curve ourselves with GDPR compliance. We highly value the privacy and security of customer data, and have proactively undertaken a robust compliance audit and project to prepare for the 25 May 2018 start date. Replicon takes compliance seriously, and we look forward to partnering with our customers so that we can each meet our responsibilities under the GDPR.
Replicon already operates in a way that is consistent with the GDPR framework and goals, and our security practices comply with much of the widely accepted standards and regulations.
To ensure full compliance, our Product, Legal and Security teams are evaluating all practices and procedures and taking the necessary steps to comply with new regulations.
“Maintaining stringent privacy, security, and protection of customer data is of the utmost importance to the Replicon team,” says Suresh Kuppahally, Replicon Executive Vice President, Engineering & Operations. “It’s critical that our customers are both confident in the protection of their data, and ultimately have a clear understanding of and control over how their data is used. The ultimate goal of our GDPR-compliance is to keep our customers secure, happy, and in control of their data.”
Sign your DPA
We want to enable our customers in formalizing and sharing that they use Replicon is a GDPR-compliant manner easily with their key stakeholders. Customers can download a pre-signed DPA (Data Processing Addendum) from Replicon add their signature to ratify the document.
On signing it, please email it to GDPR@replicon.com and if accurately completed, we will notify you and it will become legally binding. We will reach out to you incase of any issues.
Frequently Asked Questions
The GDPR will officially be enforced from May 25th 2018. Organizations which are not compliant by this date may be subject to fines and other regulatory sanctions.
Yes. Replicon will be subject to the GDPR because:
– We are established in the European Union (by virtue of our UK office)
– We offer our products to customers based in the European Union
– Our processing involves the monitoring of EU data subjects (on behalf of our customers)
Replicon provides a Time Intelligence® platform that enables our customers to collect, harness and use processed time data in order to pay their employees or bill their customers (or both). Inevitably, in the course of providing these services, Replicon processes personal data about our customers and our customers’ employees and/or customers.
For example, when our customers provide us with information about employee time off, we process personal data such as name, location, email address and contact information on behalf of our customers. When our customers provide us with information about employee attendance we process biometric data (a “special category” of personal data) on behalf of our customers.
Replicon also collects certain online digital information automatically through our website and products. This information includes personal data (within the meaning of the definition above) such as IP addresses and cookies data.
Replicon also processes personal data of its employees, customers and suppliers as a controller. For instance, Replicon processes customer contact information for customer relationship and account management and to conduct direct marketing.
Replicon uses appropriate technical and organisational security measures to protect customer data (these measures differ according to whether the data is hosted on the Gen 2 or Gen 3 platform). Replicon is also continually reviewing its safety measures for enhancements, including as part of its GDPR compliance program, and is currently working toward SOC and ISO 27001 certification.
It’s critical that our customers are both confident in the protection of their data, and ultimately have a clear understanding of and control over how their data is used.
Executive Vice President, Engineering
& Operations, Replicon
No. The GDPR comes into effect before the UK officially leaves the European Union, which the UK government has 1 announced will take place on March, 29th 2019. Once the UK leaves the EU, the GDPR itself will no longer form part of UK law (subject to any transition period agreed between the UK and the EU). However, Replicon will still need to ensure compliance with the GDPR by virtue of our offering products to customers based in the European Union and monitoring the behaviour of EU data subjects (as explained above).
Replicon puts great emphasis on privacy and security of customer data and we have embarked on a robust compliance project to become GDPR-ready by the time the GDPR enters into force. Specific measures Replicon is undertaking include:
Undertaking a data mapping exercise for the purpose of creating the necessary data processing records required by Article 30 of the GDPR
Reviewing and updating its standard customer terms to incorporate the mandatory data processor terms required by Article 28 of the GDPR
Reviewing and, where necessary, updating any arrangements it has with third party sub-processors to ensure that all such sub-processor arrangements comply with the GDPR
If you have any questions about the GDPR or require assistance please contact GDPR@replicon.com