Is my organization affected by GDPR?
Any organization that stores or processes the data of EU (European Union) residents is subject to GDPR. If you have customers, exhibitors, registrants, speakers, vendors, etc. who reside in the EU, you will be subject to the GDPR regulations.
Does GDPR require EU data to stay in the EU?
No. GDPR does not require the personal data of European Union (EU) residents to stay in the EU nor does it place any new restrictions on transfer of personal data outside of the EU.
What is Momentus Enterprise Software doing to help my organization be compliant with GDPR?
GDPR encompasses all aspects of data collection, storage, processing, and disposal. While Momentus Enterprise Software does not claim to be a GDPR expert, or a legal or tax expert, we can assist you in implementing our software so that your processes are GDPR-compliant. Our software and consultants can help you find paths to ensure that your new processes can be implemented in an effective manner.
The Momentus Enterprise Software application itself will provide features and functionality to address the GDPR requirements covering all GDPR aspects of data handling. Requirements around policies and processes, as well as the proper configuration of the application, remain the responsibility of each organization.
What version of the Momentus Enterprise Software application will be GDPR-compliant?
Software applications themselves are not GDPR-compliant. Instead, the question is really when will applications provide features and functionality to make it easy for organizations to be GDPR-compliant. For the Momentus Enterprise Software application, version 20.93 and subsequent service releases to that version will contain necessary features that will allow your organization to implement GDPR workflows and processes.
It is strongly recommended that you upgrade to version 20.92 in the interim so the upgrade to version 20.93 has as minimal an impact to your organization as possible. Staying current is the best way to ensure that your organization has the latest security and compliance changes as well as additional enhancements to improve your organization’s workflows.
What type of data does GDPR cover?
GDPR is intended to protect personal data of individuals. Personal data is typically defined as
“any information relating to an identified or identifiable natural person (‘data subject’); an identifiable natural person is one that can be identified, directly or indirectly, in particular by reference to an identifier such as a name, an identification number, location data, an online identifier or to one or more factors specific to the physical, physiological, genetic, mental, economic, cultural, or social identity of that natural person”
This information can be anything from a name, a photo, or an email address to medical information or a computer's IP address.
How does GDPR protect an individual’s data?
GDPR protects data through ensuring explicit consent from an individual to collect, store and process his/her information. GDPR also clarifies the “right to forget” which empowers individuals to request the deletion and/or anonymization of his/her data from an organization and have that request fulfilled.
How will the Momentus Enterprise Software application handle “explicit and unambiguous” consent?
The Momentus Enterprise Software application will allow our customers to create preferences (consent items) within all public-facing applications. These preferences can then be used to get consent for various workflows and processes within your organization. Preferences can then be tracked and viewed within the Backoffice area of the application.
How does being in the Momentus Enterprise Cloud help our organization meet GDPR requirements?
Meeting the regulations of GDPR can require significant investments in time, effort, cost and expertise. Customers who are in the Momentus Enterprise Cloud upgrade more quickly and can take advantage of the latest improvements in Momentus Enterprise Software in a more timely manner. The Momentus Enterprise Cloud also provides a safe environment to manage and process your data, and accommodate efforts required to keep pace with changing policies.
How will the “Right to Forget” be fulfilled in the Momentus Enterprise Software application?
A portal is being provided that will allow an individual to request removal of his/her data, while the Momentus Enterprise Software application will have a Backoffice process to perform that removal. Removal consists of deleting an individual’s data when possible and anonymizing all other data for that individual. Because of referential integrity within the Momentus Enterprise database, certain records cannot be deleted. Instead, the record will remain in the database but will be anonymized so the individual associated with that record cannot be identified. In some cases, individuals cannot be deleted or anonymized because of business reasons (e.g. open invoices, contracts, etc.). The request to remove will still be logged, but the application will not allow removal and will provide the Backoffice user with the reasons for denial.
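As an added illustration of the three outcomes described above (this is not Momentus code; the schema, table names, sample people and the '[anonymized]' marker are constructed assumptions), the following Python sketch handles a removal request against a small in-memory SQLite database: delete when nothing references the record, anonymize when referential integrity blocks deletion, and log a denial with its reason when an open invoice exists.

```python
import sqlite3

# Constructed schema, an assumption standing in for a real back-office data model.
# The invoice -> person foreign key is what makes some deletions impossible.
SCHEMA = """
CREATE TABLE person(id INTEGER PRIMARY KEY, name TEXT, email TEXT, ip TEXT);
CREATE TABLE invoice(id INTEGER PRIMARY KEY,
                     person_id INTEGER NOT NULL REFERENCES person(id),
                     status TEXT NOT NULL);
CREATE TABLE erasure_log(person_id INTEGER, outcome TEXT, reason TEXT);
"""

def setup():
    """Build the constructed sample database: three people in three situations."""
    con = sqlite3.connect(":memory:")
    con.execute("PRAGMA foreign_keys = ON")  # enforce referential integrity
    con.executescript(SCHEMA)
    con.executemany("INSERT INTO person VALUES (?,?,?,?)", [
        (1, "Ana Example", "ana@example.com", "192.0.2.10"),  # no dependent records
        (2, "Ben Example", "ben@example.com", "192.0.2.11"),  # only a paid invoice
        (3, "Cy Example", "cy@example.com", "192.0.2.12"),    # an open invoice
    ])
    con.executemany("INSERT INTO invoice VALUES (?,?,?)",
                    [(10, 2, "paid"), (11, 3, "open")])
    con.commit()
    return con

def handle_erasure_request(con, person_id):
    """Apply a removal request; always logs it and returns the outcome."""
    blocking = con.execute("SELECT COUNT(*) FROM invoice WHERE person_id=? AND status='open'",
                           (person_id,)).fetchone()[0]
    if blocking:
        # Business reason: open invoices must be kept, so removal is refused but recorded.
        outcome, reason = "denied", f"{blocking} open invoice(s)"
    else:
        try:
            with con:  # commits on success, rolls back on error
                con.execute("DELETE FROM person WHERE id=?", (person_id,))
            outcome, reason = "deleted", "no dependent records"
        except sqlite3.IntegrityError:
            # Referenced by retained records: keep the row but strip identifying fields.
            with con:
                con.execute("UPDATE person SET name='[anonymized]', email=NULL, ip=NULL "
                            "WHERE id=?", (person_id,))
            outcome, reason = "anonymized", "referenced by retained records"
    with con:
        con.execute("INSERT INTO erasure_log VALUES (?,?,?)", (person_id, outcome, reason))
    return outcome

def erasure_log(con):
    """Return the logged requests so a Backoffice user can see each outcome and reason."""
    return con.execute("SELECT person_id, outcome, reason FROM erasure_log").fetchall()
```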
How does “Right to Forget” apply to data backups?
If an individual requests removal from your database, how should that removal request be handled regarding database backups where that individual’s personal data may reside? This question has been debated many times especially as the GDPR date draws near. To be clear, there is no specific direction within GDPR regarding data backups, so any advice given on this should be taken as opinion and not fact. Hopefully, more direction will be provided once a certification program is developed.
One school of thought is that data backups are not within the scope of GDPR. In Article 4, Definitions, there is an explanation of the term 'processing'. By that definition, backed up data is not processed and therefore does not fall under the scope of GDPR:
“‘processing’ means any operation or set of operations which is performed on personal data or on sets of personal data, whether or not by automated means, such as collection, recording, organisation, structuring, storage, adaptation or alteration, retrieval, consultation, use, disclosure by transmission, dissemination or otherwise making available, alignment or combination, restriction, erasure or destruction;”
Is this enough to consider data backups out-of-scope for GDPR? There are mixed opinions on this, of course. In the end you will need to decide what is best for your organization.
So, if data backups are within the scope of GDPR, do we need to remove an individual’s data from all backups every time they request it? Implementing procedures and processes to address this would certainly take its toll on any organization. Because of that, another school of thought on GDPR and data backups is to let the natural turnover of backups address the data removal aspect. This means that if you cycle your data backups every 30 days, every 6 months, or annually, this cycle becomes part of your removal policy. If a request for removal comes in, your policy would state that removal from the current system is immediate (or close to it), while removal from any data backups will occur within 6 months or whatever your turnover time is. What about the obligation to remove an individual’s data upon request? Given the hardship that a GDPR removal process on data backups might impose, the “reasonable” qualifier used throughout the GDPR law could be relied upon:
“…taking account of available technology and the cost of implementation, shall take reasonable steps, including technical measures…"
This means that it is a reasonable step to remove personal data from backups over a longer period of time as long as the personal data is removed from the current database upon request.
How does “Right to Forget” apply to tax laws?
Many tax laws require information supporting tax payments to be kept for up to 7 years. What should happen if an individual you’ve done business with in the past requests his/her information to be removed? With GDPR, local laws should take precedence so make sure you consult with your tax attorney or other tax expert. The most important thing to keep in mind is to incorporate your handling of personal data into your policies. If you are required by law or have a business need to retain personal data for 7 years, then make sure that is part of your policy.