At AAC Global we take our customers’ privacy seriously and for this reason we have made preparations to meet the EU General Data Protection Regulation (GDPR) standards on schedule. To prepare for GDPR, we have carried out several updates to our systems, documented our processes, trained our people and ensured in several other ways that our ways of working meet GDPR standards.
In this article, we will cover a few of the most important actions and changes AAC Global has taken to be ready for GDPR.
1. But first, what is GDPR?
The GDPR, or General Data Protection Regulation, is an EU regulation on the data protection and privacy of all individuals in the EU. As GDPR is a regulation, it is something that all companies, organizations, etc. must follow. It does not require national governments to pass any enabling legislation (as an EU directive does) and is directly binding and applicable.
GDPR was adopted on April 27, 2016, and after a two-year transition period it becomes enforceable from May 25, 2018 onwards. GDPR replaces the Data Protection Directive of 1995.
2. How have we prepared for GDPR?
2.1 We carried out a privacy impact assessment to audit our systems and ways of working
One of the key actions we took in our GDPR preparations was to have a privacy impact assessment (PIA) carried out by an external privacy expert, Privaon. In the two-day PIA workshop sessions, we went through what data we gather in our marketing and customer relationship management systems and registries, established how we use it, and identified how we can ensure that we meet GDPR standards. After the workshop with Privaon, we put the PIA framework into practice and analyzed all the remaining systems and registries we use according to the same principles.
The major finding of the PIA was that while our ways of working and methods met industry best practices, our documentation needed to be updated in some areas.
2.2 We updated our documentation about personal data processing
After the PIA workshops, we made a concrete action plan for updating all the documentation which describes how we manage our personal data processing, how the information flows between the systems, and how it is deleted.
2.3 We ensured that the information can be deleted from our systems and set up automated processes for data deletion
AAC manages and processes personal data in several registries. Ensuring that personal information can be deleted or anonymized at will, and by automated processes 24 months after the last activity, was by far the biggest development in our GDPR preparations. The actions to this end started at the beginning of 2017 and were completed in April 2018.
However, this process not only enabled us to meet GDPR standards, but also helped us to develop our systems and ensured that we can better serve our customers’ needs.
2.4 We updated our privacy & cookie policies
To ensure that our ways of managing and processing personal data are as transparent as possible, we updated our privacy and cookie policies. The updated documents now have a table of contents for easier reading, and they cover in detail how we manage, process and use personal data and how our customers can exercise their rights to view, update or delete their data, or to be forgotten.
Additionally, because GDPR asks for transparency and ease of access, we ensured that our privacy and cookie policies are available in all the languages AAC uses in its operations: English, Finnish, Swedish and Danish.
2.5 Contracts with our vendors outside the EU
Due to the nature of our business, we sometimes use vendors located outside the EU for translation, but never without the customer’s consent. In our GDPR preparations we have gone through all our vendor contract documentation and updated it to be in accordance with GDPR standards.
We require all our vendors to agree to a GDPR-compliant contract to work with us.
2.6 GDPR training for employees
To ensure that all our employees are familiar with GDPR and the changes it will bring to managing and processing personal data, we will give all our employees training in GDPR.
Everyone in AAC Global, no matter their role or seniority, will go through the e-learning course and familiarize themselves with GDPR requirements and with how to manage and ensure the safety of our customers’ personal data.
3. In summary
At AAC Global, we take our customers’ privacy seriously. The actions and changes described above, together with many other minor updates, have ensured that as of May 25, 2018, AAC Global is compliant with GDPR standards.
Besides the GDPR-related changes, at AAC Global we are proactively developing our systems, technical solutions, processes and working methods, and training our employees, to ensure the security of information and data. Our systems, services, processes and technical environments are audited on a yearly basis by customers and external parties to ensure that information security and privacy are being properly handled.