Statement of GDPR Compliance
What to expect and how to best prepare for the EU General Data Protection Regulation.
As of May 25, 2018, the European Union (EU) will begin enforcing its General Data Protection Regulation (GDPR) framework. Companies that don’t comply with GDPR could face fines of up to 4% of annual global turnover or €20 Million.
At Spectrum, trust is one of our core values. As such, we take the security, privacy, and integrity of your users' data very seriously. Under EU guidelines, our intelligent Community Health Management platform is classified as a data processor. We've diligently prepared for the implementation of GDPR and the protection of user data by working with industry experts, consultants, and corporate law firms to ensure we and our customers are ready for GDPR.
GDPR was established by the EU to provide users more control over their data and online privacy. GDPR will replace the Data Protection Directive 95/46/EC and is designed to harmonize data privacy laws across Europe, protect and empower EU citizens, and reshape how global organizations approach data privacy. GDPR applies to all companies that collect EU citizen data, regardless of whether they're physically present in the EU. The regulation is designed to increase accountability for both data controllers (companies that collect personal data) and data processors (companies like Spectrum that process personal data).
Per the GDPR framework, personal data refers to:
...any information relating to an identified or identifiable natural person (‘data subject’); an identifiable natural person is one who can be identified, directly or indirectly, in particular by reference to an identifier such as a name, an identification number, location data, an online identifier or to one or more factors specific to the physical, physiological, genetic, mental, economic, cultural or social identity of that natural person.
GDPR is a new and complex piece of legislation: it has many moving parts. As such, some sections are up for interpretation. However, the fundamental intent of the regulation is clear: companies must work to minimize data utilization (where applicable), increase transparency, and adhere to strict security and privacy standards.
Important GDPR Requirements
The main GDPR requirements for transparency include the following:
- Breach Notification. If a data breach occurs, and is likely to "result in a risk to the rights and freedoms of individuals," Spectrum will notify its data controllers (our clients) without undue delay, as required by GDPR.
- Right to be Forgotten. Also known as the "Right to Erasure," data subjects can request that their personal data be erased. However, exceptions do exist, as data controllers have the right to weigh said subjects' rights to erasure against "the public interest in the availability of the data." In this situation, we highly recommend you consult your legal team to determine how they define "public interest." In the event Spectrum receives a user's Right to be Forgotten request, we will assist the controller in complying with that request.
- Right to Access. Data subjects can request confirmation as to whether their data is being processed, in addition to where and for what purpose(s). Data controllers are expected to provide said subject an electronic copy of his/her personal data, at no expense to the user.
- Data Portability. Data subjects have the right to request and receive the personal data they have provided to data controllers in a structured, commonly used, and machine-readable format. Data subjects can also request that controllers transmit this data directly to other controllers.
Are Spectrum and its offerings GDPR compliant?
Spectrum Labs, Inc. has implemented, and continues to develop, new processes and improved technologies to address the aforementioned statutes, in addition to other GDPR criteria. We are committed to GDPR compliance and continuously strive to fulfill the data and privacy requirements contained within the EU's General Data Protection Regulation (GDPR).
Please Note: We are not GDPR specialists and can't offer legal advice. If you have questions about GDPR, we strongly recommend you contact, and work with, your own experts, lawyers, consultants, et al. for advice relating to your unique situation.
The entire GDPR legislation can be viewed here.