General Data Protection Regulation May 2018.
The GDPR is the largest change in data protection law since the introduction of the EU Data Protection Initiative in 1995. The aims of the GDPR are simple: to improve the security and protection of personal data. The new regulations replace the previous Data Protection Directive, and ExpenseIn welcomes this change. Protecting our customers' data is of the utmost importance to us, and we confirm that when the changes come into effect on May 25th 2018 ExpenseIn will be compliant with the new legislation and all laws relating to it.
The GDPR will bring a number of significant changes to the current Data Protection Initiative, including but not limited to increased territorial scope, strict penalties for failing to meet GDPR requirements and the strengthening of the conditions for consent. In addition, the rights of data subjects have been substantially improved: they now have the right to access their data, to request that their data be removed, and to be notified within 72 hours of a known data breach.
ExpenseIn has set up a GDPR committee, chaired by our Data Protection Officer, to monitor and assess the full impact of the GDPR and to ensure full compliance with the upcoming GDPR regulations.
ExpenseIn is performing an updated privacy impact assessment to identify the most effective way to meet GDPR compliance and ensure full transparency with all of our customers.
ExpenseIn is undertaking a review of all internal policies as well as supplier and customer contracts to ensure GDPR compliance is maintained throughout.
Over the coming months we will be adding a number of enhanced security features including multi-factor authentication (MFA), transparent device management and increased password control.
ExpenseIn only engages with suppliers who share our commitment to security and data protection. By working with leading providers such as Amazon AWS and SagePay we ensure that our entire service meets the levels demanded by both the GDPR and our customers.
It applies to all companies processing and holding the personal data of data subjects residing in the European Union, regardless of the company’s location.
The GDPR was approved and adopted by the EU Parliament in April 2016. The regulation will take effect after a two-year transition period and, unlike a Directive, it does not require any enabling legislation to be passed by government, meaning it will be in force in May 2018.
Companies can be fined up to 4% of annual global turnover or €20 million for breaching the GDPR. This is the maximum fine that can be imposed for the most serious infringements, e.g. not having sufficient customer consent to process data or violating the core of privacy by design concepts.
Any information related to a person or ‘Data Subject’ that can be used to directly or indirectly identify that person. It can be anything from a name, a photo, an email address, bank details, posts on social networking websites or medical information to a computer IP address.
No. The GDPR does not require personal data to stay in the EU; however, all companies processing EU personal data, whether inside or outside the EU, must comply with the GDPR.
We recommend taking a look at the guide produced by the Information Commissioner's Office which details a host of useful and detailed information on the GDPR.
If you would like to speak to a member of our team regarding our commitment to security and data protection, please contact us and we will be happy to discuss this with you.