GDPR – how we comply with the new EU directive

The new EU directive for data protection and privacy, GDPR, is rather complex, and there are still parts that may seem unclear.

At Indpro, we have the skills and knowledge to guide our customers through the process of ensuring that our cooperation complies with GDPR.

Storing sensitive data

Our processes guarantee sufficient security for data which is personal and potentially sensitive.

We have processes in place for how we receive personal data, how we handle and store it, and, perhaps most importantly, how we remove data and under which circumstances we do so.

Authorized agreements

The agreements (for example personal data processing agreements) that we sign with our clients have been professionally developed and follow the regulations of Datainspektionen (the Swedish Data Protection Authority) and GDPR in the management of personal data.

Before we start a cooperation we do a thorough assessment of what data we may potentially work with, which data is personal and sensitive, and which data is not.

If we are to work with sensitive data, we give recommendations for how to set up our process to minimize security risks. We then set up the process together with the client, giving the client full insight into how we manage the data.

Rules on data transfers outside the EU

When data is transferred to countries outside the EU, stricter regulations apply. Whenever possible, we set up a working procedure that allows us to work in the client’s environment through secure access points. In 9 cases out of 10 we do not need to handle personal data at our own sites, neither in Sweden nor at our delivery center in India. But in those projects where managing data outside of the EU is necessary, we have the processes and the agreements in place to ensure GDPR compliance.

Security in our delivery center

In our preparations for GDPR we have heightened the security at our large delivery center in Bangalore, India. We already had biometric identification in place for accessing the office, and we have developed new policies for staff using their own devices at the office. We still allow BYOD (bring your own device), but we have updated our policies and introduced a stricter process for controlling when data is taken outside of the office. We retain log history and have routines in place for what to do if a data breach does happen. We have also reviewed the routines for keeping our IT equipment safe.

Trained staff

Compliance with GDPR requires that the whole organization receives training in what GDPR and the regulations of Datainspektionen mean, and understands the importance of abiding by the processes and rules in place.

We continuously train our staff in GDPR compliance, in Sweden as well as in India.

Regular audits

We audit our policies, processes and systems regularly: quarterly, every six months and annually. In our audits we go through the processes and explore what improvements can be made.

GDPR compliance is not a one-shot project, but a continuous process. Indpro continues to keep up to date with the development of the data protection regulation, to ensure that we, and our client projects, comply with current legislation.