The EU General Data Protection Regulation (GDPR) is the most significant piece of European privacy legislation in the last twenty years.

It replaces the 1995 EU Data Protection Directive (European Directive 95/46/EC), strengthening the rights that EU individuals have over their data, and creating a uniform data protection law across Europe.

Introduction

 

The new EU General Data Protection Regulation has come into force on 25 May 2018 (including in the UK, regardless of its decision to leave the EU) and impacts every organization which holds or processes Personal and / or Sensitive Data.

Personal and / or Sensitive Data is any type of data that relates to an identifiable or identified individual. GDPR covers a broad spectrum of information that could be used on its own, or in combination with other pieces of information, to identify a person.

Personal and / or Sensitive Data extends beyond a person’s name or email address; some examples include financial information, political opinions, genetic data, biometric data, IP addresses, physical address, sexual orientation, and ethnicity.

GDPR introduces new responsibilities, including the need to demonstrate compliance, more stringent enforcement and substantially increased penalties than the current laws which it replaces or supersedes.

IST – International Software Techniques S.A. is committed to high standards of information security, privacy and transparency. We place a high priority on protecting and managing data in accordance with accepted standards (including ISO 27001 and ISO 22301).

The company complies with applicable GDPR regulations both as Data Controller and / or as a Data Processor (depending on the use case), while also working closely with our customers, suppliers, partners and other involved stakeholders to meet current and future contractual obligations for our procedures, products, services and solutions.

 

The company has three main areas of focus:

  • Building on existing security and business continuity management systems and certifications, including ISO 9001, ISO 27001 and ISO 22301, to ensure our own compliance.

  • Product programs to support compliance for users of our software applications including solutions to streamline the process and drive greater efficiency.

  • Provision of services and solutions which help customers to understand and prepare for GDPR, develop compliance plans and build a stronger platform for the future by taking control of their data.

 

It is important to recognize that compliance is a shared responsibility and all organizations will need to adapt business processes and data management practices. The volume of data handled by organizations is growing and is captured, processed and stored on an increasing number of devices and networks.

Requirements such as data protection impact assessments, active mitigation of risks and evidence of risk management measures require organizations to develop a more disciplined approach to Personal and Sensitive Data, especially those with Personal and Sensitive Data spread across many locations and / or systems with varying levels of personal data quality and ownership. Furthermore, investing in the management of consent presents an opportunity to build trust and provide increasingly useful services.

IST – International Software Techniques S.A. welcomes the arrival of the GDPR. The success of our company builds on the trust that our customers, employees and other stakeholders have in our ability to deliver premier quality. This includes our ability to apply a high level of data protection and security in relation to Personal and / or Sensitive Data that our customers, employees and third parties entrust to us.

IST – International Software Techniques S.A. considers it not just its duty to comply with national and international data protection regulations, but also to do this by applying the same standards, processes and procedures throughout our footprint in a cohesive and comprehensive manner. This allows IST – International Software Techniques S.A. to deliver the transparency, predictability and consistency that our stakeholders continue to expect from us.

Compliance

 

Being located in the EU, IST – International Software Techniques S.A. complies fully with GDPR regulations and requirements.

IST – International Software Techniques S.A. has a robust ISO-based Integrated Management System (IMS) in place, while in order to further ensure compliance it has implemented additional or augmented company-wide controls to meet GDPR requirements within the IMS, using internal and external advisors.

To that end, we have appointed a Data Protection Officer (DPO), who has also been officially announced to the local data protection authority (i.e. the Hellenic Data Protection Authority – HDPA).

Led by our Data Protection Officer, updated information security policies and procedures have been built on existing management systems (including ISO 27001 and ISO 22301), supported by communication, awareness and training programs.

Compliance is further reinforced by a review of existing contracts with Data Controllers, the use of sub-contractors and any data export arrangements.

Our ability to fulfill our commitments as a Data Processor to our customers (i.e. the Data Controllers), is a part of our compliance with GDPR where Data Controllers are using a third-party like us to process Personal and / or Sensitive Data.

Because of this requirement, IST – International Software Techniques S.A. has worked extensively to ensure our agreements contain appropriate provisions for the Personal and / or Sensitive Data we store, and balance the risks and responsibilities between Data Controllers and Data Processors.

When acting as a Data Processor, IST – International Software Techniques S.A. is undertaking risk assessments to include more detailed consideration of the data types we hold and a data protection impact analysis of personal information stored and processed. Policies such as incident response plans and backup data retention are regularly reviewed and updated.

Our customers depend on us to manage their environments. Only a limited number of roles within IST – International Software Techniques S.A. are authorized to access customer environments and then only when necessary, according to strict guidelines and documented actions. We comply with information security best practices including multiple-factor authentication, anonymization, pseudonymization and encryption.

Our Data Protection Officer informs, advises and monitors compliance; IST – International Software Techniques S.A. implements tools as appropriate that support the process, provide necessary security and ongoing delivery of objectives.

Software Applications

 

IST – International Software Techniques S.A.’s broad range of software applications and solutions are used to provide efficient and high-quality services. As such, the company is committed to providing technology solutions to support customers’ GDPR obligations, whether through standard features or added value solutions or toolkits.

Customers should contact their account manager to understand what features are available to enable this, from data cleansing and subject access reports to specific data retrieval and disposal tools which create efficiencies by allowing organizations to locate, anonymize and remove data with minimal administrative effort and to enable a quick and efficient response to information requests.

Preparation for GDPR

 

We have acted on many fronts to adhere to the new regulation:

  • We have raised awareness across the organization through frequent discussions in our internal channels, and trained employees to handle data appropriately. They now understand the importance of information security and the high standards set by GDPR.

  • We have assessed all of our software products, individually, against the requirements of GDPR.

  • We have constituted an Information Asset Register (IAR), which includes information on all the roles IST - International Software Techniques S.A. assumes, such as a Data Controller and Data Processor. It details on various categories of Personal and / or Sensitive Data processed by our organization and which department is getting access to which data and for what purpose. It has a comprehensive coverage of all our processes and procedures.

  • We have assessed our sub-processors (third party service providers, partners) and streamlined the contract process with them to ensure that they have addressed the pressing needs of the current security and privacy world.

  • We have officially appointed a Data Protection Officer (DPO).

  • Our application teams have embraced the concept of privacy by design. These provisions may vary based on a product’s characteristics and domain.

  • We now require the signing of a Data Processing Addendum (DPA) to be compliant with the data processing requirements of GDPR.

  • We conducted Data Protection Impact Assessments (DPIA). Based on the results, we have put in place appropriate controls on data processing and management.

  • We conducted internal audits of our products, processes, operations, and management. The findings were communicated to our stakeholders, who have worked out the solutions to the identified problems.

  • Based on the DPIAs and internal audits, we have improved our data security methods and processes. This includes encrypting data at rest, based on the level of sensitivity and likelihood of risks. We have developed in-house tools for better governance of data.

  • We have cleaned up our databases to ensure that we have only the latest and most accurate information.

  • When needed, breach notifications will be done according to our internal privacy incident response policy. Customers will be notified of a breach within 72 hours after we become aware of it. For incidents specific to an individual user or an organization, we will notify the concerned party promptly.

Notes
 
  • There is currently no nationally or internationally recognized certification or license required or available for GDPR and / or for the designation of a Data Protection Officer.

  • ​Any GDPR-related questions and any Data Subject requests can be addressed to our Data Protection Officer.

  • Contact details of our local data protection authority:

Hellenic Data Protection Authority (HDPA)

Address: Kifissias 1 - 3, 115 23 Athens, Greece

Call Centre: +30 210 6475600

Fax: +30 210 6475628

Web Address: www.dpa.gr