GDPR
What is GDPR (General Data Protection Regulation)?
The General Data Protection Regulation (GDPR) is a European regulation that provides rules for preserving the privacy of personal data for all European Union (EU) citizens, employees, and customers.
"Personal data" means any information relating to an identified or identifiable natural person (a data subject). An identifiable natural person is one who can be identified, directly or indirectly, by
- a name
- an identification number
- location data
- an online identifier
- one or more factors specific to the physical, physiological, genetic, mental, economic, cultural or social identity of that natural person
As of 25 May 2018, all organizations that process or control personal information on EU citizens must follow these privacy regulations. The regulation applies to:
- organizations that have main or branch offices in the EU
- organizations that sell to persons residing in the EU
Organizations found to be out of compliance with GDPR regulations face warnings, reprimands, compliance orders, and potentially significant fines from the supervisory authorities.
Provisions of GDPR
In summary, the GDPR contains the following provisions.
- Purpose-specific and transparent processing. All personal data should be processed for a legitimate purpose and only for that purpose. Organizations must be transparent about what personal data they collect.
- Data minimization. Organizations must collect only the data necessary for the given legitimate purpose and delete the data once that purpose is fulfilled.
- Data subject rights. A person whose personal data is collected – a "data subject" – can request what personal information an organization has about them and what the organization uses the data for. Persons can request organizations correct errors in their data. Persons can also withdraw their consent for the organization to use the data and stop processing based on it. Persons can also ask for their personal data to be deleted.
- Consent. Should an organization wish to expand the use of a person's data beyond the original legitimate purpose for which it was collected, the organization must get clear and explicit consent from that person.
- Personal data breaches. Organizations must maintain a Personal Data Breach Register, and inform local authorities of significant breaches within 72 hours of identifying the breach.
- Privacy by design. New systems and processes should incorporate organizational and technical mechanisms to protect personal data privacy, with these privacy protections implemented as the default. Should an organization consider a significant change to an existing system, the organization could conduct a Data Protection Impact Assessment to ensure the change adheres to the GDPR principles.
- Data protection officer. Should an organization perform a significant amount of processing on personal data, the organization must assign a Data Protection Officer who manages the company's compliance to GDPR. This officer should conduct awareness and training programs to ensure fellow employees remain aware of their responsibilities with respect to the protection of personal data.
Archibus Features Supporting GDPR
Many organizations integrate Archibus into their GDPR compliance program. Archibus contains a significant amount of information on how individual people interact with their buildings and their resources. Archibus's central control makes audits, queries, and updates of personal information straightforward. Archibus also integrates with centralized identity management and other programs in your ERP suite so that you can flow personal information changes and deletions to Archibus automatically.
- Data Security. Archibus includes both user-interface and data-level protection to allow organizations to grant access only to specific types of information, such as personal information, if that access is required for their function. This data protection goes down to a table and field level of granularity.
- Enterprise Information Model. The Archibus Enterprise Information Model keeps all data in sync. With Archibus you can change personal information – such as employee, vendor, contacts and service provider information – in one place, and the Archibus Enterprise Information Model will cascade that change to the hundreds of related tables, data references, and index structures.
- Meta-data Dictionary. All Archibus data is controlled by an over-arching meta-data dictionary, in which you can instantly search for types of data and all references to it. Even if your organization has personalized or extended the Archibus data model, you can quickly find all elements that hold personal information. See GDPR Fields in the Archibus Schema.
- Centralized Identity Management. Archibus provides Archibus Connectors, which integrate Archibus into the information flows of your enterprise. For instance, some organizations centralize updates and deletion requests for personal identity. The Archibus Connectors let you flow these updates and deletions automatically to Archibus. Your own deployment staff, you Archibus Business Partner or Archibus Professional Services can help you configure the Archibus Connectors to conform to your organization's GDPR compliance plan. See Automate GDPR Data Updates Using Connectors.
- Accessible Personal Information. In addition to providing the GDPRScheduledRemoval scheduled workflow rule, Archibus provides forms available from the user interface to access and change personal information. Your organization can use these forms to:
- respond to a person's inquiry as to the information that the organization tracks
- update information a person reports is inaccurate
- delete information from a person exercising their "right to be forgotten," so long as this right does not conflict with the organization's legal obligations for data retention.
See
References
GDPR Full Text – https://eur-lex.europa.eu/legal-content/EN/TXT/?uri=CELEX:32016R0679