Our GDPR Compliance
The General Data Protection Regulation (GDPR) aims to create consistent data protection rules across Europe and has been in effect since 25th May 2018. It applies to all companies that process personal data about individuals in the EU, irrespective of where the company is based. Data processing covers not only handling data but also collecting, storing, using and destroying it.
While many of the principles of GDPR are based on previous EU data protection rules, the GDPR sets far more prescriptive standards. It is also wider in scope: for instance, it grants individuals a much broader set of rights when it comes to accessing and transferring their data, and it requires a much higher standard of consent for using certain kinds of data. It also comes with significant fines and penalties; failure to comply with GDPR can result in fines of up to 4% of global annual revenue for certain breaches.
Given that we are engaged with over 10 leading IT/Engineering/IoT services companies across Continental Europe, the UK and Ireland, GDPR is an integral part of our approach. All key decision-makers at Revvlocity are aware of the changes made to EU data protection legislation. We have appointed a data protection task force to conduct a data protection risk assessment and data audit in order to improve our standard procedures and documentation. We are also in the process of educating our employees about GDPR and about any changes we are making in order to comply with it.
Here are the key components of our GDPR compliance efforts:
Designated access to Data
We have designated a DPO to oversee GDPR compliance. The DPO is responsible for ensuring our ongoing compliance with data protection regulations, is accountable for all client data, and conducts regular data audits. As part of our data audit, we have identified the categories of personal data we hold and the processing activities we undertake, and we have determined the lawful justification for each. In general, most of our processing activities as data controller or co-controller are required for the performance of a contract or are in the legitimate interests of our clients' business (without having an undue impact on the fundamental rights and freedoms of the individuals involved).
Security of processing
We ensure that all prospect data we collect and store is kept completely secure. Data is stored in an internal portal to prevent data leakage, and we have implemented security logging and monitoring of the portal.
Lawful basis for processing
We clearly indicate that our lawful bases for processing personal information include consent and our legitimate interests.
We have a dedicated delivery bay with appropriate access controls. It is a paper-free zone, and a defined phone policy and firewalls are in place to enforce restrictions and enable continuous monitoring.
Conditions for consent
We have taken steps to ensure that data subjects freely provide consent, and that consent is given through a positive opt-in. Wherever possible, we also document our legitimate interest, make it clear in the communication, and offer an easy opt-out. We do not control or process the personal phone number or email ID of any EU prospect until they provide it or we have consent to do so. Our only mode of outreach is by phone, where we seek consent from the switchboard, reception or executive admins before being transferred to a prospect who holds a legitimate interest in the target organization.
Right to be forgotten
We have implemented this in the internal portal: any prospect who becomes DNC is removed from the portal and tracked separately by the DPO, ensuring that the prospect is not reached out to again. All such information is passed on to the client, and we expect the same from the client's end.
Data Transfer Agreement (DTA) & Vendor Declaration
We always sign a data-privacy-related document with the client.
We have implemented a plan to notify the relevant supervisory authorities within 72 hours of discovering a security breach involving personal data.