The European Union (EU) General Data Protection Regulation (GDPR) came into effect on 25 May 2018 and unified the EU member states' approach to protecting all EU citizens from privacy and data breaches. Although the key data privacy principles remain largely unchanged from the previous EU Data Protection Directive of 1995, the recently enacted EU GDPR has extraterritorial applicability. The EU GDPR also expands EU data protection obligations to cover all processing activities related to EU-based data subjects.
Regardless of the outcome of Brexit, RapidRatings has taken the necessary steps from a data protection perspective. What does this entail? When RapidRatings engages with UK suppliers or third parties, we seek to obtain a data processing agreement, and we use the EU Standard Model Clauses for this. We will continue to take this approach even if Brexit does take place, until there is a change in the legal requirements from a privacy perspective. Within RapidRatings we are continuously monitoring Brexit issues and have a plan of action that we are following from a privacy and compliance perspective.
What is RapidRatings' approach to the California Consumer Privacy Act (CCPA)?
The CCPA defines a business as a for-profit entity that does business in the state of California, collects consumers' personal data, and meets at least one of the following thresholds:
- Businesses that earn $25,000,000 or more a year in revenue
- Businesses that annually buy, receive, sell or share personal information of 50,000 or more consumers, households or devices for commercial purposes
- Businesses that derive 50% or more of their annual revenue from selling consumer personal information
RapidRatings does not fall within the scope of the CCPA based on the above requirements: for example, RapidRatings is not established in California, nor are we in the business of buying, selling, or sharing personal data. As such, the CCPA is not applicable to RapidRatings.
It is worth highlighting here that RapidRatings' data protection compliance efforts are held to a higher standard, given that we comply with the EU's GDPR, which is widely viewed as a more stringent data protection law than the CCPA. From an information security perspective we are ISO 27001:2013 certified as well.
RapidRatings is also working towards ISO 27701 (Privacy Information Management) certification, which we hope to achieve during 2020.
As a SaaS provider, RapidRatings is fully committed to compliance with the GDPR. RapidRatings operates a risk-based approach to GDPR and data protection by evaluating risks to the confidentiality, integrity and availability of our clients' data. To ensure compliance with GDPR requirements, RapidRatings has taken the following approaches:
- Conducting internal audits to review current practices as they relate to the GDPR
- Engaging independent third parties to audit our GDPR and privacy policies and procedures
- Appointing and assigning a Data Protection Officer to ensure GDPR-related compliance, working alongside our Head of Information Security, Chief Technology Officer, and Chief Product Officer
- Updating RapidRatings' internal policies and procedures to ensure compliance with the GDPR
- Updating data security policies and procedures in alignment with RapidRatings' ISO 27001:2013 certification
- Introducing a separate personal data breach policy
- Reviewing and updating how RapidRatings gets consent from employees and third parties
- Evaluating technical and/or procedural solutions to satisfy the “Right to be Forgotten” and “Right to Data Portability”
- Conducting Privacy Impact Assessments
- Educating and training staff to adequately protect personal data
- Ensuring Privacy by Design & Privacy by Default