In 2015, the EU launched the new “General Data Privacy Regulation”. This enters into force from May 25, 2018 and every company operating in one or more of the 28 EU member countries must abide by this regulation. As such, this will have a big impact on how companies handle of personal data.
Vanderbilt operates in a majority of EU’s 28 countries and processes all data in private and public cloud suppliers in the EU and USA. Therefore, the GDPR compliance is an important issue.
Data protection concept
Since the beginning of 2017, Vanderbilt has initiated several activities to comply with this new adjustment. As the EU regulation highly depends on the old German Data Protection regulation, Vanderbilt enlarged their already existing protection processes in Germany, and began to roll these out to offices in other European countries.
Vanderbilt assigned a Data Protection Officer on July 1, 2017. Until May 2018, to primarily develop and implement a data protection concept. This includes obtaining general agreements with all external suppliers to obligate them to store the relevant data and to operate according to the GDPR. Part of Vanderbilt’s agreement with suppliers is to get a list of third countries that might store data. Mostly, using the Vanderbilt’s GDPR compliant agreement for the commissioned data processing. If a supplier proposes their own agreement, Vanderbilt carefully checks the content to ensure that all GDPR requirements are reflected.
In the last broad cyberattack, Wannacry, Vanderbilt and selected providers could not report any violation of data usage
A special area of focus is Software-as-a-Service products such as Vanderbilt’s ACT365 and SPC Connect. These solutions must also comply with the new regulation. As Vanderbilt operate and store personal data from customers, the company emphasises on the security and encryption of the processed data, the storage time of data, and the design of the privacy and data protection.
The actual GDPR will not be the final version as there are further needs yet to be addressed. For instance, the new obligation to inform the authorities about data privacy or security violations is on the right track, but it is not clear when an incident must be reported. Companies still have different interpretations of what is a serious or harmless incident.
To summarise, Vanderbilt are certainly on the right track but still have more to do. However, in the last broad cyberattack, Wannacry, Vanderbilt and selected providers could not report any violation of data usage.