SilkRoad Technology Statement on GDPR
You may have heard about the new European Union General Data Protection Regulation (GDPR), which goes into effect May 25 2018. Because SilkRoad handles and processes both employee personal and work data for you, we are committed to ensuring that you have what you need to stay compliant with this impending regulation.
The GDPR updates and replaces the EU Data Protection Directive (95/46/EC) adopted in 1995. The update was overdue: information technology, privacy and data security have changed enormously over the intervening 22 years.
What do you need to know about how SilkRoad, as a data processor, partners with you to ensure compliance with GDPR requirements? This short document provides an overview of information and general guidelines around the requirements for the General Data Protection Regulation (GDPR) initiative. We’ll advise customers as we update these FAQs over the next year.
When does the GDPR go into effect?
The General Data Protection Regulation (GDPR) is an EU regulation which goes into effect on May 25, 2018. It replaces the 1995 Data Protection Directive and the national laws that implemented it (such as the UK Data Protection Act 1998), which currently govern how SilkRoad processes customer personal data.
Why was GDPR needed?
The GDPR was created to bring data protection law up to date with evolving technology. Its primary focus is strengthening the rights of individuals over how their personal data is processed and protected.
How is it different from the 1995 EU Data Protection Directive?
Many of the GDPR’s main concepts and objectives are very similar to those found in the Directive and the Data Protection Act, but with enhanced elements and a greater emphasis on accountability, i.e. on how organizations demonstrate their compliance.
What enhancements will affect data privacy and protection agreements SilkRoad offers?
- Penalties Increased – Fines for the most serious infringements (for example, unlawful processing or unlawful international transfers) rise to €20 million or 4% of annual worldwide turnover, whichever is higher. A breach must be reported to the supervisory authority within 72 hours of becoming aware of it where required; failing to do so falls in the lower tier of fines, up to €10 million or 2% of annual worldwide turnover.
- Consent – Consent to process data must be “freely given, specific, informed and unambiguous”. Consent must be provided by clear affirmative action with “explicit” consent required for sensitive personal data.
- Right to be Forgotten – Individuals can request deletion of their personal data in certain situations.
- Data Processors – Organizations which process or hold personal information on behalf of a controller now have direct statutory obligations of their own, rather than obligations flowing only through their contract with the controller.
- Children – Special protections are mandated for children’s personal data with new rules for consent.
- International Transfer – Special restrictions are mandated on transfer of personal information outside the EU to ensure protections afforded by the GDPR are not undermined.
- Subject Access Requests – Organizations will generally no longer be able to charge a fee for dealing with a request (unless it is manifestly unfounded or excessive), and the response will need to be provided within one month (currently 40 days under the UK Data Protection Act), extendable by a further two months for complex or numerous requests.
- Accountability – Organizations will need to implement data protection “by design and by default” and be able to demonstrate compliance; clear and detailed privacy notices will need to be in place to inform individuals about the legal basis for processing their data and how it is processed. In addition, data retention schedules need to be in place for compliance.
What additional actions will SilkRoad take?
In addition to the strides SilkRoad is making to become fully GDPR compliant, we are evaluating outside security vendors to assist in performing a gap analysis on current policies and business practices versus GDPR requirements. The results of the gap analysis will be used to complete the GDPR roadmap.
Where can I go for further information?
Further information will be made available as necessary as we continue the process of ensuring SilkRoad is fully compliant for GDPR.
For further information related to the GDPR regulation:
Overview of the GDPR (Information Commissioner’s Office)