GDPR Readiness Update
Data and its protection are becoming increasingly important to individuals and enterprises. As you may know, the European Union (EU) enacted the General Data Protection Regulation (GDPR) (Regulation (EU) 2016/679), which will be enforced starting May 25, 2018. The GDPR is designed to give EU residents better control over their personal data, regardless of where the data is sent, processed or stored, by establishing one set of data protection rules across the EU.
Based on the current published regulations, Meltwater will be compliant by May 25, 2018.
We are currently analysing the GDPR requirements to determine which articles are in scope for Meltwater, data partners, vendors and our customers. We continue to work together with our privacy counsel and monitor guidance provided by the Article 29 Working Party to ensure we stay on top of the policies and procedures as they evolve. For further background on our compliance, please see below.
We have already taken these steps to be compliant:
- We have received legal counsel and expert advice to help us fine-tune our compliance strategy and plan. We have trained key personnel on GDPR and appointed a GDPR-certified DPO.
- We have completed a data inventory, mapping and networking exercise to ensure we understand the types of personal data we process, the lawful reason for collecting the data, where the collected data is stored and the security measures used to protect it.
- The data centres we use have the necessary data security requirements and controls in place to protect our customer data, including the ISO 27001 certificate. Our servers also have redundant multi-factor authorization requirements for physical access to the facility housing the systems.
- We have strong data protection controls in place, which include encryption in transit of customer data, to safeguard data subjects’ data from unintended disclosure or misuse.
- We maintain incident response and notification processes and perform periodic code scans and penetration tests.
- We have created processes to execute data subject requests and to safeguard other rights of data subjects in an expedient and accurate manner.
- We have created a Data Processing Agreement which we can share with our clients when necessary.
- We have put in place appropriate consent processes when consent is used as our legal basis for processing personal data. This includes, among others, European journalists in our Influencer database.
- We have recognised that we are a Data Processor when it comes to personal data received from our customers in order for us to provide them with the service.
- There are also situations where we are the Data Controller. We are the Controller in relation to our employee and applicant data, the journalists’ personal data stored in our Influencer database, as well as the personal data in the news and social content we provide to our clients.
We are still working on these steps towards compliance:
- Incorporating data protection impact assessments into our product management process.
- Creating binding corporate rules for internal data transfers.
- Limiting the personal data we process and updating our retention policy.
- Reviewing and updating our supplier and customer contracts to include all necessary language around GDPR and to help ensure that our responsibilities are clearly defined, so that there is no confusion that could result in penalties for either party.
- Reviewing data security standards, controls and processes to ensure they meet the GDPR requirements.
- Acquiring the necessary resources to execute and maintain ongoing compliance after May 25, 2018.
We understand compliance is a shared responsibility with our customers; we are committed to partnering with you to help you successfully comply with the GDPR. Should you have any questions about our compliance plan, please reach out to your Account Manager, or our Client Acquisition team should you not yet be a Meltwater customer.