General Data Protection Regulation
The GDPR is the largest change in data protection law since the introduction of the EU Data Protection Initiative in 1995. The aims of the GDPR are simple; improve the security and protection of personal data. The new regulations replace the previous Data Protection Directive and ExpenseIn welcomes this change. Protecting our customer’s data is of the utmost importance to us and ensuring our compliance with the GDPR has been our number one priority.
The GDPR brings a number of significant changes to the previous Data Protection Initiative including, but not limited to, increased territorial scope, stricter penalties for failing to meet the requirements and stronger conditions for consent. In addition, the rights of data subjects have been substantially improved and as a result now have the right to access data, request data be removed and that they be notified within 72 hours of a known data breach.
Chaired by our Data Protection Officer, ExpenseIn has setup a GDPR committee to monitor and assess our ongoing compliance with the GDPR.
We have undertaken a review of all our internal policies and processes as well as supplier and customer contracts to ensure GDPR compliance is maintained throughout.
We have added a number of enhanced security features including two-step authentication, increased system notifications and auditing, and improved password controls.
We have invested in a dedicated training program to ensure that all of our employees have an in-depth understanding of the GDPR and information security best practices.
From our employees to our customers, we have carried out a full data audit in addition to implementing a formal data retention process.
ExpenseIn only engages with suppliers who share our commitment to security and data protection. By working with leading providers such as Amazon AWS and SagePay we ensure that our entire service meets the levels demanded by both the GDPR and our customers.
The GDPR was approved and adopted by the EU Parliament in April 2016 and officially came into force 25th May 2018. Leading up to the deadline, companies inside and outside of the EU have been preparing for the new data regulation.
Companies can be fined up to 4% of annual global turnover for breaching GDPR or €20 Million. This is the maximum fine that can be imposed for the most serious infringements e.g.not having sufficient customer consent to process data or violating the core of privacy by design concepts.
It applies to all companies processing and holding the personal data of data subjects residing in the European Union, regardless of the company’s location.
Any information related to a person or ‘Data Subject’, that can be used to directly or indirectly identify the person. It can be anything from a name, a photo, an email address, bank details, posts on social networking websites, medical information, or a computer IP address.
No, the GDPR does not require personal data to stay in the EU however, all companies processing EU personal data, whether inside or outside the EU, must comply with the GDPR.
We recommend taking a look at the guide produced by the Information Commissioner's Office which details a host of useful and detailed information on the GDPR.
If you would like to speak to a member of our team regarding our committment to security and data protection please contact us and we will be happy to discuss this with you.