Strikersoft’s Commitment to GDPR
What is GDPR?
The GDPR (General Data Protection Regulation (EU) 2016/679) is an important piece of legislation that is designed to strengthen and unify data protection laws for all individuals within the European Union. The regulation will become effective and enforceable on the 25th May 2018.
Strikersoft is fully committed to achieving compliance with the GDPR.
What is Strikersoft doing regarding GDPR?
We began to dedicate internal resources to the GDPR during the autumn 2017. We did this because we value our customers' and partners' (and their customers' and partners') rights to privacy, and because compliance with and to international law and regulations is very important to us.
Our GDPR Roadmap
Here is a condensed version of our GDPR Roadmap and where we are on our journey:
- Thoroughly research the areas of our product and our business impacted by GDPR - COMPLETE
- Appoint a Data Protection Officer - COMPLETE
- Rewrite our Data Protection Agreements with customers – COMPLETE
- Rewrite our Data Protection Agreements with partners and subcontractors – COMPLETE
- Secure GDPR compliance for Transfer to Third country in line with Recital 101 and 108 – COMPLETE
- Conduct Security Awareness training with GDPR for all Swedish staff – COMPLETE
- Develop a strategy and requirements for how to address the areas of our product impacted by GDPR - COMPLETE
- Perform the necessary changes/improvements to our products and tools based on the requirements:
- SwipeCare - COMPLETE
- SwipeRead - COMPLETE
- SwipeStep/ORDO - COMPLETE
- Automatic include unsubscribe option in each Strikersoft newsletters and marketing email – COMPLETE
- Strikersoft.com website optin - COMPLETE
- Nextcloud - IN PROGRESS
- JIRA – IN PROGRESS
- Implement the required changes to our internal processes, agreements and procedures required to achieve and maintain compliance with GDPR - IN PROGRESS
- Thoroughly test all our changes to verify and validate compliance with GDPR - IN PROGRESS
(being done incrementally as changes are completed)
- Finalize and communicate our full compliance - TO BE ANNOUNCED
(this will be done on our webpage when all work is completed)
What overall changes are Strikersoft making to be GDPR Compliant?
We are taking many steps across the entire company to ensure we will be ready for the GDPR. We are improving anonymity within our products and delivered services, we stick to data encryption for data in rest, dynamic data encryption for data in motion and data depersonalization for specific categories of data and making changes to allow you to tailor how you give consent.
Based on the research conducted by both our inside and outside counsels we are confident these changes will address the requirements of GDPR.
What do Strikersofts’ Customers need to do?
There are two things that you might need to do depending on your situation and jurisdiction. Below are the only impactful changes that we can foresee that might affect you as a result of using Strikersofts’ services or products:
- If you are in the European Union you’ll likely want to sign a Data Processor Agreement with Strikersoft. We’re happy to do so. Working with outside counsels we’ve updated this document to comply with GDPR, the Swedish Patientdatalagen (Patient data act) and other generally acceptable privacy laws.
- You can review a copy of the Annex Data Processing Agreement here. You can fill in your specifics for review by our account responsible. We will then countersign it and provide you with a downloadable copy via email as soon as possible. If you have any questions about its contents simply email GDPR@strikersoft.com.
What is GDPR?
The General Data Protection Act (GDPR) is considered the most significant piece of European data protection legislation to be introduced in the European Union (EU) in 20 years and will replace the 1995 Data Protection Directive as well as PUL in Sweden. It will also impact the Swedish Patient Data Law.
The GDPR regulates the processing of personal data about individuals in the European Union including its collection, storage, transfer or use. Importantly, under the GDPR, the concept of “personal data” is very broad and covers any information relating to an identified or identifiable individual (also called a “data subject”).
It gives data subjects more rights and control over their data by regulating how companies should handle and store the personal data they collect. The GDPR also raises the stakes for compliance by increasing enforcement and imposing greater fines should the provisions of the GDPR be breached.
The GDPR enhances EU individuals’ privacy rights and places significantly enhanced obligations on organizations handling data.
GDPR and PDL
The regulation also contains general rules on when personal data processing may take place in healthcare. It can be mentioned in the context that it is investigated to what extent the rules in the Patient Data Legislation (PDL) need to be adapted to the GDPR's rules. PDL is applied as per the care provider's processing of personal data. Note, however, that PDL contains only specific rules and explanations deemed necessary.
At the end of August 2018, the above-mentioned investigation will be presented. Read more about the investigation at the Swedish governments’ website.
In summary, here are some of the key changes to come into effect with the upcoming GDPR:
- Expanded rights for individuals: The GDPR provides expanded rights for individuals in the European Union by granting them, amongst other things, the right to be forgotten and the right to request a copy of any personal data stored in their regard.
- Compliance obligations: The GDPR requires organizations to implement appropriate policies and security protocols, conduct privacy impact assessments, keep detailed records on data activities and enter into written agreements with vendors.
- Data breach notification and security: The GDPR requires organizations to report certain data breaches to data protection authorities, and under certain circumstances, to the affected data subjects. The GDPR also places additional security requirements on organizations.
- New requirements for profiling and monitoring: The GDPR places additional obligations on organizations engaged in profiling or monitoring behavior of EU individuals.
- Increased Enforcement: Under the GDPR, authorities can fine organizations up to the greater of €20 million or 4% of a company’s annual global revenue, based on the seriousness of the breach and damages incurred. Also, the GDPR provides a central point of enforcement for organizations with operations in multiple EU member states by requiring companies to work with a lead supervisory authority for cross-border data protection issues.
Outside of EU
If you are a company outside the EU, you should still be aware of this. The provisions of the GDPR apply to any organization that processes personal data of individuals in the European Union, including tracking their online activities, regardless of whether the organization has a physical presence in the EU.
If you have any questions, please don't hesitate to contact us at GDPR@strikersoft.com.
Sara Bern, DPO (Data Protection Officer / Dataskyddsombud)