DON'T SAY...SHOW:
1. CONSENT in understandable terms

2. DISCLOSE thoughtfully and thoroughly

3. PORTABLE means client connection

4. BREACH acted upon builds customer loyalty

5. ERASE responsibly

DON'T TALK...TAKE ACTION:
We...

1. Planned the full GDPR compliance process,

2. Created GDPR checklists,

3. Designed notifications and timelines to GDPR guidelines,

4. Built all data rights request scenarios,

So You....

5. Actively present, process, deliver, and report

DON'T PROMISE... PROVE:

1. Data security rights request prioritized

2. Data security rights processed properly

3. Data security rights delivered on time

4. Data security rights audited and reported for accuracy

NO NEED TO CONTEMPLATE,
COMPLY WITH CONFIDENCE:

1. Plug in to our platform

2. Our tools rapidly deploy compliance tailored to your business rules

3. Evolving training on:

     1. Administration dashboard

     2. Actor activity

     3. Access to process packets

     4. Reporting

     5. Purge

TEAM CONFIDENCE BUILDS EXCELLENCE

When we partner, we deliver to you:

ROI: cost savings, reduced risks, no fines! Can you imagine? Erasure and portability may even lead to monthly revenue generation!

How?

  • Cost savings: the request-handling process is already built, with full action tracking for accountability and reporting to both Customer and Client.
  • One monthly price, less than the annual cost of a compliance officer and two analysts
  • Life cycle processing of data subject requests including
    • Consent
    • Disclosure
    • Portability
    • Breach
    • Erasure
    • Standard reporting
    • A la carte pricing for special EU consulting, custom reporting and delivery of officer reports to Counsel
    • Critical life-cycle documentation storage and cold-storage SaaS
  • Reduced risk: the compliance process is handled by our program rather than built in-house
  • Reduced fines: thorough reporting and well-ordered packets for each category of data rights request, with process management by an independent agency

OUR GDPR COMPLIANCE PaaS PROTECTS YOU!

  • Banking
  • Insurance and Long Term Investment
  • Medical
  • Energy
  • Goods and Services

Our system is developed around six major tenets: three are described or mandated by the GDPR, and three we mandate internally:

      1. Privacy by Design
      2. Privacy by Default
      3. Individual Rights
      4. System and Process Modularity
      5. Flexibility by Design
      6. Report by Design

GDPR Defined Tenets

Privacy by Design

Privacy by design calls for data protection to be built into systems and processes from the outset, rather than bolted on later. Too often this functionality is added as an afterthought, or left out altogether.

Taking a privacy by design approach is essential to minimizing privacy risks and building trust. Designing projects, processes, products or systems with privacy in mind is necessary in most GDPR compliant systems.

Privacy by Design should start by establishing a lawful basis: the company must identify a valid legal ground for processing its users' data. If there is no lawful basis, the data should not be collected. Every new business process or service that uses personal data must protect that data, or at least take its protection into consideration from the start.

Once the process has a stated purpose for gathering data, and the data is protected through system and process features, personal data can be collected. Anything new that is created or developed with any relationship to personal data must be built so that data privacy is intrinsic to it: it cannot work without data privacy among its core functions.

Data must only be held for as long as is required, and only to fulfil the processing the customer has agreed to. Companies need to ensure their systems enforce this: once the data has fulfilled its agreed-to purpose, it is removed and rendered completely unavailable to anyone else, unless the customer has specifically requested that it be retained.

Privacy has to be a prioritized consideration and not just an afterthought, including during:

• Data collection

• Data storage

• Data use


Our solution is itself built on Privacy by Design, and it also helps you manage Privacy by Design in current and future projects and processes by providing checklists for performing Privacy Impact Assessments (PIAs). PIAs are an integral part of a privacy by design approach; under the GDPR, the mandatory form of this assessment for high-risk processing is called a Data Protection Impact Assessment (DPIA).

A PIA is a tool for identifying and reducing the privacy risks of your projects. It can reduce the risk of harm to individuals through misuse of their personal information, and it can help you design more efficient and effective processes for handling personal data.

You can integrate the core principles of the PIA process with your existing project and risk management policies. This reduces the resources needed to conduct the assessment and spreads awareness of privacy throughout your organization.


Privacy by Default

The GDPR's privacy by default provision (Article 25(2)) requires companies to implement mechanisms ensuring that, by default, only the personal data necessary for each specific purpose of the processing are processed. This obligation covers the amount of data collected, the extent of the processing, how long the data are stored, and who can access them. In particular, those mechanisms must ensure that by default personal data are not made accessible to an indefinite number of people.

This requires companies to hold and process only the data that is strictly necessary to complete the task at hand, and to delete or remove that data from their systems once it is no longer required for that task. There must be a way to use only the bare minimum of data and to exclude or delete the rest from that specific process.

Our solution complies with the GDPR version of Privacy by Default, which emphasizes the following aspects, and helps your current processes comply too:

    1. Companies must implement appropriate measures at both the technical and organizational level to ensure that the personal data collected is used only for the specific purpose stated.
    2. Only the minimum required amount of personal data should be collected, and its processing, storage and accessibility should be minimized and controlled.
    3. At the technical level, data collection techniques, including browser cookies, should be reviewed to ensure that excessive data collection is not occurring and that automated deletion processes are in place to remove personal data after a set retention period.

Individual Rights

All systems and processes should support the following individual rights (which may be incorporated into, or overlap with, the privacy by design principle).

In general, each individual right should map to system functionality and should be provided free of charge. For this reason, our solution pairs each right with an automated report wherever possible.

The GDPR includes the following rights for individuals:

      1. Right to be Informed / Right to Access
      2. Right to Rectification
      3. Right to be Forgotten / Restrict Processing
      4. Right to Data Portability
      5. Right to Object; and
      6. Right not to be Subject to automated decision-making including Profiling

The Right to be Informed / Right to Access

Alongside the Right to be Informed, the GDPR gives data subjects the right to obtain confirmation from a company as to whether personal data concerning them is being processed, where, and for what purpose. The controller must also provide a copy of the personal data, free of charge, in an electronic format, normally within one month of the request. Some access requests may be manifestly unfounded or excessive; if access is refused on that basis, the customer must be told why the data was not provided.

Our solution provides simple checklists for the staff within a company who handle requests, so they can comply with the right of access, or Subject Access Request (SAR, also called Disclosure) process. We include non-repudiable forms, so a company is able to document, report, and confirm that it followed every step required by the GDPR.

The Right to Rectification

The GDPR requires companies to let individuals request that their personal data be corrected or completed when it is inaccurate or incomplete. This may include notifying any third parties to whom the inaccurate data was disclosed.

Our solution provides a platform where customers submit a Subject Access Request (SAR) asking that information be changed. Through non-repudiable forms, we notify the proper internal party. Internal reports can then be generated to notify the customer that the change has been made.

The Right to be Forgotten / Restrict Processing

Also known as Data Erasure, the right to be forgotten entitles customers to have a company erase their personal data, stop using it, and potentially have third-party companies stop processing it too. Erasure should take place automatically when data is no longer needed for the original purpose of processing, or when a customer withdraws consent.

Our solution provides a platform where customers submit a Subject Access Request (SAR) asking that information be erased. Through non-repudiable forms, we notify the proper internal party. If a piece of data must be kept for continued use or because another law requires it, our system tells the customer before the request is submitted, so they can change the request from erasure to a cold storage option (storage of inactive data that is rarely accessed and no longer used for processing). Internal reports can then be generated to notify the customer that the erasure or storage has taken place.

The Right to Data Portability

The GDPR introduces data portability: the right of a data subject to receive the personal data concerning them, which they previously provided to a company, in a "structured, commonly used and machine-readable format", and to transmit that data to another company.

Our solution provides a platform where customers submit a Subject Access Request (SAR) asking that information be ported to another company, or to a personal online deposit box. Through non-repudiable forms, we notify the proper internal party. Internal reports can then be generated to notify the customer that the data has been ported.

 

Right to object

Right not to be subject to automated decision-making including profiling
Our Tenets

System and Process Modularity

Our solution allows for the expandability your systems and applications require. If your systems and processes already implement part of a GDPR solution, we can provide the rest without duplicating entire blocks of functionality.

Flexibility by Design

Our solution can be tailored to any process! We have worked in the medical and banking industries and see functionality that makes us a fit for any business, from a small retail vendor, to a medical device company, to a large insurance firm.

Report by Design

Our solution is built around reporting. All customer and company actions can be tracked, defined, and reported down to the individual click. This confirms that proper procedure was followed, so that if there is an audit, the company can readily show it is in compliance.
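The "non-repudiable forms" mentioned under the individual rights above and the "report by design" tenet here both rest on the same property: a record of who did what, when, in handling a data-subject request, that cannot later be edited, reordered or denied. The following is an added, stand-alone illustration of what that property requires in code; it is not the platform's own implementation, and the entry field names, the action vocabulary, the two staff identities and the timestamps are all constructed for the example. Each entry is signed with the acting staff member's own Ed25519 key (a shared-secret MAC would not give non-repudiation, since anyone holding the key could have produced it), and each entry commits to the hash of its predecessor, so an auditor who receives an exported packet can re-derive the chain and detect any tampering. The keys are generated in memory here; in production they would be bound to staff identities and kept in a KMS or HSM, and a clean chain only shows the steps were recorded, not that the erasure actually happened in every data store.

```go
package main

import (
	"crypto/ed25519"
	"crypto/rand"
	"crypto/sha256"
	"encoding/hex"
	"encoding/json"
	"fmt"
)

// Entry is one step in a data-subject request. Field names and the action
// vocabulary are assumptions for this example, not the page's schema.
type Entry struct {
	Seq       int    `json:"seq"`
	RequestID string `json:"request_id"`
	Right     string `json:"right"`  // consent, disclosure, portability, breach, erasure
	Action    string `json:"action"` // received, identity_verified, erased, ...
	Actor     string `json:"actor"`  // staff identity that performed the step
	At        string `json:"at"`     // RFC 3339, UTC
	PrevHash  string `json:"prev_hash"`
	Hash      string `json:"hash,omitempty"`
	Sig       string `json:"sig,omitempty"`
}

// AuditLog is append-only and hash-chained; each entry is signed with the
// acting staff member's own Ed25519 key, so the signer cannot deny it and
// any later edit, deletion or reordering breaks every subsequent hash.
type AuditLog struct {
	Entries []Entry
	Keys    map[string]ed25519.PublicKey // actor -> verification key
}

// digest hashes the entry's JSON with Hash and Sig blanked. encoding/json
// writes struct fields in declaration order, so the encoding is stable.
func (e Entry) digest() string {
	e.Hash, e.Sig = "", ""
	b, _ := json.Marshal(e)
	sum := sha256.Sum256(b)
	return hex.EncodeToString(sum[:])
}

// Append links the entry to the current head, hashes it and signs the hash.
func (l *AuditLog) Append(e Entry, priv ed25519.PrivateKey) {
	e.Seq, e.PrevHash = len(l.Entries), "genesis"
	if n := len(l.Entries); n > 0 {
		e.PrevHash = l.Entries[n-1].Hash
	}
	e.Hash = e.digest()
	e.Sig = hex.EncodeToString(ed25519.Sign(priv, []byte(e.Hash)))
	l.Entries = append(l.Entries, e)
}

// Verify is what an auditor runs over an exported packet: it re-derives the
// chain from genesis and returns (-1, nil) if every link, hash and signature
// holds, otherwise the index of the first bad entry and the reason.
func (l *AuditLog) Verify() (int, error) {
	prev := "genesis"
	for i, e := range l.Entries {
		if e.Seq != i || e.PrevHash != prev {
			return i, fmt.Errorf("entry %d: chain link broken", i)
		}
		if e.digest() != e.Hash {
			return i, fmt.Errorf("entry %d: content does not match its hash", i)
		}
		pub, ok := l.Keys[e.Actor]
		if !ok {
			return i, fmt.Errorf("entry %d: no key registered for %q", i, e.Actor)
		}
		sig, err := hex.DecodeString(e.Sig)
		if err != nil || !ed25519.Verify(pub, []byte(e.Hash), sig) {
			return i, fmt.Errorf("entry %d: signature by %q does not verify", i, e.Actor)
		}
		prev = e.Hash
	}
	return -1, nil
}

// BuildSampleLog records a constructed erasure request handled by two
// hypothetical staff members; keys are generated in memory for the example.
func BuildSampleLog() *AuditLog {
	alicePub, alicePriv, _ := ed25519.GenerateKey(rand.Reader)
	bobPub, bobPriv, _ := ed25519.GenerateKey(rand.Reader)
	l := &AuditLog{Keys: map[string]ed25519.PublicKey{"analyst:alice": alicePub, "dpo:bob": bobPub}}
	req := Entry{RequestID: "DSR-0001", Right: "erasure"}
	req.Actor, req.Action, req.At = "analyst:alice", "received", "2024-05-02T09:15:00Z"
	l.Append(req, alicePriv)
	req.Action, req.At = "identity_verified", "2024-05-02T09:40:00Z"
	l.Append(req, alicePriv)
	req.Actor, req.Action, req.At = "dpo:bob", "erased", "2024-05-20T16:05:00Z"
	l.Append(req, bobPriv)
	return l
}

// TamperedCopy simulates a later edit of a past record, here rewriting the
// identity check so the packet would claim it was skipped.
func TamperedCopy(l *AuditLog) *AuditLog {
	c := &AuditLog{Keys: l.Keys, Entries: append([]Entry(nil), l.Entries...)}
	c.Entries[1].Action = "identity_check_skipped"
	return c
}

func main() {
	l := BuildSampleLog()
	fmt.Println(l.Verify())                // -1 <nil>
	fmt.Println(TamperedCopy(l).Verify()) // 1 entry 1: content does not match its hash
}
```

Verify reports the first entry that fails, which is what matters in practice: everything before it is still trustworthy, and the failing index tells the auditor exactly which step of which request was altered. Because a hash chain cannot detect truncation of the tail, a real deployment would also anchor the latest hash somewhere the log writer cannot reach, such as a periodically signed checkpoint held by the independent agency the page mentions.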