GDPR Guide: What You Need to Know About EU Data Privacy Law

Overview

On May 25, 2018, a new European privacy law, called the General Data Protection Regulation (GDPR) will take effect in the European Union (EU). The GDPR is designed to give EU citizens more control over their data, strengthening their right to access personal data relating to them and seeks to unify data protection across Europe under one comprehensive law. Hippo CMMS has put together this GDPR Guide to help you understand the basics of the new Regulation and what we are doing to comply.

What is the GDPR?

The EU General Data Protection Regulation (GDPR) replaces the 1995 EU Data Protection Directive. GDPR requirements apply to each member state of the European Union, aiming to create more consistent protection of consumer and personal data across EU nations. Some of the GDPR’s key privacy and data protection requirements include:

• Requiring organizations to obtain consent from data subjects for processing of his or her personal data
• Anonymizing collected data to protect privacy of data subjects
• Clear, concise, transparent communication relating to the processing of personal data relating to the data subject
• Requiring organizations to provide communication and notification of data breaches to data subjects

Who does GDPR apply to?

GDPR applies to all organizations holding and processing EU resident’s personal data, regardless of geographic location. The collection, use, disclosure, or disposal of data, are “processing” activities under the GDPR. Under the GDPR, an organization is operating as a “data controller” or “data processor”. A “data controller” determines how personal data will be processed. A “data processor” carries out processing activities on behalf of the data controller.

What is personal data?

Personal data is defined as information relating to an identified or identifiable natural person (‘data subject’). An identifiable person is one who can be identified, directly or indirectly, in particular by reference to an identifier such as – name, email address or location, and also online identifiers like IP address, types of website cookies and other device identifiers.

Hippo CMMS GDPR commitment

Across all Hippo CMMS services, we are committed to our customers’ success, including compliance with the GDPR and EU Data Protection laws in general. Hippo CMMS will be fully compliant with these new regulations by the statutory deadline to ensure that all of our customers and prospects in Europe enjoy the full protections afforded by the new laws.

What has Hippo CMMS done?

We have taken many steps across the entire company to ensure we will be ready for the GDPR.

• We have reviewed the requirements of the GDPR and will be implementing steps to ensure the way we collect, store and process personal data is compliant to the new regulations.
• We have reviewed and updated our privacy policy and cookies policy to help ensure that your data is handled appropriately across all Hippo CMMS services. Please see our Privacy Policy and Cookies Policy for more details.
• We have also reviewed the policies of our subprocessors that handle our customers’ personal data to the applicable data management, security and privacy standards required under GDPR. Please see Hippo Data Sub Processors
• We have ensured Hippo staff that access and process Hippo customer personal data have been trained in handling that data and are bound to maintain the confidentiality and security of that data.
• Where we are transferring data outside of the EU, committing to appropriate data transfer mechanisms as required by GDPR.

Aspects of the GDPR at Hippo CMMS

Below is a list of the key rights of an individual under the GDPR, that Hippo CMMS will support through our GDPR compliance:

• A right of access to data – individuals can obtain personal data concerning him or her
• A right for the correction of data where inaccuracies have been identified – individuals can request rectification of inaccurate personal data and the completion of incomplete personal data
• A right to require the erasure of personal data – individuals can request to erase their personal data
• A right to prevent direct marketing – individuals can object to the processing of personal data concerning him or her, that is used for the purposes of direct marketing
• Control over automated decision making profiling – individuals can object to automated processing, including profiling, which produces legal effects concerning or significantly affects him or her
• A right to data portability between controllers – individuals can request and receive their personal data in a structured, commonly used, and machine-readable format, and have the right to transmit that data to another controller