Workplace Options’ Compliance with the European Union’s New General Data Protection Regulation (GDPR)
A Message to our Clients
On May 25th, 2018, a new law affecting European Union (EU) citizens’ data privacy came into effect. This regulation known as the General Data Protection Regulation (GDPR) will require compliance for all businesses that serve individuals from EU countries.
As a global provider of employee wellbeing services, Workplace Options’ executives, security professionals, and legal team have been hard at work enhancing our current policies and procedures to ensure completion and deployment of all changes.
On this page is some relevant information that explains our process for ensuring compliance and protecting the personal information of those we serve.
We have prepared a resource, which is available here, that contains a variety of information about GDPR and the related work that we have done.
If you have any concerns or questions about the GDPR or how Workplace Options has prepared for the changes, please feel free to contact us at firstname.lastname@example.org.
The European Union (EU) passed the current data privacy regulation known as GDPR (General Data Protection Regulation) on April 14th, 2016. GDPR replaces the Data Protection Directive 95/46/EC. The regulation is designed to protect and empower EU citizens’ data privacy anywhere they may be in the world, and to guide organizations in the protection of personal information.
GDPR widens the scope of personal information protection for EU citizens, and increases fines for organizations that are not compliant with the new regulation. Finally, GDPR enhances the rights of EU citizens to control the data that has been collected about them.
On May 25th, 2018, the GDPR came into effect and became enforceable.
Key Components of GDPR
The employee wellbeing industry needs to respond to this law to continue to serve clients throughout the EU. Growing data security, regulations, and rules ultimately mean enhanced client personal information security. The GDPR includes a set of rights for individuals:
- The right to be informed
- The right of access
- The right to rectification
- The right to erasure
- The right to restrict processing
- The right to data portability
- The right to object
- The right not to be subject to automated decision-making including profiling
Here are some of the fundamental requirements of the new law:
- Individuals will have complete control over how they want or do not want their personal information being used.
- Individuals will have a new series of personal data rights to solidify that they are in control of their own information.
- Businesses will need to disclose a request verbally, through text, or by some form of electronic document for individuals to provide or deny permission of the business to handle their personal information in compliance with the new law.
- If a breach of personal information occurs, businesses will be required to report the breach within 72 hours or face a fine based on percentage of global revenue.
Workplace Options has always been committed to data privacy and confidentiality of our customers and end users. To demonstrate that commitment, in 2016, Workplace Options became ISO 27001:2013 certified. Early last year, Workplace Options embarked on a project to analyze its global business operations in relation to GDPR. This analysis has ensured that all of our processes provide the proper data controls and offer EU citizens the greatest level of comfort about the information we collect on their behalf.
Strengthening data privacy and security rules is an ongoing and active endeavor within our organization. Workplace Options, beginning in 2012, added unique design elements into its technology systems to allow them to adapt to a variety of anticipated changes and potential new requirements. With UCMS, our proprietary case management system, we have the ability to store member private information in the EU, or in any country, that has a similar local storage requirement.
Workplace Options has completed business operations flow documentation and analysis on each of our service centers globally. This self-analysis examines what information we collect about citizens, how we process that information, and where that information is stored. In order to ensure our compliance, Workplace Options has established a dedicated group of individuals whose members are from the security, legal, and executive teams, as well as each operational department head within the organization. This step is a key element of GDPR and a complex undertaking we perform to protect the personal information of those we serve.
Furthermore, Workplace Options has been proactive in maintaining required certifications. Workplace Options was certified under Safe Harbor, and is now certified under both the EU-US and Swiss-US Privacy Shield Frameworks and ISO 27001:2013. In addition, Workplace Options is a member of the International Association for Privacy Professionals. Workplace Options also has model clause contracts with partners and affiliates who process data on our behalf. All Workplace Options contracts and data sharing agreements are constantly being reviewed and updated to ensure they meet the standards of GDPR.
12 Steps to Compliance with GDPR
Member states of the EU have set out to define guidelines for compliance with GDPR. Below are the 12 steps they recommend an organization should take to ensure compliance with GDPR. We have included, with each step, information about Workplace Options’ response.
“You should make sure that decision makers and key people in your organisation are aware that the law is changing to the GDPR. They need to appreciate the impact this is likely to have.”
– Workplace Options has a dedicated team representing security, legal, executive, and each operational department head within the organization. This group has worked towards GDPR compliance, and continues to work on education and operational success. We have also hired external counsel, both to guide the changes, and audit them independently for compliance.
2. Information you hold
“You should document what personal data you hold, where it came from and who you share it with. You may need to organise an information audit.”
– Workplace Options’ proprietary case management system, UCMS, is used for internal processing. We fully document how we receive personal information: through email, telephone, website, mobile application, etc.; where and how we store the received personal information: secure location in an EU UCMS database; and who we share it with: partners and affiliates, data subjects, etc.
3. Communicating privacy information
“You should review your current privacy notices and put a plan in place for making any necessary changes in time for GDPR implementation.”
4. Individuals’ Rights
“You should check your procedures to ensure they cover all the rights individuals have, including how you would delete personal data or provide data electronically and in a commonly used format.”
– Workplace Options is aware of individual rights, and is in compliance with supporting our customers and end users. In 2016, Workplace Options became ISO 27001:2013 certified. Our case management system, UCMS, currently has capabilities to delete personal information and provide data electronically and in a commonly used format. Workplace Options is also ISO 9001 certified, as evidence of a commitment to quality and process.
5. Subject access requests
“You should update your procedures and plan how you will handle requests within the new timescales and provide any additional information.”
– Workplace Options has designed and implemented a Protected Health Information Tracker (PHI Tracker). Our PHI Tracker follows the entire personal information request and delivery process. Relevant information to ensure compliance includes: when the request comes in, grounds of the request, who requested it, delivery, and timeframes.
6. Lawful basis for processing personal data
“You should identify the lawful basis for your processing activity in the GDPR, document it and update your privacy notice to explain it.”
– Workplace Options supports individuals’ wellbeing needs. We need access to personal information to provide meaningful and impactful services to our members.
“You should review how you seek, record and manage consent and whether you need to make any changes. Refresh existing consents now if they don’t meet the GDPR standard.”
– Workplace Options requests consent verbally, and acknowledgement of that is maintained within UCMS, our case management system.
Organizations that offer or provide services to children should have “systems in place to verify individuals’ ages and to obtain parental or guardian consent for any data processing activity.”
9. Data breaches
“You should make sure you have the right procedures in place to detect, report and investigate a personal data breach.”
– As a part of our ISO 27001:2013 certification, Workplace Options has procedures in place that explain in detail everything that will take place if a personal data breach occurs, including detection, reporting, and investigation.
10. Data Protection by Design and Data Protection Impact Assessments
“You should familiarise yourself now with the ICO’s code of practice on Privacy Impact Assessments as well as the latest guidance from the Article 29 Working Party, and work out how and when to implement them in your organisation.”
– Workplace Options has completed a Data Protection Impact Assessment (DPIA). The DPIA assesses the necessity and suitability of how we process data. This allows us to make any necessary change in a timely manner.
11. Data Protection Officers (DPOs)
“You should designate someone to take responsibility for data protection compliance and assess where this role will sit within your organisation’s structure and governance arrangements. You should consider whether you are required to formally designate a Data Protection Officer.”
– Workplace Options has assigned a team of individuals who are taking responsibility for assessment and compliance with GDPR. In addition to our chief security officer, we have designated a DPO.
“If your organisation operates in more than one EU member state (ie you carry out cross-border processing), you should determine your lead data protection supervisory authority. Article 29 Working Party guidelines will help you do this.”
– Workplace Options uses France as our lead data protection supervisory authority.
Our team at Workplace Options worked diligently to appropriately update our consent requirements to meet the GDPR changes. It is an organizational priority to ensure that each individual we serve has proper information about the rights that GDPR provides to them. We are also committed to providing a transparent and efficient mechanism for EU citizens to request access to their information for review, correction, and deletion.
As additional relevant information becomes available, we plan to update this page accordingly.
Workplace Options GDPR Compliance Template
Workplace Options used a combination of the ICO checklist, found at https://ico.org.uk/for-organisations/resources-and-support/data-protection-self-assessment/controllers-checklist/, the ISO27001:2013 standard, the Privacy Shield assessment by the Federal Trade Commission of the United States, and the ISACA DPIA assessment template to determine compliance with GDPR.
These assessments combined, covered all aspects of the GDPR that went into effect 25 May 2018. The areas covered include the following:
- Data Security Management
- Information Security Technical Controls
- Choice and Consent
- Legitimate Purpose Specification and Use Limitation
- Personal Information and Sensitive Information Life Cycle
- Openness, Transparency, and Notice
- Individual Participation
- Monitoring, Measuring, and Reporting
- Preventing Harm
- Accuracy and Quality
- Security Safeguards
- Third-Party and Vendor Management
- Breach Management
- Security and Privacy by Design
- Free Flow of Information and Legitimate Restriction
A variety of EU-based groups have each put together separate guides that include suggestions to help organizations remain compliant. To see their respective materials, follow the links below:
- ICO GDPR Guide
- DLA Piper GDPR Guide
- Commission Nationale de l’Informatique et des Libertés GDPR Guide
- ICO 12 Steps to Take Now
- European Commission GDPR Guides
Note: quotes above are attributed to ICO’s “Preparing for the General Data Protection Regulation (GDPR) 12 steps to take now, cited here: https://ico.org.uk/media/1624219/preparing-for-the-gdpr-12-steps.pdf