The GDPR (General Data Protection Regulation) came into effect on May 25, 2018. Aware that this law would shake up the organization of companies and associations managing large amounts of data, we had been preparing for its arrival since the previous year.
How were NetAnswer's alumni association clients supported through the transition to the GDPR?
To make the transition as smooth as possible for our customers, we defined several steps:
1. Before January 31, 2018: Appointment of the DPO
Although it is not mandatory for an association, NetAnswer encouraged its clients to appoint a DPO in order to facilitate exchanges, centralize information and act as coordinator should preventive actions or data-management questions arise.
2. Between January 31 and March 15, 2018: Exchanges between DPOs
The DPOs designated in the associations could liaise with NetAnswer's DPO in order to follow together the 6 steps defined by the CNIL, which we detailed in our previous post: https://www.netanswer.fr/le-rgpd-pour-une-association-alumni/
NetAnswer provided its expertise as well as document templates to facilitate this step.
3. Between March 15 and May 25, 2018: Modification of contracts
All contracts binding customers to NetAnswer were amended to take the GDPR into account.
4. Between April 15 and May 24, 2018: GDPR Developments
Terms of Service were implemented on our clients’ sites to inform members and collect their time-stamped consent.
5. May 25, 2018: GDPR enforcement
The GDPR features were available in production so that associations could be GDPR compliant. An explainer video was created to train them in the use of the new features.
6. Since 2017: Training
NetAnswer has offered its customers several training sessions, in Paris or by videoconference, to summarize the main points of the GDPR and explain its implications for an alumni association.
How is member data managed by NetAnswer secured?
The objective of data security is to limit leaks and to be able to trace their origin, so as to intervene and ensure that they cannot happen again.
Some examples of security points implemented at NetAnswer:
- Reliability of servers: NetAnswer controls access to the secure servers hosting its customers' sites, and its employees are trained in data security.
- Two-factor authentication: After logging in with a login and password, a code is sent by SMS to the administrator's cell phone to confirm that the person trying to log in is indeed the administrator. Member password requirements have also been made stricter.
- Switching to HTTPS: Data entered or posted on our clients' sites is encrypted in transit between the user's browser and our server.
- Monitoring activities: Activity logging is planned in order to detect abnormal activity (data exports from the administration area, abusive consultation of the directory by a member, etc.). Consultation limits are already in place and can be configured.
How do customers keep control over the management of their data?
NetAnswer gives its customers the possibility to configure the GDPR features from their administration space. A page gathers the documentation as well as the available settings, for example:
- Configuration of the CGU (terms of service) texts and editing of the associated static pages,
- Interface for deleting, consulting or exporting a person's information,
- Display of members' acceptance of the CGU and the dates of consent,
- Modification of the consultation limits in the directory and display of the list of people who have reached them,
- Consultation of the logs of exports made on the site.
In conclusion, although implementing the GDPR required a considerable amount of time for reflection, development and training, the task proved indispensable. Indeed, NetAnswer's aim goes well beyond mere compliance with the law: above all it seeks to help alumni associations keep control of their data and to anticipate the leakage risks to which they are exposed.
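As an illustration of the monitoring described above (the directory consultation limit, the list of members who have reached it, and the export log), here is an added example that is not NetAnswer's code: the log line format, the field names and the limit value are constructed assumptions.

```python
# Added example (not NetAnswer's code): threshold detection of abusive directory
# consultation and listing of export events over constructed log lines.
# The log format, field names and the limit value are assumptions.
from collections import defaultdict
from datetime import datetime

# Constructed sample activity log: "<ISO timestamp> key=value ..."
SAMPLE_LOG = """\
2018-06-01T09:00:01 member=1042 action=view_profile target=2210
2018-06-01T09:00:05 member=1042 action=view_profile target=2211
2018-06-01T09:00:09 member=1042 action=view_profile target=2212
2018-06-01T09:00:14 member=1042 action=view_profile target=2213
2018-06-01T09:30:00 member=2210 action=view_profile target=1042
2018-06-01T10:15:00 admin=7 action=export rows=3500 scope=directory
2018-06-02T08:00:00 member=1042 action=view_profile target=2214
"""

DAILY_VIEW_LIMIT = 3  # directory consultation limit per member per day (configurable)


def parse_line(line):
    """Parse one log line into a dict; the timestamp becomes a datetime."""
    ts, *fields = line.split()
    rec = {"ts": datetime.fromisoformat(ts)}
    for field in fields:
        key, value = field.split("=", 1)
        rec[key] = value
    return rec


def records(log_text):
    """All parsed records of a log, skipping blank lines."""
    return [parse_line(l) for l in log_text.splitlines() if l.strip()]


def daily_view_counts(log_text):
    """Profile views per (member, day): the basis of the consultation limit."""
    counts = defaultdict(int)
    for rec in records(log_text):
        if rec.get("action") == "view_profile" and "member" in rec:
            counts[(rec["member"], rec["ts"].date().isoformat())] += 1
    return dict(counts)


def members_at_limit(log_text, limit=DAILY_VIEW_LIMIT):
    """(member, day, views) for everyone who reached the limit: the list an
    administrator reviews, and the point at which further views are refused."""
    return sorted((m, d, n) for (m, d), n in daily_view_counts(log_text).items() if n >= limit)


def export_events(log_text):
    """(timestamp, admin, rows) for each data export, i.e. the export audit log."""
    return [(r["ts"].isoformat(), r["admin"], int(r["rows"]))
            for r in records(log_text) if r.get("action") == "export"]
```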