What is the GDPR?
GDPR stands for the General Data Protection Regulation. GDPR came into effect on 25th May 2018 as the new European Union Regulation, replacing the Data Protection Directive (DPD) and The UK Data Protection Act 1998. After many years of debate it was approved by the EU Parliament on April 14th 2016 and involves the protection of personal data and the rights of individuals. Its main aim is to ease the flow of personal data and increase privacy and rights for EU residents across all member states.
Who does GDPR apply to and what does it regulate?
The GDPR applies to any organization which processes and holds the personal data of EU citizens and obligates them to abide by the laws set out by the GDPR. This applies to every organization, regardless of whether or not they themselves reside in one of the 28 EU member states. The GDPR aims to regulate how companies “process” personal data, that is, how companies use, store, collect and transfer the data when providing products and/or services to an individual and/or monitoring their behavior.
What responsibilities do organizations have under the GDPR?
Under the GDPR, organizations have to meet several data protection principles whenever they process personal data - including ensuring that their use of personal data is lawful, fair and transparent. Those who do collect personal data are obliged to protect it from misuse and exploitation.
If a data breach does occur, organizations are required under the GDPR to report certain types of breaches to the relevant authorities within a certain amount of time after becoming aware of it.
What is personal data?
Considering technological advancements, the concept of “personal data” has been significantly amended under the GDPR. While it still covers any information relating to an identified or identifiable individual (also called a “data subject”), the definition now includes things such as online identifiers, genetic data and location data.
Does EU personal data have to stay in the EU?
The GDPR does not require EU personal data to stay in the EU, nor does it place any new restrictions on transfers of personal data outside the EU. ServiceMax maintains a data processing addendum which references the European Commission’s model clauses. We will continue to help our customers transfer EU personal data outside of the European Economic Area (EEA).
What are some elements of GDPR that one should be aware of?
The GDPR provides greater rights to individuals in the EU and significantly increases the obligations on organizations. Some key elements are:
Rights: The GDPR provides expanded rights for individuals in the EU such as restriction, deletion, and portability of personal data.
Profiling and monitoring: The GDPR places additional obligations on organizations engaged in profiling or monitoring behavior of individuals in the EU.
Accountability: The GDPR requires organizations to implement appropriate policies, identify where personal data resides, conduct privacy impact assessments, keep detailed records on data activities and enter into written agreements with suppliers.
Security: The GDPR requires organizations to implement technical and organizational controls to secure personal data considering both the cost and nature of technology, including measures such as tokenization and anonymization/de-identification.
Data breach notification: The GDPR requires organizations to report certain data breaches to data protection authorities, and under certain circumstances, to the affected data subjects.
Enforcement: Under the GDPR, authorities can fine organizations up to the greater of €20 million or 4% of a company’s annual global revenue, based on the seriousness of the breach and damages incurred. Several fines have already been levied against large organizations.
Central Data Protection Authority: The GDPR introduces the concept of a lead supervisory authority to allow organizations operating in many EU countries to work with one data protection authority rather than many for matters such as cross-border data protection issues and enforcement.
I would like to find out more about GDPR, where shall I go?
More information about the GDPR can be found by visiting the official EU GDPR website.
The Steps That ServiceMax is Taking
ServiceMax understands that complying with the spirit of the GDPR is a serious responsibility that helps build and retain customer trust. We further understand that significant time and effort has been spent by our customers and prospects to comply with the GDPR themselves. Therefore, compliance with the GDPR requires a partnership between ServiceMax, our suppliers in providing services to support our business, and our customers in their use of our services.
ServiceMax Commitment to Data Protection
ServiceMax is committed to helping our customers attain and maintain GDPR compliance. Since compliance with the GDPR is not a one-time effort, ServiceMax works continuously year-round to ensure adherence to the regulation. Our concept of Security and Privacy by Design is at the core of each product we build. Our commitment is further reflected in the technology partners we have chosen to deliver our products and services. Please visit the following to read more about our cloud service providers’ GDPR commitment, and rest assured that ServiceMax continuously monitors and evaluates its service providers’ compliance with the GDPR:
Amazon Web Services (AWS) Commitment to the GDPR
SalesForce Commitment to the GDPR
At ServiceMax, our commitment to respecting the privacy of our customers goes beyond the GDPR. We fully understand that countries, regions of the world and states within the US are introducing more legislation to ensure that the privacy of their citizens is respected. As such, ServiceMax continues to embrace the principles of Security by Design and Privacy by Design.
Since ServiceMax takes the protection of our customers’ data very seriously, we encourage you to read our approach to Product Security, which describes ServiceMax’s approach to building secure and resilient products with privacy in mind. We also encourage you to review our Certifications and Attestations, which show how our approach aligns with industry standards.