GDPR, the General Data Protection Regulation, is a much-discussed issue at the moment. Not because it is a new European regulation (it has been effective for two years), but because the Data Protection Authority starts enforcing this regulation as of May 25. How has Cygnific prepared for it, being the organisation that processes customer information of KLM, Air France, Delta Airlines, Air Miles and Hudson’s Bay every day?
Precisely because of that daily processing, our digital infrastructure was designed from the start to protect that data, which is known as privacy by design in GDPR terms. However, the new GDPR puts even more focus on data security. Although Cygnific does not process sensitive personal data such as race, religion and sexual orientation, we do use personal data, such as name, address and bank account number. Although our clients are the owners of the data, it is our responsibility to process it safely.
Data security check
To make sure all back doors are locked, we have our system tested twice a year via a so-called penetration test. We basically tell the testers: ‘try us, see how far you get’. To be ready for GDPR, we asked an external party to check our data processing to see to what extent we are compliant with the regulation. The outcome showed that Cygnific is virtually compliant, but that certain things could be improved.
Compliant today is not necessarily compliant tomorrow
Sitting back and relaxing once you are compliant is fooling yourself. The world changes constantly, so we have to keep checking our systems. In order to stay GDPR compliant, we set up processing records, in which all our data processing is recorded, so that we can always show what happens with our data.
Our advice: do not panic
If you have not yet started making your company GDPR compliant, there is no need to panic. Do not hesitate, and start right away by setting up a project team or programme that will lead to compliance with the regulation. Study the regulation carefully, have a close look at your business processes and select an external party to manage this, if necessary.