- Introduction
The European Union’s (EU) General Data Protection Regulation (GDPR) will come into effect from May 25, 2018. The GDPR is wide-ranging in scope and takes a 21st century approach to data protection. This is because the GDPR gives EU residents greater control over what data is collected and how it is processed and places greater obligations on organisations to be more accountable for data protection.
Movolytics is well aware of its responsibilities and has put in place the right tools and processes to achieve GDPR compliance.
- Our Commitment
We take very seriously our responsibility to process employee tracking data in a safe and secure manner. We understand Data Controllers (our customers) trust us with their data and that’s how we want to keep things. We have thoroughly reviewed and updated our processes to achieve GDPR compliance across all our services, well in time before the regulation comes into effect. Here are some of the initiatives we have undertaken to ensure we are compliant with the GDPR:
Data Breach Response Plan: We have developed robust data breach detection, investigation and reporting procedures. We have identified and catalogued information assets that hold different levels of personal data and have put into place measures to minimise the risk of this data being breached. Our staff have been trained to identify both accidental and deliberate data breaches. We have put into place measures to minimise the risk of accidental data breaches.
Privacy by Design: When developing new products or upgrading existing products we use ‘Privacy by Design’ as our guiding principle. By adopting this approach to data security we have been able to embed privacy and data protection features into the very design of our products, rather than bolting them on as an afterthought.
Visibility and Transparency:
The GDPR states that data controllers are solely responsible for defining legitimate purpose(s) for collecting and processing data. However, we have developed a framework that our clients can use to verify whether they have established a lawful basis for collecting and processing data.
Data Privacy and Security Culture: Our Data Protection Officer (DPO) works closely with employees to promote continuous awareness of data security and privacy related issues. This is vital for maintaining continual compliance to the GDPR. We have put into place measures to check that suppliers up and down the value chain are compliant with the GDPR.
- What does this mean for our you?
A key part of the GDPR is to ensure data is collected, processed and used lawfully. We understand that as Data Controllers, you will be investing considerable time and effort in ensuring their organisations achieve GDPR compliance. As a data processor, we want to help you make your process as seamless as possible, so that you don’t have to worry about compliance and can focus more on running your business. Some of our product features that will make it easier for you to achieve compliance are:
Access Controls: Data Controllers can determine which users are permitted to access their data and their precise level of access, creating a username and initial computer-generated password which must be changed at first login. The customer can add or remove users, change access levels and determine other factors such as password strength and password duration.
Encryption: data created by our on-board telematics devices is transmitted in tiny GPRS packets across our private VPN network. All data sent is encrypted when sent from vehicle to our servers.
Data Collection and Processing: Our telematics devices only collect information in accordance with the instruction of the data controllers. Movolytics data and data processing takes place on our secure Amazon (AWS) Cloud servers, located in the EU.
If you are just getting started with GDPR compliance in your organization, here’s a quick checklist of things you need to do to:
Step 1: Establish an Accountability and Governance Framework
Assign a director with accountability for the GDPR.
Incorporate data protection risk into the corporate risk management and internal control framework.
Step 2: Conduct Data Inventory and Data Flow Audit
Assess the categories of data held, where it comes from and the lawful basis for your processing.
identify the risks in your data processing activities
Establish and Conduct Data Privacy Impact Assessment (DPIA)
Step 3: Gap Analysis
Audit your current compliance position against the requirements of the GDPR.
Identify compliance gaps requiring remediation.
Step 4: 3 Ps – Policies, Procedures and Processes
Create a record of personal data processing activities drawn from the data flow audit and gap analysis.
Bring data protection policies and privacy notices in line with the GDPR.
- Key Terms
Cloud Servers cloud server may also be called a virtual server hat is built, hosted and delivered through a cloud computing platform over the Internet
Data Controller
This is the Contracting Entity (fleet operator) entering into the contract with Movolytics and on whose instruction the Service is provided
GPRS
GPRS (General Packet Radio Service) is a packet-based wireless communication service that enables devices to send and receive data more rapidly.
VPN
VPN (virtual private network) is an arrangement whereby a secure private network is achieved using encryption over a public network, typically the Internet.
