GDPR is an abbreviation we’re all getting more familiar with. It’s the General Data Protection Regulation from the European Union, which comes into effect on May 25th 2018. And for us Australians, it is not dissimilar to our own NDB (Notifiable Data Breach scheme), which came into effect on 22nd February 2018. We are told that similar legislation will be coming to Canada soon too – and in all likelihood, many other countries as well.
The GDPR makes it mandatory for any organisation handling confidential personal data to report a data breach, should one occur, both to the individuals potentially affected and to the government regulators. Public notifications may also be required.
It has come about because big providers to industry have suffered significant data breaches and failed to inform anyone until some years later. You may remember Yahoo announcing in 2016 that there had been data breaches in 2013 and 2014. There is now a Wikipedia page all about the Yahoo breaches, and the resulting media scandal has driven wholesale legal changes, which are now being implemented.
While the costs and embarrassment of reporting a data breach are clearly best avoided, the potential fines for failing to do so, and later being caught out, run into the millions of dollars, large enough to put many firms out of business. So it is all about reducing the risk of exposure.
Nimbus has committed to industry standards such as ISO 27001 and ISO 32000 to ensure our standards of security and document handling are independently endorsed and meet the most stringent requirements for control over our clients’ confidential information.
This means that we have to take all the necessary steps to control the digital format for documents and to encrypt them. There are also legal clauses in our customer agreements and our privacy statement.
For GDPR legal definition purposes, our customers are normally the Data Controller and Nimbus is a Data Processor, holding the data on behalf of our customers. But because we are also capturing digital signatures within the Nimbus service, Nimbus in this case also acts as a Data Controller.
Although it was not mandatory for us, Nimbus has chosen to appoint a DPO (Data Protection Officer), i.e., an independent person whose role is to oversee our governance and ensure we are taking the necessary steps to conform to the GDPR. We are pleased to announce the appointment of Peter Borner from the “GDPR Guys”, a U.K.-based GDPR specialist firm.
One of our clients asked us if we would advise their customers directly about a theoretical future data breach or if they would get the opportunity to speak to their customers first.
Nimbus has decided that should a notifiable data breach occur, we will immediately notify our customer first, i.e., the firm paying for Nimbus Portal Solutions’ services, and they will have a short period (48 hours) to take demonstrable steps to notify their affected clients. If they do not do so within this period, we will then notify their clients ourselves to ensure that we are meeting our own obligations. We will also automatically notify the appropriate government regulator.
In summary, if your customers’ data is in Nimbus, we are both GDPR and NDB compliant and your risk of exposure is well controlled. We also offer the highest level of cloud security over your documents, including account-specific encryption of the stored document to the standard required for “Secret Documents” by the NSA in the United States.
Mandatory strong single-factor authentication, with optional two-factor authentication for all login and file access, is part of a range of measures that we are bringing to market in response to GDPR and NDB, to ensure that our customers have robust access security over their Nimbus accounts and data stores.
Should you have any questions please feel free to give our team a call or send us an email.
To read more about how the NDB affects your business please click here.