The European Union has taken steps to protect the fundamental right to privacy for every EU resident with the General Data Protection Regulation (GDPR) effective from May 25, 2018.
EU residents now have greater say over what, how, why, where, and when their personal data is used, processed, or disposed of. This rule clarifies how the EU personal data laws apply even beyond the borders of the EU. Any organisation that works with EU residents' personal data in any manner, irrespective of location, has obligations to protect the data.
En Route have taken all the necessary steps to provide the right tools and processes to support our employees and customers to ensure we meet the GDPR mandates.
En Route’s Commitment
At En Route, we have always honoured our customers' right to data privacy and protection. We do not rely on direct marketing as a revenue stream. This means that we have no necessity to collect and process users' personal information beyond what is required for us to supply and maintain the products and services we provide.
Over the years, we have demonstrated our commitment to data privacy and protection by only sharing essential information both internally and externally to ensure our customers receive the highest level of service.
En Route, preparing for GDPR
We have worked closely with internal teams and external vendors to ensure all our systems and processes are GDPR compliant across all platforms. As a data controller and processor, we have thoroughly analysed the GDPR requirements and have put in place a dedicated internal team to drive our organisation to meet them. Some of our ongoing initiatives are:
- Identifying personal data - Each of our applications undertakes a different level of personal data collection, usage, storage and disposal. Defining the purview of personal data for each of these applications and documenting the various sources of data will go a long way in providing a roadmap for compliance in the days leading up to implementation.
- Providing visibility and transparency – One of the important aspects of GDPR is how the collected data is used. As a data controller and processor, we are required to provide our customers access to effectively manage and protect their personal data. We are making product enhancements without compromising on performance so that we can provide better transparency to our customers.
- Enhancing data integrity and security - Data privacy and data security are two sides of the same coin. As our customers and suppliers tighten their data security measures, we would like to extend a helping hand. We're streamlining the processes for our applications by implementing IT policies and procedures that provide end-to-end security.
- Portability and transferability of data - GDPR gives end users the right to either receive all the data provided and processed by the controller or transfer it to another controller depending on technical feasibility. With this new right in mind, En Route is working on further enhancing its data exporting capabilities to enable export even at the individual level.
- Data retention and erasure – We have updated our retention policy and schedule to ensure we meet the GDPR principles. We have documented erasure procedures to ensure we are compliant with ‘your right to erase’ obligations along with exemptions, response times and notification responsibilities.
- Obtaining Consent – We are revising all areas of communication and literature to ensure individuals understand what they are providing, why we need it and how it will be used. We have developed a stringent process for recording consent and the ability to easily recall consent and have the data destroyed.
- Data Protection Impact Assessment - Where we process personal information that is considered high risk, we have developed stringent procedures and assessment templates for carrying out impact assessments that comply fully with the GDPR’s Article 35 requirements. We have implemented documentation processes that record each assessment, allow us to rate the risk posed by the processing activity and implement mitigating measures to reduce the risk posed to the data subject(s).
- Processor Agreements - Where we use third parties to process personal information on our behalf (e.g. payroll, recruitment, engineering, etc.), we have drafted compliant Processor Agreements and due diligence procedures for ensuring that they (as well as we) meet and understand their/our GDPR obligations. These measures include initial and ongoing reviews of the service provided, the necessity of the processing activity, the technical and organisational measures in place and compliance with the GDPR.
En Route have a designated GDPR compliance officer to oversee and take responsibility for all GDPR-related activities across the organisation. We understand that continuous employee awareness and understanding are vital to continued compliance with the GDPR and will continue to involve all our employees in our preparation plans.
If you have any questions about our preparation for the GDPR, please contact firstname.lastname@example.org