How organizations use your personal data has been in the news quite a bit lately. As a nation, we were riveted as Facebook founder and CEO Mark Zuckerberg testified before Congress recently on how the company leverages information derived from the use of its social media platform. There has been blowback, as many people have purportedly ditched Facebook because they don’t trust the company will safeguard personal information.
While in the U.S. we’ve got a hodgepodge of regulations focused on very specific buckets of personal data, the European Union has taken the broader-is-better approach and has been working towards a far-reaching set of new regulations. For those with an international footprint, these four letters have likely been on your mind for some time: GDPR. That stands for the General Data Protection Regulation, and enforcement of GDPR begins on May 25, governing the way businesses treat the data of people living in the EU.
The way Businessolver or any other benefits technology company uses data is vastly different from what Facebook does. The “experience” we’re delivering to members is related to their effective use of their benefits. We’re not trying to influence what they believe, who they vote for, or where they shop for shoes. This data has a very specific use and should only be shared with a closed loop of predetermined vendor-partners.
While Businessolver isn’t an EU business, and we don’t generally have EU employees on our system, we have been monitoring the impact of GDPR as an emerging standard. As a result, we have reviewed our systems and processes and are confident we have the systems and controls in place to comply with these regulations, and to help ensure our impacted customers are complying with GDPR.
If you have employees in the EU, you should discuss GDPR standards with your technology vendor as well as your internal IT and data security resources to ensure you are treating the data of EU citizens appropriately.
These are the processes and safeguards we use here at Businessolver, and we have shared this information with our client base to ensure they feel comfortable with our controls around GDPR compliance. If you need to discuss internally, feel free to share this list with your tech folks.
- We receive electronic consent from all members that use the Benefitsolver web application. The consent is written in clear and plain language, and it is configurable to client requirements so it can align with client language and keep messaging consistent with existing systems.
- We log all access to member data and track imports and exports of information within the application.
- We encrypt confidential data in transit and at rest. This confidential data includes members’ basic identification information and other personally identifiable information.
- We provide clients with multiple processing locations through our geographically diverse data centers located in the United States to ensure availability and integrity of the data in our systems.
- We require all employees to sign confidentiality agreements.
- We have an incident response policy that includes breach notification processes in place to communicate to clients in less than the GDPR 72-hour requirement.
- We have cyber insurance in place and at limits above industry standard for protection in the event of a data misappropriation or breach.
- We issue SOC 1 and SOC 2 audit reports to provide a third-party review of Businessolver’s security practices.
- We perform internal and third-party web application assessments and network penetration testing.
- We follow the Principle of Least Privilege when issuing access rights.
- We have a compliance team which includes a Privacy Officer and a Security Officer, aligning with the GDPR requirement for a Data Protection Officer.
Even without EU employees, the imminent effective date of GDPR is the perfect opportunity for you to ask your benefits administration vendor for a similar run-down of how they are safeguarding your employees’ data. Better to be safe than face a data breach that could have been avoided with some ad hoc due diligence.