Our Commitment to the General Data Protection Regulation (GDPR)
At Vivametrica, we are committed to protecting the privacy of our users and to making sure that our products and services comply with the GDPR. Vivametrica has thoroughly analyzed the GDPR's requirements and their relevance to us as both a data controller and a data processor. In response, Vivametrica has implemented an organization-wide GDPR compliance strategy intended to meet all of those requirements.
Our Compliance Strategy
The GDPR's updated requirements are significant. Vivametrica has implemented the following measures, organized in four phases:
Assess
- Executive Leadership Team endorsed development of GDPR Program
Plan
- Established a cross-functional GDPR task force and assigned responsibilities
- Prepared implementation plan to deliver on Assessment recommendations
Execute
- Conducted data discovery of personal information across the enterprise
- Inventoried and documented records of processing activities
- Implemented action plans by each affected line of business
Maintain
- Maintain registry of processing activities
- Conduct privacy impact assessments on a regular cadence
- Update risk framework on a regular basis
- Confirm operating effectiveness of risk controls
Vivametrica as a Data Controller
As a company that collects and processes personal health data, we have implemented key GDPR preparedness initiatives including:
- Consent management – Consent standards have been raised under the GDPR. Our team has conducted a thorough review of Vivametrica's consent management practices and has brought them in line with the GDPR. This includes an active opt-in to continue receiving communications from us, as well as privacy purpose statements at the point where we collect personal health information.
- Human Resources – The GDPR is not just about our customers. Although most GDPR efforts focus on external data, the regulation also extends to the personal data we hold about our job applicants and employees. Our Human Resources team has been working on several initiatives to prepare for the GDPR, including:
  - Optimizing our HR systems to manage applicant and employee information in accordance with the GDPR.
  - Reviewing HR systems so that we know what information we hold, why we hold it, who has access to it and how long we keep it.
  - Developing consent and privacy notices that give our candidates and employees the same transparency: what information we hold, why we hold it, who has access to it and how long we keep it.
  - Reviewing HR-related policies and procedures to ensure data privacy compliance with the new legislation.
- Records management – We are working to ensure that our records management policy includes retention schedules that authorize disposition when customer information is inactive, outdated or no longer needed. This supports the data minimization and storage limitation principles and helps us avoid retaining the personal data of our customers for longer than necessary.
- Security – Data privacy and data security are two equally important parts of a comprehensive data protection strategy. While Vivametrica employs rigorous technical and administrative safeguards, we are aware of the new and increased security standards that the GDPR introduces and will continue to evaluate and update our practices to ensure that they align with industry standards.
- Policies, procedures and training – We continuously review relevant policies and procedures to ensure they are up to date and reflect new privacy requirements, including those relating to Security, IT, Privacy and HR. You can read Vivametrica's Privacy Policy on our website. Our staff are trained regularly on new and updated policies and procedures.
Vivametrica as a Data Processor
It is important that we fulfill our commitments under the GDPR as a data processor to our users, the data controllers, who use a third party like us to process personal data. Some of our key activities in this area are:
- Rights of data subjects – The GDPR gives individuals rights over the personal data a controller holds about them, including access, rectification, erasure, portability (transfer to another controller) and objection to processing. Some of the data we house on behalf of users is owned by the user, who is the data controller. Our users also control access to their own data, which means that in the majority of cases they, as data controller, can respond to and act on requests from their data subjects. As a data processor, we do not respond directly to requests from data subjects. We continue to enhance our processes and applications to better enable customers to respond to lawful requests from their data subjects.
- Contractual commitments – We work with our customers and users to ensure that GDPR obligations are included in our contractual commitments, including the use and management of sub-processors, timely security support and breach notification in accordance with the new requirements.
- Breach notification – Operationalizing incident management and meeting the 72-hour breach reporting window (which runs from the time the controller becomes aware of a breach, and which depends on processors notifying their controllers without undue delay) is, and will continue to be, a challenge for all organizations. Vivametrica has a well-established Data Breach Response Process that spans from the time a suspected breach is identified through to post-incident closure. Vivametrica has reviewed data breach notification laws in all regions in which we operate, including the requirements under the GDPR, and is committed to compliance.
Helping our customers along the GDPR journey
Vivametrica is committed to helping our customers along their journey to GDPR readiness and compliance. However, it is important to recognize that compliance is a shared responsibility. Regulatory compliance requires a combination of processes, policies, expertise, education and training, as well as the right technology tools. We believe that the path to compliance requires a shared understanding of, and a common culture around, privacy.