We’re committed to partnering with our customers and users to help them understand and prepare for the General Data Protection Regulation (GDPR). The GDPR is the most comprehensive EU data privacy law in decades and will go into effect on May 25, 2018.
Besides strengthening and standardizing user data privacy across the EU nations, the GDPR will require new or additional obligations on all organizations that handle EU citizens’ personal data, regardless of where the organizations themselves are located. On this page, we’ll explain our methods and plans to achieve GDPR compliance, both for ourselves and for our customers.
Organizations established in the EU and processing personal data of EU-based individuals will, in almost all cases, be required to comply with the GDPR by May 25, 2018. The GDPR updates and harmonizes the framework for processing personal data in the European Union, and brings with it new obligations for organizations and new rights for individuals. Many organizations, large and small, are now preparing for the new regulation. Here at Certify, Inc., we are committed to achieving GDPR compliance for the Certify, Nexonia, and Tallie brands.
Preparing for the GDPR
The GDPR’s updated requirements are significant. Here at Certify, Inc., we have partnered with TrustArc to assist in our compliance efforts. Measures to achieve this include:
- Assessing our current level of compliance, then identifying and prioritizing those tasks needed to update our privacy policies, procedures, and practices to achieve compliance.
- Conducting an inventory of customer and employee data flows, data sharing relationships, practices and procedures across the Certify, Nexonia and Tallie products. This will result in the creation of a DataInventory which we will maintain.
- Making sure we have the appropriate contractual terms in place.
- Ensuring we can continue to support international data transfers by maintaining our Privacy Shield certifications, and by executing Standard Contractual Clauses through our updated Data Protection Addendum.
In addition to these specific objectives, we’ll also continue to monitor the guidance around GDPR compliance from privacy-related regulatory bodies, and will adjust our plans accordingly if it changes.
What is a Data Protection Addendum (“DPA”)?
Certify, Inc. will be offering customers and prospects a robust Data Protection Addendum (“DPA”), which governs the relationship between the customer (acting as a data controller) and Certify, Inc. (acting as a data processor). The DPA facilitates our customers’ compliance with their obligations under EU data protection law. Our DPA is a key requirement for compliance with the GDPR. Our DPA contains data transfer frameworks to ensure that our customers can lawfully transfer personal data to Certify, Nexonia and Tallie, which are systems that are hosted outside of the European Union. Such data transfers require the foundation of one of three mechanisms: our Binding Corporate Rules, our Privacy Shield Certification, or Standard Contractual Clauses.
Our Security Infrastructure and Certifications
Data Security: The Certify, Nexonia and Tallie products provide our customers’ compliance with high-security standards, such as strong encryption of data, auditing standards (PCI DSS, SOC 2, Privacy Shield), regular vulnerability scanning and penetration testing, and regular review of our security policies and procedures. We make security and compliance documents available to current customers and sales prospects through our own Mutual-NDA Security Documents Portal. The GDPR Data Processing Agreement will become available as a contract addendum, and our current plan is to require all customers and prospects to agree to our DPA. We may also offer a simple waiver that customers without EU relationships can sign instead of our DPA.
We are excited to deliver on GDPR requirements because we believe it is a large step forward for all customers and users, whether residing in the EU or elsewhere. As always, please feel free to contact your Account Manager or Support team with any questions or concerns you may have. Thank you for using our products and entrusting us with your employees’ data. Rest assured that we do not take that privilege lightly, and we will do everything in our power to continue to earn your trust!