GDPR

IR and the General Data Protection Regulation (GDPR)

Introduction

IR is the corporate brand name of Integrated Research Limited (ASX:IRI), a leading global provider of proactive experience management solutions for critical IT infrastructure, payments, and communications ecosystems, and is an organization that follows the United Nations Global Compact principles. At IR, we understand the importance of data protection and privacy, with more than 1,000 organizations in over 75 countries - including some of the world’s largest banks, airlines, and telecommunications companies - relying on IR to provide business critical insights and ensure continuity-critical systems deliver high availability and performance for millions of their customers across the globe. We are committed to high standards of information security, privacy, and transparency. Since we started providing real-time, fault-tolerant management in 1988 for business-critical computer systems and applications running on HP NonStop server technology, our products have stood the test of time. Today IR experience management solutions for payment hubs, unified communications ecosystems, and contact centers are trusted by Fortune 500 companies to keep their business running.

What is GDPR

On May 25th, 2018, the European Union General Data Protection Regulation (“GDPR” or “regulation”) becomes enforceable establishing a new framework for handling and protecting personal data. The GDPR is the most significant piece of data protection legislation to date, further strengthening individual data privacy rights and creating a uniform data protection law across Europe.

The regulation applies to the processing of personal data and encompasses all organizations established in the EU, additionally applying to organizations outside the EU that monitor the behavior of EU residents or offer goods or services within the EU. The terms “processing” and “personal data” are each defined broadly: “processing” meaning any operation or set of operations performed on personal data, whether or not by automated means; “personal data” meaning any information relating to an identified or identifiable natural person and can be in any format.

Key GDPR Requirements: 

• Lawful, fair, and transparent processing: Personal data must be processed in a lawful, fair, and transparent manner. This means organizations that process personal data must process either based on consent, performance of a contract, legal obligations, protection of vital interests, necessity for public interests, or the legitimate interests of the organization. Organizations must be transparent and inform data subjects about the processing activities performed on their personal data.  
• Data subject rights: The regulation expands data subject rights, including; the right of access, right of rectification of any inaccurate or incomplete personal data, right to erasure, right to restrict the processing of personal data, right to object to processing, right to data portability, among others.
• Consent: Requests for consent must be freely given, specific, informed, and unambiguous by a statement or clear affirmative action.
• Data Protection Impact Assessment: Where a type of processing is likely to result in a high risk to the rights and freedoms of data subjects a Data Protection Impact Assessment should be conducted by the organization conducting the processing in order to assess the risks, impacts, and possible remediation measures. 
• Privacy by design and default: Organizations must incorporate organizational and technical mechanisms to protect personal data in the design of new products, systems, or processes.
• Personal data breach: In the event of a data breach involving personal data the organization acting as the data controller must, where feasible, report the breach to the authorities within 72 hours. Where there is likely a high risk to the affected data subjects such data subjects shall be notified without undue delay. 
• Data transfers: The regulation applies strict standards around transfers of personal data to third parties for processing or transferring of personal data across borders. The data controller has accountability to ensure personal data is protected and GDPR requirements met when the data is transferred outside the organization to a third party. 
• Data Protection Officer: Certain organizations will need to appoint a Data Protection Officer, including organizations whose core activities consist of processing operations which require regular and systematic monitoring of data subjects on a large scale, or large-scale processing of special categories of sensitive personal data.

What IR has done in preparation for GDPR

Data protection and data privacy themselves are not new concepts to which organizations like IR must adhere. IR has long been committed to these concepts and the GDPR is an opportunity to build a stronger data protection and data privacy foundation. IR embraces, amongst others, the privacy by design and privacy by default principles of the GDPR.  IR is committed to complying with the GDPR by the May 25th, 2018 enforcement date and fully supports the intent of the legislation. 

IR is taking proactive steps towards our GDPR commitment. IR ran a program of work which had an internal, cross-functional, global steering committee comprised of senior members and a Certified Information Privacy Professional - Europe, who ensured that IR expanded current data protection and data privacy practices to meet GDPR compliance. Additionally, IR is using the opportunity to continually further enhance internal information security policies and adhere to applicable international standards and industry best practices.

Prognosis is GDPR Compliant

When using Prognosis, our customers can be assured of their ability to comply with their GDPR requirements.  As part of IR’s GDPR program, IR engaged NCC Group, a company that is ISO9001 and ISO27001 certified that specializes in privacy and cyber security.  NCC Group carried out a data protection impact assessment (“DPIA”) on Prognosis to identify any privacy-related risks and their solutions.  The DPIA found that the Prognosis application is “out of the box” configured to meet the requirements of the GDPR.  Customers are advised to read the GDPR Attestation from NCC Group and ensure that any bespoke configuration is reviewed.

Furthermore, to assist our customers with categorization and retention of personal data for Advanced Reporting, the next version of Prognosis 11.5 will contain personal data property tags.  Historic existing personal data can be queried, identified and tagged.  This will assist customers in efficient handling and retention of personal data that is stored outside the Prognosis database.

If you have any questions, you can reach the IR team at legal@ir.com or contact us at the following address:

Integrated Research Limited
Attn: Legal,
Level 9, 100 Pacific Highway,
North Sydney
NSW 2060
Australia.