What is the GDPR?
The GDPR or General Data Protection Regulation has been in the works for a long time and was drawn up by the European Union. It strengthens the data rights of EU residents and harmonizes data protection law across all member states. The GDPR replaces the EU Data Protection Directive (aka Directive 95/46/EC), a EU directive that had been in place regarding data protection since 1995.
The GDPR comes into force from 25 May 2018.
So who does the GDPR apply to?
In short, GDPR applies to almost every organisation. If your organizaton control or process personal data relating to EU residents - whether they're customers or your own staff and whether they are based in EU or outside - you will have to do so in a way that complies with GDPR.
Depending on your role in collecting or processing that data, the regulation will view you as either a data controller or a data processor.
What are data controllers and data processors?
A data controller defines the terms (how and why) of data processing, but does not necessarily carry out these activities themselves. That means they might contract a third party to collect and process data
A data processor is the third party that performs the actual data collection and data processing. It's the controller's job to make sure the processor complies with data protection law, while processors must maintain records of their processing activities to prove they abide by rules. If a processor breaches GDPR, it must notify its controller immediately, and the controller will still be liable for financial penalties if their processor breaches the rules.
Is eMudhra GDPR ready? What do I need to do to do about GDPR if I am using eMudhra’s platforms?
eMudhra is GDPR ready. If your company determines that you are subject to the GDPR and you do not yet have in place an updated data processing addendum (DPA) with us, please review and complete the instructions on our DPA.
What steps has eMudhra taken to make sure its platform is able to enable its customers to comply with the GDPR?
As part of our GDPR compliance, we try and minimize the personal information that we collect from you. Our systems are designed in such a way that personal data never leaves the environment we manage or control. Moreover, personal data across our systems is treated with utmost sensitivity and only those individuals that are authorized and need to have access are provided access.
There are several improvements that have been done to our platforms to prepare for GDPR. These include
- Use of encryption or hashing techniques wherever possible to store personal data
- Splitting user records in such a way that easy identification of a particular individual is not possible
- Putting in place systems to be able to process data subject requests in a timely manner
eMudhra is an ISO 27001 and CMMI Level 3 certified company both of which are internationally recognized industry standard accreditations which cover information security and software development best practices.
Does eMudhra assist its customers with Data Subject Requests?
Yes. eMudhra may already have inbuilt features within its platforms that can help you satisfy a data subject request. For other data subject requests, you may write to firstname.lastname@example.org.
If we determine that a data subject request we receive directly relates to data about your users or the individual has let us know that they believe you hold data about them, we will attempt to notify you prior to responding to such request. Please contact us at email@example.com with any questions.